Job Analysis Results for Malicious-Code Reverse Engineers: A Case Study
June 2014 • Technical Report
This report describes individual and team factors that enable, encumber, or halt the development of malicious-code reverse engineering expertise.
CMU/SEI Report Number
DOI (Digital Object Identifier): 10.1184/R1/6574970.v1
Recently, government and news media publications have noted that a large-scale military cyberattack against the United States will be crippling primarily because of the existing personnel shortages and expertise gaps in the cybersecurity workforce. One critical job role within cyber defense teams is the malicious-code reverse engineer who deconstructs malicious code to understand, at the binary level, how the malware behaves on a network. Given the severe staffing shortages of these engineers, efforts to identify individual traits and characteristics that predict the development of expertise are important. Currently, job analysis research on teams of malicious-code reverse engineers is lacking. Therefore, a job analysis was conducted to identify individual factors (e.g., cognitive abilities, knowledge, and skills) and team factors (e.g., team leadership, decision making) that enable, encumber, or halt the development of malicious-code reverse engineering expertise. A 10-member malicious-code reverse engineering team was interviewed using a contextual inquiry/semi-structured interview hybrid technique to collect job analysis information. Performance factors were inferred based on the raw interview data.
The results indicate that expert performance requires other non-domain-specific knowledge and skills (e.g., performance monitoring, oral and written communication skills, teamwork skills) that enable successful performance. Expert performance may be enabled by personality factors (i.e., conscientiousness) and cognitive abilities (i.e., working memory capacity). Attributes of successful novices were also collected. Subsequent research will empirically validate that these factors predict the development of expertise. Training and operations implications for this research are also detailed.