SPRING 2017 MIT SLOAN MANAGEMENT REVIEW 95 SLOANREVIEW.MIT.EDU
To Improve Cybersecurity, Think Like a Hacker
José Esteves (IE Business School), Elisabete Ramalho (Google), and Guillermo de Haro (King Juan
Carlos University) pp. 71-77
In the past several years, the list of companies whose internal systems have been hacked has grown
rapidly. It now includes such high-profile businesses as Target, JPMorgan Chase, Home Depot, Sony
Pictures, Ashley Madison, and Yahoo. No industry appears to be safe from attacks. Unfortunately, the
authors say, investment in security measures is only part of the answer; traditional methodologies can
only do so much. To be effective, managers in charge of cybersecurity need to adjust their mindsets and
become as open and adaptive as possible.
In this article, the authors present a framework drawn from the knowledge and opinions of experts, including
interviews with more than 20 experienced hackers. As the authors explain, hackers have two different mindsets
depending on the stage of the attack: explorative and exploitative. An exploration mindset used in the early
stages of an attack combines deliberate and intuitive thinking and relies on intensive experimentation. Once
access to a system is gained, hackers adopt an exploitation mindset. An attack typically involves four steps:
Step 1: Identifying Vulnerabilities
If hackers think your company is worth attacking, they will examine it thoroughly for weaknesses, surveying
the network information, organizational information, and security policies. Companies can protect themselves
by adopting an iterative and adaptive process and making a point of conducting a high-level “footprint” of
their systems on a regular basis. They should also make sure that employees are well informed on policies
regarding the sharing of information.
Step 2: Scanning and Testing
After a hacker has broken into your network, weaknesses in the applications running on the systems in that
network could become avenues for further unauthorized access. To protect your company, examine your network
and identify potential weaknesses.
Step 3: Gaining Access
Hackers often draw on both sophisticated technical knowledge and social skills to breach company security.
Companies need to consider how a hacker could gain access to their systems.
Step 4: Maintaining Access
Hackers try to retain their “ownership” of the system and access for future attacks. Organizations need to
remain vigilant for suspicious activity in system logs and to ensure that monitoring systems are always up
to date.
“Cybersecurity is a game of cat and mouse in which the cat always makes the first move,” the authors
write. The more you can think like a hacker, the better able you will be to protect your company.
REPRINT 58314. For ordering information, see page 4.
Protect Your Project From Escalating Doubts
Karen A. Brown (Thunderbird), Nancy Lea Hyer (Vanderbilt), and Richard Ettenson (Thunderbird) pp. 78-87
Many projects are launched with great promise but lose traction and momentum during project delivery,
when the real work of the initiative is underway. Shifting organizational priorities, changes in leadership,
and distrust of information about the project’s progress can scuttle a project’s reputation and, ultimately,
its chance for success. This self-perpetuating downward spiral can cause contributors to distance themselves
from an effort that is losing support, cannot overcome inertia, or worse, is derailed. Even the most technically
sound and strategically important projects can fall into this “cycle of doubt” and fail to meet their objectives.
Building on previous work on project branding, the authors conducted a multisource, practice-based
field investigation to seek insights on how to help organizations and project leaders understand, avoid,
and recover from the cycle of doubt. Analyses revealed practical insight on three related issues: how to
recognize when a project is vulnerable to the cycle of doubt; how to ensure that a project does not fall
into a downward spiral of skepticism; and how to reverse negative momentum if a project begins to
stall. The research found four main categories of doubt triggers that can sap support and lead a project
into a negative tailspin. These warning signs are when strategic priorities change, sponsors appear
equivocal, delivery hiccups occur, or communication missteps raise doubts. The authors offer eight
action steps providing possible avenues by which vulnerable projects can successfully overcome or avoid
a momentum slide. An additional checklist helps project leaders get a sense of how well (or poorly)
their projects are positioned to forestall or recover from escalating doubts.
REPRINT 58309. For ordering information, see page 4.