How hackers think | Weatherhead School at Case Western Reserve University

How hackers think

Posted 2.23.2015

Timothy C. Summers is a PhD Candidate in Management: Designing Sustainable Systems at the Weatherhead School of Management. He recently defended his dissertation, How Hackers Think: A Mixed Method Study of Mental Models and Cognitive Patterns of High-Tech Wizards.

What is a hacker?

The dictionary provides two definitions for the term “hacker”:

  1. A person who is inexperienced or unskilled at an activity, and
  2. A person who illegally gains access to and sometimes tampers with information in a computer system.

So according to our communication tools, a hacker is either someone who knows nothing or someone that knows a lot but uses it for illegal purposes.

In my 20+ years of experience, I define a hacker as a person—specifically a technologist—with a proclivity for complex problem solving. A “hack” is an inventive solution to such a problem reached by unobvious means, which makes hacking an activity that requires exceptional cognitive abilities.

Bruce Schneier, a respected security researcher, defines a hacker as “…someone who disregards conventional wisdom and does something else instead.”


What does it mean to be a hacker?

In most cases, being a hacker is something that one chooses, but it also chooses the person. A hacker is someone who experiments with the limitations of systems for intellectual curiosity. In some cases, this desire to experiment with a system can almost seem like a compulsion. Some hackers describe interacting with a new system and almost automatically conceiving of the vulnerabilities and potential flaws in the design and functionality.

Being a hacker—as one of my interviewees described—can be both a gift and a burden, particularly when one realizes the amount of responsibility associated with such talents in a technology-reliant world. 


What motivates hackers like the ones who have accessed company records from organizations like Anthem, Sony, and others?

The answer to the question is “it depends.” A recent study done by Thycotic (2014) suggests that the motivational breakdown for hackers is:

  • 51% fun/thrill
  • 29% moral compass
  • 19% financial gain, and
  • 1% notoriety.

Based on these results, most hackers do it for the lulz (fun). Arguably, the hackers like those behind the Sony attack had different motivation and intent than those behind the Anthem breach.

But much can be surmised about the company attacked. For example, if someone hacks a bank, there is a strong possibility that it has to do with financial gain. In fact, recently a Swiss bank was hacked, and the hackers requested a payment not to release customer data. When I asked the hackers why they had hacked the bank, they said:

  1. the attack was incredibly easy,
  2. this bank should be ashamed for allowing such a security flaw to exist, and
  3. we wanted to make some money.

The hackers requested the equivalent of $12,000 USD.

It is hard to say why someone does what they do, but regardless of whether a person is a white hat (ethical hacker) or a black hat, their brain is pulling the strings—enabling them to perform logical reasoning and systematically think through possible actions, alternatives, and potential conclusions. This is why I have made it my business to understand the hacker mind. Based on my research, we will be able to better understand the commonalities and differences of the mental models of white hat and black hat hackers.


What is unique about the way a hacker thinks, and how can this positively – or negatively – affect the way businesses operate in this increasingly tech-driven society?

First and foremost, hackers speak and understand the language of technology: code. It is technology and code that propels the evolution of our daily lives, which makes hackers the solvers of our largest, most complex technological issues.

Beyond that, hackers are unique because of their almost compulsive desire to command and control systems, to make them do things for which they may or may not have been originally designed. This can have both positive and negative effects, heavily dependent on the intent of the person who possesses such abilities.

My research uncovered that hackers use their mental models – internal representations of the external world – to perform just-in-time learning and generate testable predictions, thereby enabling them to adapt to environments that abound with ambiguity – like that of technology.

The hacker’s mind is exactly what many companies need to protect themselves.

For example, cybercrime is costing societies more than $1 trillion dollars, with billions of dollars being stolen from small, medium, and large sized enterprises, identities of millions of individuals compromised, and several governments across the world having become targets of cyber warfare. With this in mind, it is advantageous for all of us to have forward-thinking hackers on the team.

The unique cognitive development of a hacker is not only an advantage when businesses need to be protected from hacks but imperative for businesses to fight on a fair playing field when keeping up to date with the constantly changing technology.

The media tends to cast hackers in a negative light, but their way of thinking and processing actually advances computer and network functionality.


What have you discovered in your research on strategies for improving the cognitive mechanisms necessary for hacking? Are there programs and educational institutions that are adopting these kinds of strategies for developing this skill? How can governments, universities, and businesses work with hackers?

The media is still trying to get a grasp on the concept of hackers. As far as they are concerned, the hackers are the thieves stealing money and identities; however, that’s only part of the story. Within my research, I paint a comprehensive picture of the history of hackers – from the guys who originated on the MIT and Carnegie Mellon campuses to the black hats that we hear about in the news today – and how that history is inextricably linked with the evolutions in technology that have so strongly impacted our lives. In fact, my research indicates that with each new generation of technology there has been a new generation of hacker. This further echoes the link between the hackers and the systems they hack.

Yes, there is a link between the hacker mind and the advancement of computers and network functionality. Hackers truly are the immune system of the Internet.

We can improve the cognitive mechanisms of hackers through the development of cognitive development tools and services. To my knowledge, there are no educational or governmental institutions that are using these kinds of strategies for developing hackers. To alleviate the lack of activity in the cognitive development of hackers, I am building a platform, called Gray Matter™. Using my research and our advancing knowledge in cognitive science, Gray Matter™ will be able to improve hacker effectiveness. 


About Dr. Timothy C. Summers

Dr. Summers is a scholar-practitioner in the fields of organizational management and cybersecurity. As one of the world's leading experts in hacker cognitive psychology, Dr. Summers received his PhD in Management: Designing Sustainable Systems from Case Western Reserve University. He also holds a Master of Science degree in Information Security Policy and Management from Carnegie Mellon University, advanced education in Project Management from Villanova University, and a Bachelor of Computer Science and Business Administration from Elizabeth City State University. Dr. Summers additionally is a Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP).

As the President of Summers & Company, LLC, Dr. Summers has nearly two decades of consulting experience in strategic management and technology services. Previously, Dr. Summers was a consultant with one of the world’s oldest and most prestigious management and technology consulting firms. Prior to his consulting experience, Mr. Summers provided organizational management and cyber security guidance to various businesses, governments, and institutions.
