Breaking Brains, Solving Problems: Lessons Learned from Two Years of Setting Puzzles and Riddles for InfoSec Professionals

Conference: BlackHat USA 2020



Puzzles and riddles can improve problem-solving skills in cybersecurity and other areas, and can contribute to culture and engagement in the workplace.
  • Puzzles and riddles can develop problem-solving skills that can be applied to larger and day-to-day problems.
  • Designing puzzles and riddles requires thought and consideration of the audience.
  • Measuring engagement and statistics is important to improve puzzles and riddles.
  • Encouraging inclusivity and teamwork can improve engagement and problem-solving skills.
  • There is a gap in research on the psychology of security-related problem-solving.
  • The speaker plans to create a repository of workplace puzzles and hopes others will contribute.
  • The speaker encourages attendees to participate in a crossword puzzle.
The speaker led a project that involved problem-solving in the context of security. They encountered biases and had to consider related problems in human-computer interaction, bot detection, and antivirus evasion. The project highlighted the importance of problem-solving skills and the need to recognize biases.


Many of us got into security because we like solving hard problems, and problem-solving is often listed as a specific requirement in security job descriptions. You might need problem-solving skills to crack niche technical issues in exploit development or mitigation, or when investigating threats and compromises. Or it might be more general, like developing strategies and policies. But what does it mean to be 'good' at problem-solving? How do our minds work when solving problems? More importantly, how do we get better at it?

In this talk, I'll present findings from over two years of creating and setting puzzles and riddles designed specifically for a team of 300 cyber security professionals as part of a dedicated program. Some were technical challenges, similar to CTFs; others focused on linguistics, lateral-thinking, probability, mathematics, and logic. I'll cover the program's inception; how its puzzles were designed and solved; and the findings - including an analysis of improvements over time, which types of puzzles were most popular/solved and why, and case studies of where improvements in problem-solving actively helped with day-to-day work. I'll set all this against a background of academic research on problem-solving, discussing the mental processes which take place and how they can be strengthened with practice and exposure to different types of challenges.

I'll also share some observations on how the program fostered collaboration and cooperation between staff from different teams, technical abilities, and backgrounds – sometimes deliberately, sometimes completely accidentally.

Finally, I'll conclude by sharing some resources which have helped me, give you tips on starting your own puzzle program, and suggest ways in which the community can work together to build and maintain a repository of puzzles and findings. I'll also set a puzzle during the talk - first to message me with the correct answer wins a prize!