Cyber-security can be stressful job, which should come as a surprise to no one who works in the IT industry. But what precisely is the impact of stress on work performance in cyber-security? That’s a question that the U.S. National Security Agency has attempted to answer.
Celeste Lyn Paul, senior researcher, and Josiah Dykstra, deputy technical director of NSA Cyber-Security Operations, gave a presentation at Black Hat USA in Las Vegas on Aug. 8 titled “Stress and Hacking,” which included details on research about the impact of stress on cyber-operations.
“In cyber-security we traditionally focus on the technology, but we’re also curious about the people,” Dykstra said.
The NSA has multiple roles within the U.S. intelligence community, including providing cyber-security to help defend national security, as well as signals intelligence operations that intercept and exploit foreign signals. Another NSA activity is exploitation of adversary computer networks, which is conducted by human operators, according to Dykstra.
Paul noted that tactical cyber-operations is hands-on-the-keyboard work, similar in nature to a red team in an enterprise environment. Tactical cyber-operations are planned, structured activities with high risks and real-life consequences if there is a failure. This makes tactical operations stressful on operators, she said.
“Stress can be harmful on humans,” Paul said.
Stress can lead to employee turnover, which is something that neither the NSA nor any enterprise wants, because of the time it takes to train a workforce. Although everyone experiences stress in everyday life, it is the chronic repetitive stress, where the individual feels he or she has no sense of control, that is typically the most harmful, she said.
Hacking is stressful because it is complex and unpredictable and has a high risk/reward, Paul said.
The Impact of Stress
In attempt to quantify the impact of stress, the NSA ran a research study across four of its locations and involved 126 tactical cyber-operators, including both civilian and military personnel.
The NSA looked at three primary factors across its tactical operators in an attempt to measure the impact of stress—fatigue, frustration and cognitive workload. Paul defined cognitive workload as being the amount of mental effort needed to use memory.
To measure fatigue, the NSA researchers asked operators how aware or tired they were before and after an operation, measuring responses using the Samn-Perelli Fatigue Scale. For frustration and cognitive workload, the researchers used the NASA Task Load Index (TLX) measure, which looks at multiple factors including mental, physical and time demands, alongside frustration level and effort required to complete a task.
Paul said it came as no surprise to her and the research team that the study revealed that tactical cyber-operations cause elevated levels of stress. Looking at the numbers, she noted that operators were on average 16 percent more fatigued after an operation than they were before one. In terms of frustration, post-operation levels were higher by 12 percent.
The results also showed that no matter how much the mental or physical demands grew, there was no relationship to the operator’s self-assessment for performance. Paul said that where there is a link is between frustration and performance.
“As frustration goes up, self-assessment of performance goes down,” she said.
The NSA study found that the average operation length is approximately 5 hours, but as operation length increases beyond that, there is a corresponding increase in fatigue and frustration. Operators experienced approximately 10 percent more fatigue and frustration when operations exceeded 5 hours compared with operations of less 5 hours.
“We’re not trying to take stress away from tactical cyber-operations. Stress is not bad when it’s managed,” Paul said. “When it’s unmanaged and people don’t feel they have control, that’s where we see the negative effects.”
For the NSA and its operators, the negative effects of stress are not the same as they are in the private sector, which could include losing money or customers.
“The NSA is part of the Department of Defense and is here to protect the nation,” she said. “A mistake could affect things for a lot of people, so we have to make sure they [operators] also take care of themselves.”
Dykstra said that lessons the NSA has learned can help commercial enterprises as well. He recommends that organizations have employees take a cyber-operations stress test to evaluate how stressed they are feeling. Based on the feedback, proactive measures can be taken, such as reviewing policies on breaks and scheduling to reduce fatigue and frustration levels.
“Ultimately, we can empower operators with happy, healthy work environments,” Dykstra said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.