
Hacking the Hackers: Crime analyst gives insight into the psyche of perpetrators

Mark Thorben Hofmann is an internationally sought-after expert when it comes to how hackers think and what drives them. He is not only an organisational psychologist, but has also completed several years of training as a Crime and Intelligence Analyst in California, so he knows his way around intelligence methods. Hofmann works internationally and advises customers who want to know what makes their attackers tick. At it-sa Expo&Congress, he will give the special keynote address "Hacking the Hackers: How companies can build a human firewall". In advance, Hofmann reveals in an interview how he works and how he comes into contact with cybercriminals.

How did you come into contact with the topic of cybersecurity?

I didn't come into contact with it from the technical side. Even during my studies in organizational psychology, I was interested in the darker side of the psyche, especially crime. After my master's degree, I completed a state certification in the U.S. to become a "Crime and Intelligence Analyst." My career path is a bit unusual, because normally you come from criminalistics to psychology and not the other way around, as I did. In the process, I quickly discovered that the image of criminals is mostly a Hollywood myth. Unlike in the movies or on TV, the really smart crimes are found in white-collar crime and cybercrime, not violent crime. The really interesting characters are people who may very well make a lot of money without committing crimes. Unlike, for example, many robbers or thieves, these people would not actually need to become criminals.

From the psychology of crime, then, a path quickly led to cybercrime, because most cybercrime activities address human characteristics, problems, and flaws. This raises very interesting questions psychologically.


In addition to being a Crime and Intelligence Analyst, you are also known as a profiler. What do you mean by that, and what is the connection between the two?

I don't like the term profiler; it evokes the wrong associations. My job has nothing to do with intuition or superpowers. As a crime analyst, I analyze events, processes, people and relationships. That means I need facts or data that I can analyze. If these are not available, I cannot help. The quality of the analysis depends largely on the quality of the data. American law enforcement agencies call this principle NINO - Nothing in, Nothing out.

Your topic for the it-sa keynote is "How companies can build a human firewall". What do you mean by a human firewall?

By that I mean, for example, employees who not only have an awareness of cybersecurity, but also behave mindfully. They don't just click on a link; they first look to see where it leads. Browsers usually show that at the bottom of the page. While many simply click on the link, there are others who have internalized always looking first to see where it leads. Security awareness is now widespread, but what do we infer about behavior, what have people changed? Cybersecurity is cumbersome, requires additional activities, and you have to consciously take that on. Most people, as well as companies, assume that cyberattacks are a threat, but that they themselves cannot be hit. But it takes behavioral change to really be able to counter the danger.
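The "look where the link leads" habit Hofmann describes can also be automated for triage. The following is an added example, not code from Hofmann or from it-sa: it parses the anchors in a constructed sample HTML e-mail (the message text and all domains in it are made up) and flags links whose visible text shows one site while the href points to another, plus links whose target is a bare IP address. The registrable-domain check is a deliberate two-label approximation, because no public suffix list is available offline; treat it as an assumption, not a rule.

```python
"""Flag links whose visible text points somewhere other than the real target.

Added example (not from the interview). It mirrors the habit of hovering
over a link before clicking: compare what the link *shows* with where the
href actually goes.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body; all domains and addresses are made up.
SAMPLE_EMAIL = """
<p>Your account will be suspended. Please sign in at
<a href="http://login.example-bank.com.security-check.example.net/auth">https://www.example-bank.com/login</a>
or contact <a href="https://support.example-bank.com/">support</a>.
Also see <a href="http://203.0.113.7/verify">Verify now</a>.</p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; a scheme is assumed when the text lacks one."""
    parsed = urlsplit(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


def registrable_domain(host):
    # Assumption: last two labels approximate the registrable domain
    # (no public suffix list offline, so "co.uk"-style suffixes are not handled).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def classify_link(href, text):
    """'mismatch' when shown and real domains differ, 'ip-address' for raw IPs,
    'no-host' for unparsable hrefs, otherwise 'ok'."""
    target = host_of(href)
    if not target:
        return "no-host"
    labels = target.split(".")
    if len(labels) == 4 and all(p.isdigit() for p in labels):
        return "ip-address"
    if looks_like_url(text):
        shown = host_of(text)
        if registrable_domain(shown) != registrable_domain(target):
            return "mismatch"
    return "ok"


def check_email(html):
    """Return [(href, visible_text, verdict)] for every link in the HTML."""
    parser = AnchorCollector()
    parser.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, verdict in check_email(SAMPLE_EMAIL):
        print(f"{verdict:11} shown={text!r:40} real={href}")
```

A link whose text is a plain word ("support") cannot be checked this way, which is exactly why the human habit of hovering still matters: the script only catches the cases where the displayed URL contradicts the real one.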

Trade fair it-sa 2019

it-sa Expo&Congress is Europe's largest trade fair for IT security.

What will you cover in your keynote?

The keynote will be divided into three blocks. In the first block, I will give an insight into the perpetrators' world of thought. I'll try to get in touch with offenders. That way, you can gain insights that surprise even professionals. I want to know why they do it, according to which criteria they choose their victims. I am interested in the true motivations of the perpetrators. I will also put a focus on where they learned this, because we need to prevent people from going to the dark side in the long run.

In the second part, I will talk about social engineering and the human factor. It's about a psychological view of attack patterns. Artificial intelligence will also play a role here, because it is changing the attack world. One example is WormGPT, the dark AI. It is primarily designed to generate texts for phishing emails. This is based on results that have worked particularly well so far. AI is a big topic in cybercrime circles.

What can we do to build a human firewall?

The last block deals with the question of what we can do to build a human firewall. So how can we convince employees, and how can CEOs be convinced? We have to convince ordinary people who are not necessarily interested in this topic. To do that, you have to talk about the people, not the company or business processes. For example, many companies rely on phishing tests. Anyone who clicks on a dangerous link is retrained as a punishment. Awareness training is good, but it should never be a "punitive measure", because people perceive it as humiliation. You don't reach people that way. There are far better approaches, and I will present them.

How do you manage to find hackers who are willing to talk, and to get into conversation with them? What makes these people do it?

I often find them on platforms like Reddit; you don't always have to go to the darknet. A certain level of pride or narcissism is often why people talk about what they've done. Sometimes with hackers it's also a bit of autism, but there's not much research here yet. These people usually don't have the opportunity to brag about their deeds and abilities. But if they can do so anonymously, they are willing to tell about it. They are professionals who know very well how to remain anonymous. It's not about identifying perpetrators either, but certain patterns can be identified, and for psychologists, sometimes psychological problems as well.

Why is this interesting for your customers, why do they come to you? Do your clients tend to be authorities or companies?

My clients are mostly companies, but also NGOs or authorities, from Qatar to Switzerland. I work a lot in the Gulf States. I now have two offices, one in Berlin and one in Dubai. The Gulf States have a very ambitious approach to cybersecurity. They even have a ministry for AI.

Mostly, my clients are interested in better understanding profiles and perpetrators in order to derive countermeasures and defense strategies. It's the inside perspective that interests people. By talking to offenders, I gain insights that are interesting to others. Also, I can present the topics in a way that everyone can follow because I limit myself to the human side and not to technical aspects.

Interview: Uwe Sievers