Unlocking the Cyber Security Mindset: How Mental Models Shape Our Defences
In cyber security, our greatest asset isn't just our technical knowledge—it's how we think. As a seasoned cyber security professional, I've come to realise that understanding and harnessing the power of mental models is crucial to staying ahead in our field. Let’s explore this topic in a little more detail and see how it might change the way you think.
The Hidden Force Behind Our Decisions
Imagine you're faced with a potential security breach. Your heart races, adrenaline surges, and you spring into action. But have you ever paused to consider why you chose one course of action over another? The answer lies in your mental models.
Mental models are psychological representations of actual, hypothetical, or imaginary situations. Kenneth Craik, a Scottish psychologist, was one of the first to propose in 1943 that the mind constructs "small-scale models" of external reality that it uses to anticipate events and respond to future situations in order to attain better outcomes.
Essentially, mental models are the invisible architects of our thoughts and actions. They're the cognitive frameworks we use to make sense of the world around us. In cyber security, these models shape how we perceive threats, analyse risks, and devise protection strategies.
The Cyber Security Lens: How Mental Models Work
Think of mental models as the lenses through which we view the digital landscape. Just as a photographer chooses different lenses to capture various aspects of a scene, we cyber security professionals use different mental models to understand and respond to cyber threats.
For example, consider the "castle and moat" model that many organisations still cling to. This model assumes that by building strong perimeter defences, we can keep threats out. But in today's interconnected world, is this still valid?
Another example is the "compliance = security" model, which implies that if you are 100% compliant with an information security standard or framework then you are secure. There are numerous instances of companies that were certified against a standard yet still suffered data breaches. So why do we still treat compliance with a standard as proof that we are secure?
By recognising and questioning our existing mental models, we can start to adapt our thinking to the realities of modern cyber security challenges.
Real-World Impact: When Mental Models Make or Break Security
Let me share a personal anecdote that illustrates the power of mental models in action.
During my time at one organisation, we encountered a troubling issue with our outsourced IT services that demonstrates the importance of aligned mental models in cyber security. Our managed services provider operated under the assumption that their role was simply to execute client requests without question. Conversely, our internal teams held the belief that the provider would implement requests with appropriate security controls as a matter of course.
This misalignment in mental models led to a potentially dangerous situation. On three separate occasions, virtual machines were deployed with Remote Desktop Protocol (RDP) ports exposed directly to the internet - a significant security vulnerability. It took these repeated incidents for both parties to recognise the severe mismatch in our respective understanding of roles and responsibilities.
This experience underscores a crucial lesson in systems thinking applied to cyber security: the importance of clearly defined expectations and shared mental models between service providers and clients. It also highlights how seemingly minor misunderstandings can lead to substantial security risks, emphasising the need for continuous communication and alignment in outsourced IT relationships.
It wasn't until we shifted our perspective and adopted a mental model more closely aligned with the provider's that we were able to effectively minimise the chance of this recurring.
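The failure described above (a VM built with RDP reachable from the whole internet) is exactly the kind of gap a shared expectation should close, and it is also cheap to check for. The script below is an added example, not code from the original article or from the organisations it describes: it audits a constructed, cloud-agnostic security-group export for management ports (RDP, SSH, WinRM) allowed inbound from an unrestricted source, and shows the corrected rule set with the source pinned to a bastion range. The rule field names (`direction`, `access`, `protocol`, `source`, `dest_ports`), the sample rules and the port list are assumptions for illustration, not any vendor's schema.

```python
"""Audit inbound security-group rules for management ports open to the internet.

Added example (not from the article). The rule format is a constructed,
cloud-agnostic stand-in for a security-group / NSG export; the field names
are an assumption, not any vendor's schema.
"""
import ipaddress
from copy import deepcopy

# Ports that should never be reachable from 0.0.0.0/0 (assumption for this example).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}

# Constructed sample export. The first rule mirrors the article's scenario:
# a VM deployed with RDP reachable from anywhere.
SAMPLE_RULES = [
    {"name": "allow-rdp-anywhere", "direction": "Inbound", "access": "Allow",
     "protocol": "TCP", "source": "0.0.0.0/0", "dest_ports": "3389"},
    {"name": "allow-rdp-from-bastion", "direction": "Inbound", "access": "Allow",
     "protocol": "TCP", "source": "10.20.0.0/24", "dest_ports": "3389"},
    {"name": "allow-https", "direction": "Inbound", "access": "Allow",
     "protocol": "TCP", "source": "*", "dest_ports": "443"},
    {"name": "allow-admin-range", "direction": "Inbound", "access": "Allow",
     "protocol": "*", "source": "Internet", "dest_ports": "5900-6000"},
    {"name": "deny-ssh", "direction": "Inbound", "access": "Deny",
     "protocol": "TCP", "source": "*", "dest_ports": "22"},
    {"name": "egress-any", "direction": "Outbound", "access": "Allow",
     "protocol": "*", "source": "*", "dest_ports": "*"},
]


def unrestricted_source(source):
    """True if the source matches every internet address ("*", "Internet", a /0)."""
    if source.strip().lower() in ("*", "any", "internet"):
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        # Named service tags (e.g. "VirtualNetwork") are not the whole internet.
        return False


def ports_covered(port_spec):
    """Expand "3389", "5900-6000", "22,3389" or "*" into the management ports it covers."""
    hits = set()
    for part in port_spec.split(","):
        part = part.strip()
        if part == "*":
            return set(MANAGEMENT_PORTS)
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        hits.update(p for p in MANAGEMENT_PORTS if lo <= p <= hi)
    return hits


def find_exposed_management_ports(rules):
    """Return [(rule name, port, service)] for Allow rules exposing a management port."""
    findings = []
    for rule in rules:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule["protocol"].upper() not in ("TCP", "*", "ANY"):
            continue
        if not unrestricted_source(rule["source"]):
            continue
        for port in sorted(ports_covered(rule["dest_ports"])):
            findings.append((rule["name"], port, MANAGEMENT_PORTS[port]))
    return findings


def restrict_sources(rules, allowed_cidr):
    """Return a copy of the rules with each offending rule's source pinned to allowed_cidr."""
    offending = {name for name, _, _ in find_exposed_management_ports(rules)}
    fixed = deepcopy(rules)
    for rule in fixed:
        if rule["name"] in offending:
            rule["source"] = allowed_cidr
    return fixed


if __name__ == "__main__":
    for name, port, svc in find_exposed_management_ports(SAMPLE_RULES):
        print(f"EXPOSED: rule {name!r} allows {svc} (tcp/{port}) from the internet")
    hardened = restrict_sources(SAMPLE_RULES, "10.20.0.0/24")
    print("after restricting to the bastion range:", find_exposed_management_ports(hardened))
```

Two caveats a practitioner would add before relying on this: the check ignores rule priority, so a higher-priority Deny that shadows an Allow is still reported, and it inspects configuration rather than reality. Run it against every group attached to an interface with a public IP, and confirm the result with an external port scan, because the article's point is precisely that the two parties' assumptions about what "deployed" meant did not match what was actually reachable.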
This experience taught me the critical importance of continuously evolving our mental models in cyber security.
Practical Strategies: Cultivating Adaptive Mental Models
So, how can we develop more effective mental models in cyber security? Here are some strategies I've found invaluable:
1. Embrace Cognitive Diversity: Surround yourself with professionals from diverse backgrounds. Their unique perspectives can help challenge and enrich your mental models.
2. Practice Scenario Planning: Regularly engage in "what-if" exercises. This helps you identify gaps in your current mental models and develop more robust frameworks for decision-making.
3. Listen and Stay Curious: Our organisational systems are always evolving and providing us with feedback. Cultivate a practice of constant learning, looking for patterns that signal something has changed or isn't right, so that your mental models stay current.
4. Reflect on Past Experiences: After each security incident or project, take time to analyse your thought processes. What assumptions did you make? Were they valid? Use these insights to refine your mental models.
5. Engage in Cross-Disciplinary Thinking: Draw inspiration from fields outside cyber security. Concepts from biology, psychology, or even art can offer fresh perspectives on cyber security challenges.
The Path Forward: Evolving Our Collective Mindset
As cyber security professionals, we're not just protectors of our organisation’s digital assets—we're cognitive architects of a safer digital future. By understanding and actively shaping our mental models, we can stay ahead of emerging threats and devise more adaptive and innovative approaches for our security challenges.
Remember, the most dangerous phrase in our field is "We've always done it this way." Our mental models should be as dynamic and adaptive as the challenges we face.
Are you ready to take your cyber security thinking to the next level?
I invite you to join me on this journey of cognitive exploration and professional growth. Follow me here on LinkedIn to dive deeper into the fascinating world of Systems Thinking for Cyber Security.
And if you're eager to supercharge your cyber security thinking skills, I have an exciting opportunity for you. I've developed a FREE email course on "How to Think Better in Cyber Security" that will help you cultivate more effective mental models and sharpen your decision-making abilities. You'll find the link to this course here or in my profile.
Interesting read Michael Collins, I think the increased diversity in teams is crucial and great when clients see this as a necessary part of their hiring strategies.