The language, words and phrases in cybersecurity job vacancies create impressions, beliefs, and prejudices discouraging people to apply for a post or getting involved in the cybersecurity field or participating in cyber exercises or operations. Strong words like “cyber fighters”, “cyberwar”, “cyber soldier”, “cyber defender”, “cybersecurity leaders”, “cybersecurity officers” are associated with physical strength, vitality, heroic/brave characters, prudence, and patriotic motives. Although these traits are relevant for military officers and traditional soldiers, they are irrelevant for being a cybersecurity expert or a sophisticated attacker.
These strong and discriminating words discourage talented people from various Groups At Risk of Discrimination (GARDs) (e.g., disabled people, women, non-binary, minorities, members of the LGBTIQ+ community) to join the cybersecurity workforce. Using words like “young” discriminates against older people, ignoring their skills, experiences, talents, commitment, and capabilities necessary for the cybersecurity analytical tasks. We need to avoid such bias language in cybersecurity that offend and discriminate, excluding real talents to get involved. Our cybersecurity language needs to unite, inspire, and include all people with cybersecurity enthusiasm regardless of their gender, age, nationality and/or physical abilities.
Offensive and bias language threatens the European cybersecurity workforce, that needs all the talents available, increases the shortage of cybersecurity skills needed, jeopardizes the trustworthiness of our Digital Single Market (DSM), the security of the EU industry, public peace, order and European solidarity. Extensive regulatory and policy work has been conducted to provide clear guidelines at regulatory and institutional level (e.g., regulations 2000/78/EC, 2006/54/EC, 2000/43/EC, 2002/73/EC, 1975/117/EC) and initiatives (e.g., IWD #BiasCorrect, GSNI) accelerating awareness, implementation and adoption of non-bias in the EU workplaces. These regulations need to apply to the cybersecurity workforce and workplaces as well.
The European cybersecurity communities in academia, market, military and government need to be inclusive, characterized by the European values not contaminated with biased language, which excludes cybersecurity expertise, puts a burden on our digital societies by restricting individual rights, human dignity and equality. Cybersecurity experts (analysts, testers, assessors, threat agents, white or black hackers) have distinct personality, behavioural, social, motivational and technical traits as described in the article by Kioskli K, & Polemi N. “Psychosocial approach to cyber threat intelligence”.
|Personality Traits||Description & Examples|
|Extraversion||Gregariousness (e.g., social engagement in attackers’ groups; Assertiveness/Outspokenness (e.g., Leadership skills); Activity/Energy level (e.g., Enjoys a busy life); Positive Emotions/Mood (e.g., Happiness)|
|Conscientiousness||Orderliness/Neatness (e.g., Well-organized); Striving/Perseverance (e.g., Aims to achieve excellence); Self-Discipline (e.g., Persistent engagement to goals); Dutifulness/Carefulness (e.g., Strong sense of duty); Self-Efficacy (e.g., Confidence to achieve goals)|
|Openness to experiences||Intellect/Creativity Imaginative (e.g., Intellectual style); Scientifically Interested/Originality (e.g., Evidence-based); Adventurousness (e.g., Experiences of different things)|
|Cognition||Knowledge (e.g., Collecting information for the topic of interest); Expectations (e.g., Evaluating strengths and possible outcomes); Attitudes (e.g., Acting based on knowledge and expectations)|
|Social – Behavioral Traits||Description & Examples|
|Selected social exposure||Difficult to adapt to conventional social norms (e.g., Events); Easy to build virtual anonymous, professional relationships (e.g., Using anonymous identity has contacts with other attackers in the Deep Web); Easy to build strong e-bonds in hacking communities (e.g., These communities are closed to the public)|
|Not conventional relationships||Difficult to build physical relationships or contacts; Easy to build professional (with other attackers) virtual, anonymous relationships under their moral code (us versus them approach)|
|Not talkative||Difficult to initiate small casual talks or social talks
Difficult to express him/herself
|Manipulative||Easy manipulating people via electronic means (e.g., phishing)|
|Technical Traits||Description & Examples|
|Networking skills||Knowledge in network architectures, systems, functional and operational aspects (e.g., DNS, HCP)|
|IT skills||Competencies in operating systems (e.g., languages, software and emerging technologies, programming)|
|Soft skills||Problem Solver (e.g., Understand, analyze and solve difficult problems)
Social observer (e.g., Audits security behaviors)
|Forensics skills||Know how to use security scripts, forensics tools (e.g., Intrusion detection/penetration tools)|
|Available resources||Available computing power (e.g., Owns/access to high computer processing power), devices, time, economic support security communities|
|Privileges||Insider (e.g., Works in the organization with significant /limited/no access)
Outsider (e.g., supply chain partner with significant limited/no access)
Outsider-Third party (e.g., vendor/manufacturer with indirect or no access)
|Information/ measurements gathered about the targets; (e.g., CVSS), knowledge in effective attacks|
|Motivational & Social Traits||Description & Examples|
|Political||Political power (e.g., Espionage, fake news)|
|Personal||Personal satisfaction, feeling of accomplishment, boredom, competition, economic gain|
|Cultural||Whistleblower (warns of any digital wrongdoings)|
|Philosophical||Humanitarian/activist/theological goals (e.g., Stealing for societal benefit)|
|Trigger Traits||Description & Examples|
|Vulnerable assets||Open ports (e.g., Zero-day vulnerability)
New non-certified technologies (e.g., App, AI systems)
|Human weaknesses/errors||Vulnerable infrastructures (e.g., No access control in data center)
Unintentional human error (e.g., Distracted administrator)
Intentional human error (e.g., Reckless but knowledge of risk)
The above traits are irrelevant to gender, age, nationality, physical ability, or any person in the GUARD. Safeguarding balanced and inclusive speech in the postings for cybersecurity opportunities (e.g., scholarships), job posts, job duties, operational activities will attract more talented people!