In this video, you will learn to describe the five key skills of critical thinking: challenge assumptions, consider alternatives, evaluate data, identify key drivers, understand context.

Five skills. So now, how do you practice these skills? How do you actually apply these in your everyday life, on your job? How can you grow these and become a better critical thinker? So these skills, these are not my skills. These came from a woman that I worked with at a previous job. These five skills came out of her time working, studying psychology and studying how humans make decisions. So for each of these skills, on the next slide, what I'm going to do is I'm going to go through each of the skills, explain what they mean, provide some additional work to examine how can that be applied to cybersecurity, and how can you actually exercise this.

So we'll start with challenge your assumptions. This sounds easy, but it's hard in practice. It requires questioning your mental model. Questioning the mental model that underlies your reasoning, how do you do that? Because assumptions oftentimes we're not even aware that we're making them. They're based on our past experiences, thoughts, and evidence, or personality. So oftentimes we don't even know that we're making an assumption. What I found is that it's very useful to bring in other perspectives, to talk to other people and start brainstorming and listing out your assumptions, and to continually do this. Throughout the life span of your project, throughout the project timeline, question your assumptions, gather more data, take a systematic disciplined approach to this. So what I usually do is I try to make a framework out of this. I try to put this into steps that distill how you would do this. So step one is explicitly list all assumptions. Again, this requires other people. Invite all of the stakeholders involved whether it's your project manager, colleague, whoever.
Have a brainstorming session where you start to list every possible assumption that you could be having. Then for each of those assumptions, question them, examine them with some key questions. Why do I think this is correct? When could this be untrue? How confident am I that this is valid? What's my confidence level? If it is valid, what would the impact be? This gives you a way to start to triage your assumptions, and then now you can categorize them based on evidence into the solid and well-supported assumption. Is it correct with caveats, or is it unsupported or questionable? Unsupported and questionable doesn't necessarily mean wrong. It just means we need more data. So after you go through this categorization, you refine, you remove, you collect additional data as needed, and you iterate over this. This happens naturally throughout the life span of your project, and so that is your key assumptions check.

Number two. So now, we've checked our assumptions. Are there alternative explanations for a behavior, for an activity? Like I said, our brain computes together a situation with just a few bits of data. But the scary thing is that, if we fail to consider missing data or alternatives, this can lead us down the wrong path. We have to be able to consider alternative explanations. Avoid letting yourself become entrenched in one explanation. I can't tell you how many times this has happened to me, where I've become so engrossed in one explanation that turned out to be wrong because I failed to consider alternative explanations. So again, how do you do this? Brainstorming, get more people in the room. You need those different perspectives. You just need different perspectives of looking at the problem and different creative thought processes. I like to use the six classic journalistic questions as a framework for this, which I'll talk about in the next slide, to evaluate all different dimensions and then also consider the null hypothesis.
This is the exact opposite of what your main hypothesis is. This is a good exercise because sometimes it forces you to look at a problem from a different perspective.

So the six W's. Again, they are very simple. We all know this: who, what, where, when, why, and how. I find that they're very useful for examining explanations or examining these alternative explanations. So in this case, I like to use a threat hunt example. Who is involved? Who's the victim? Who is the target? Who are the stakeholders? Who's affected by the outcome of this? What is at stake? Whether it's data, whether it's a physical asset. What happened? What is the problem? What's the desired outcome of this? Where did this take place? Does geography matter? Where's the infrastructure? Where's the victim? Where's the adversary? Does this matter? Again, when? Does timing matter? Are there key dates? Are there deadlines that we need to be aware of? Why are we doing this? Ask yourself that. Make sure you're solving the right problem. Also what are the key drivers? What could be a motive? How? How are we approaching this? Is it feasible? Then be detailed and specific. Really think through each alternative and what that would entail and whether that's plausible. So again, examine alternative explanations, look at them through the lens of these six different questions to characterize each explanation, and examine it from different dimensions.

So we've identified our assumptions, we've evaluated alternative explanations. Now, we get to evaluate our data. This is one of my favorite skills. This is the crux of the scientific method. Assess the data against multiple hypotheses to see how well it fits. If you've got a favorite hypothesis that the data doesn't fit, then you unfortunately have to let go of that hypothesis. There's a couple of points I'd like to make on this slide that aren't necessarily related directly to critical thinking but I still think are very important to make.
In the start and the bottom, the first is that cyber data is notoriously hard to get, and oftentimes people don't realize that until they need the data. I mean, this can be for a number of reasons, whether it's policy, privacy issues, maybe HIPAA, GDPR. Maybe there are reasons that your customer, your client, or whoever, you can't get the data. It could be that it's not collected. If your network is not instrumented to collect certain data or your host systems aren't instrumented to collect certain logs, the data doesn't exist. Then you can't do anything. So what I like to tell people is to be proactive. Be proactive when you're setting up a new network environment, a new system. Establish a baseline for what's normal. Understand what's important on your network and what data you would need to capture in order to triage problems or to monitor its health and wellness. So the nice thing about this too is that it helps you establish a baseline for what's normal. It helps you to see what does normal source and destination web traffic look like, what does normal activity look like. This is key to anomaly detection. This is how you'll be on the lookout too for inconsistent data. So again, evaluating data, if the data is not there, it's not there. Be proactive. Be proactive in establishing good data collection practices.

Skill number four. So identifying key drivers. So again, key drivers are things that can significantly impact a situation, and they're not always technical in nature. So think about the behavior from a cybersecurity perspective, these obviously do include technology so encryption, authentication, tools/frameworks, infrastructure availability, but they also include things like regulatory and political drivers. So privacy, GDPR, General Data Protection Regulation, intellectual property, supply chain, logistics issues. Your employees, the employees themselves, their training needs, their perspective, their skills, and then your threat actors.
We always have that adversary, that other person. What are their technical capabilities? What are their motives? What are their opportunities? So a nation-state threat actor is going to have a lot more financial capability, and perhaps different motives than a script kiddie, or somebody who's hacking at your server from a basement somewhere. A number of different drivers that can impact your situation, that it's important to be aware of because they're not always technical.

Number five, understanding context. So what does this mean? Context is the operational environment in which you are working, and so the context [inaudible] is different from the context at a university, which is different than a context perhaps at Microsoft, or another company. So context matters. Be aware of different perspectives of your managers, your colleagues, your clients. Ask yourself these questions: what do they need from me, how can I explain the issue, do I need to place their questions in a broader context? This is where the notion of framing techniques comes into play. So you'll recall at the beginning of the presentation when I outlined the goal of this talk, and also what I mean by critical thinking. That was a framing technique to ensure that we are all on the same page, and to understand that we're all using the same vocabulary because this helps to avoid confusion, and avoid problems down the line. So I love framing techniques as just the solution to mitigate problems down the line.

So framing the issue. Again, there's a number of steps that you can do to help you look at an issue or situation more objectively. The first is to identify the key components inherent in whatever the situation is. So what does this mean, who or what are the key components? You break them down into component parts, and start listing your key actors, key categories. Then from there, try to identify the different factors at play. You understand the components.
What are the driving forces, and again, this will allow you, going back to that driving forces diagram, to start revealing additional insights and relationships that you might not have been aware of initially. Now you can start to look at relationships, or patterns in relationships that exist among different components and factors. Are they static? Are they dynamic? In the case of maybe doing a threat hunt investigation, often graphing databases may help you start to visualize different relationships among entities. In similarities and differences, are there historical analogies that you could fall back on? Have you seen similar patterns, behaviors, or situations in a different context or in a different experience? You're okay to pull from that. Then redefining. Experiment with different ways to reframe your problem. Write down what you know, what you don't know. How can you look at it differently? Is there a root cause perhaps that you're not seeing?

So going back to our elevator problem, again, just to remind us, we're managers of a high rise apartment complex, people are complaining that the elevators are too slow. We've got a number of different approaches to fixing this problem. I'm sure all of you came up with your own approach. You have a varied thought process. This is a real anecdote. This is a real situation that happened, and what they ended up doing was installing mirrors, they installed mirrors. The complaints died. All of a sudden, the elevators are faster. This is a classic example of problem framing, and how you can, by changing the problem framing, fundamentally change the solution space. By installing mirrors, the problem wasn't that the elevator was too slow. The real problem that people are complaining about was that waiting is boring. It was boring to stand there and wait because their minds weren't focused. They're focused on the waiting.
By installing mirrors, now, all of a sudden, people who are waiting for the elevator are distracted. They can look at themselves, they can look at other people. They're not focused on the elevator. So rather than making the elevator faster, the solution space is transferred into shorten the perceived wait time. That can be done a lot more simply and cheaply by putting up mirrors, playing music, installing art displays, things like that. So this is an example of this notion of problem framing, and how to refine these different aspects of a problem to deliver, like, these radical improvements and spark solutions to seemingly intractable problems. Again, this is why having that big diversity of perception, or of thought, within cybersecurity is so important.

So again just to recap the five skills that I've outlined here: challenge your assumptions, refine as you learn more; consider alternative explanations, don't get entrenched in one explanation; evaluate data. Again, does the data fit your hypothesis? Identify the key drivers, and what are the driving forces at play, remembering that they're not always technical, they might be political. They might be personnel issues. There could be a number of driving forces. And understand the context, understand the context in which you are working. Can you put yourself in other people's shoes? Can you reframe the problem, so the solution space is different?