PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

Are Hackers Happy? No, They're Probably Stressed Out

Hackers in the movies frenetically pound keyboards and celebrate when they get a win. The NSA finds that in the real world, their cyber operators can suffer serious stress.

Neil J. Rubenking
 & Neil J. Rubenking Principal Writer, Security

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

LAS VEGAS—In the movies, hackers pound keyboards feverishly while mysterious numbers scroll across old-fashioned screens. They look intense, driven, but when the job is done, it's party time.

Black Hat Bug ArtIn the real world, those hackers might be suffering episodic or chronic stress, according to the National Security Agency (NSA), which ran a scientific psychological study on the matter. The results weren't very surprising (fatigue + stress = bad), but having statistically valid proof gives the issue a certain gravitas they wouldn't have had otherwise.

Stress in Cyber

During a panel here at Black Hat, Dr. Celeste Lyn Paul, a senior researcher with the NSA, pointed out that it was one of four conference tracks focusing on mental health; others cover addiction, PTSD, and avoiding burnout and depression.

"Anyone who's worked in this field has known these issues exist," she said. "Now we can focus on safety and health."

Dr. Paul, who earned a Ph.D. in Human-Centered Computing and teaches human-computer interaction at the University of Maryland, argued that acute stress, the kind that puts you in fight-or-flight mode, isn't necessarily a bad thing. But episodic stress—stress events over and over—doesn't give you time to recover, and can exacerbate ill health. And chronic stress—continuous stress with no sense of control—can make a healthy person sick.

Other government agencies have already thought about how to measure stress. The Samn-Perelli test, for example, measures fatigue and frustration in fighter pilots. And NASA's task load index measures frustration, fatigue, and a multi-part component called cognitive workload, which subdivides into Mental, Physical, Time (rushed or not), Performance success, Frustration, and Effort.

The NSA developed a quick one-page survey for cyber operators to fill out before and after an operation. "We made it short on purpose," said Dr. Paul. "Working in a mission environment, we didn't want to affect the mission by stressing our operators."

The Result? Time Matters

The NSA study took place at four agency locations: DC, Georgia, Texas, and Hawaii. It involved 126 operators, both civilian and military, with 361 total surveys. Statistics wonks will appreciate that the results of the study proved to be statistically significant. But for the rest of us, I'll cut to the chase.

The self-reported Success estimate hardly varied, suggesting that the operators considered the mission to be all important, regardless of the effect on their fatigue and other effects. The one component that dashed their feeling of success was fatigue. And fatigue was significantly less with missions under five hours compared with those that are longer.

"Cyber is hard," said Dr. Paul. "There will be stress. When it becomes unmanageable it's where we see negative effects. And it's harder in our environment. It's about protecting the nation, life, property and sovereignty. Imagine being the guy at the keyboard in charge of all that. You make a mistake, you could affect a lot of people."

She closed on an optimistic note, though. "What we found out from this work is going to help, and we have started making progress."

Josiah Dykstra, an NSA Subject Matter Expert, urged Black Hat attendees to use the NSA data to evaluate their own operations. "Many of you do work similar to ours," he said. "You can review your policies on breaks, scheduling and operation length. And you can empower operators with happy, healthy work environments."

The survey form and the entire study will be made available on the NSA.gov website, Dykstra said.

About Our Expert

Neil J. Rubenking

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.

Read the latest from Neil J. Rubenking

Read full bio