OSTI.GOV · U.S. Department of Energy
Office of Scientific and Technical Information

Title: Investigating the Relationship between Need for Cognition and Skill in Ethical Hackers

Conference · Part of the Advances in Intelligent Systems and Computing

As technology gets more complex and increasingly connected, there is an increasing concern with cyber security. There is also a growing demand for cyber security professionals. Unfortunately, there currently are not enough skilled professionals to meet that demand. In order to prepare the next generation of cyber security professionals to meet this demand, we need to understand what characteristics make skilled cyber security professionals. For this work, we focus on professionals who take an offensive approach to cyber security, so-called ethical hackers. These hackers utilize many of the same skills that the adversaries we defend against would use, with the goal of identifying vulnerabilities and addressing them before they are exploited by adversaries. A commonly held belief among ethical hackers is that hackers must possess exceptional curiosity and problem-solving skills in order to be successful. Curiosity has been studied extensively in psychology, but there is no consensus on what it is and how to measure it. Further, many existing inventories for assessing curiosity are targeted at measuring curiosity in children. Although there isn’t an accepted standard to assess curiosity in adults, a related construct, called Need for Cognition, may capture what is meant when people speak of curiosity. The Need for Cognition scale also captures the tendency toward preferring complex problems (which correlates with good problem-solving skills), which may provide insight into what makes skilled hackers. In addition to the Need for Cognition, we used a structured interview to assess hacker skill. Hackers rated their own skill on a scale from one to ten on a predefined list of hacker skills. They were then asked to rate a peer who they felt was most skilled in each of the skills. They were asked to rate two peers for each skill, one that they worked with directly and one person that was the most skilled in the field (these could be known by reputation only).
The hypothesis is that hackers have a higher than average (i.e., compared to non-hackers) Need for Cognition and that Need for Cognition will be positively correlated with self-reported and peer-reported skill. We interviewed 20 cyber security researchers who specialize in offensive approaches. Based on the responses to the hacker skill inventory, we generated a self-reported skill score for each participant. We also developed a peer-rating for each participant based on the number of times each individual that was interviewed was named as the most skilled in a particular area. The results indicate that the sample of ethical hackers has a high Need for Cognition and that Need for Cognition was related to both self-reported skill and peer-reported skill. The results are discussed in the context of training and recruitment of cyber security professionals.

Research Organization:
Idaho National Lab. (INL), Idaho Falls, ID (United States)
Sponsoring Organization:
USDOE Office of Nuclear Energy (NE)
DOE Contract Number:
DE-AC07-05ID14517
OSTI ID:
1358196
Report Number(s):
INL/CON-15-37384
Journal Information:
Part of the Advances in Intelligent Systems and Computing, Vol. 501; Conference: 7th International Conference on Applied Human Factors and Ergonomics, Florida, USA, July 27–31, 2016
Publisher:
Springer
Country of Publication:
United States
Language:
English