How did you come into contact with the topic of cybersecurity?
I did not come into contact with this from the technical side. During my studies in organisational psychology, I was interested in the darker side of the psyche, especially crime. After my Master's degree, I completed a state certification in the USA to become a "Crime and Intelligence Analyst". My career path is somewhat unusual, because normally you come from criminology to psychology and not the other way around like I did. In the process, I quickly discovered that the image of criminals is mostly a Hollywood myth. Unlike in the movies or on TV, the really intelligent crimes are found in white-collar crimes and cybercrime, not violent crime. The really interesting characters are people who may very well make a lot of money without committing crimes. Unlike many robbers or thieves, for example, these people would not actually need to become criminals.
From the psychology of crime, a path then quickly led to cybercrime, because most cybercrime activities address human characteristics, problems and mistakes. This raises very interesting questions psychologically.
In addition to Crime and Intelligence Analyst, you are also called Profiler. What do you mean by that and how is it connected?
I don't like the term profiler, it evokes the wrong associations. My job has nothing to do with intuition or superpower. As a crime analyst, I analyse events, processes, people and relationships. That means I need facts or data that I can analyse. If these are not available, I cannot help. The quality of the analysis depends largely on the quality of the data. The American law enforcement agencies call this principle NINO - Nothing in, Nothing out.
Your topic for the it-sa keynote is: "How companies can build a human firewall". What do you understand by a human firewall?
By this I mean, for example, employees who not only have an awareness of cybersecurity, but also behave mindfully. They don't just click on a link; they first look to see where it leads. Browsers usually show this at the bottom of the page. While many simply click on the link, there are others who have internalised the idea of always looking first to see where it leads. Security awareness is now widespread, but what behaviour do we derive from it, what have people changed? Cybersecurity is cumbersome; it requires additional activities, and you have to consciously take that on. Most people, as well as companies, assume that cyber attacks are a threat but cannot hit them themselves. But it takes behavioural change to really be able to counter the danger.
Which topics will you cover in your keynote?
The keynote will be divided into three blocks. In the first block, I will give an insight into the perpetrators' world of thought. I try to get in touch with offenders. This way you can gain insights that surprise even professionals. I want to know why they do it, what criteria they use to choose their victims. I am interested in the real motives of the perpetrators. I will also focus on where they learned this, because we have to prevent people from turning to the dark side in the long run.
In the second part, I will talk about social engineering and the human factor. It is about a psychological view of attack patterns. Artificial intelligence will also play a role here, because it is changing the world of attacks. One example is WormGPT, the dark AI. It is primarily designed to generate texts for phishing emails. This is based on results that have worked particularly well so far. AI is a big topic in cybercrime circles.
The last block deals with the question of what we can do to build a human firewall. So how can we convince employees, and how can we convince CEOs? We have to convince ordinary people who are not necessarily interested in this topic. To do that, you have to talk about the people, not about the company or business processes. For example, many companies rely on phishing tests. Anyone who clicks on a dangerous link is retrained as a punishment. Awareness training is good, but it should never be a "punitive measure" because people perceive it as humiliation. You don't reach people that way. There are far better approaches; I will present them in my keynote.
How do you manage to find hackers who are willing to testify, and how do you get into conversation with them? What makes these people do it?
I often find them on platforms like Reddit; you don't always have to go to the darknet. A certain level of pride or narcissism is often the reason why people talk about what they've done. Sometimes with hackers it is also a bit of autism, but there is not much research on this yet. These people usually don't have the opportunity to brag about their deeds and abilities. But if they can do so anonymously, they are willing to tell about it. They are professionals who know very well how to remain anonymous. It is not about identifying perpetrators either, but certain patterns can be identified and, for psychologists, sometimes psychological problems.
Why is this interesting for your customers, and why do they come to you? Do your customers tend to be public authorities or companies?
My clients are mainly companies, but also NGOs or public authorities, from Qatar to Switzerland. I work a lot in the Gulf States. I now have two offices, one in Berlin and one in Dubai. The Gulf States are very ambitious in their approach to cybersecurity. They even have a ministry for AI.
Mostly, my clients are interested in understanding profiles and perpetrators better in order to derive countermeasures and defence strategies. It is the inside perspective that interests people. Talking to offenders, I gain insights that are interesting for others. Moreover, I can present the topics in a way that everyone can follow, because I limit myself to the human side and not to technical aspects.
Interview: Uwe Sievers