Carbon-based vuln hunters will always be better at infosec than AI, insist puny humans

No intelligent pentesting systems were available to comment on this assertion


Puny humans still think they're superior to AI when it comes to infosec – and a significant number still don't venture into meatspace or get enough sunlight.

So reckons a survey carried out on behalf of Bugcrowd, which also made the edifying finding that 64 per cent of independent infosec researchers are on median incomes below $25,000/year – with half being aged 24 or younger.

Bugcrowd, which competes with HackerOne in the "crowdsourced security" bug bounty market, released its "In The Mind of a Hacker" report to shed some light on the sorts of people using its services. While it referred to them throughout as "hackers", it meant both infosec researchers and pentesters who claim bug bounties through its platform – the people whose work helps thwart criminal hackers with bad intentions.

Financial reward was not the number-one motivation of the survey's 3,500 respondents either: just under a third (30 per cent) said "learning" was their main motivation, followed by a quarter who cheerfully admitted they were doing it for the cash. A fifth said they enjoyed the problem-solving element of vuln hunting.

"Hackers will always be one step ahead of AI when it comes to cybersecurity because humans are not confined by the logical limitations of machine intelligence," said Jasmin Landry, top-ranked Bugcrowd hacker. "For example, hackers can adapt four to five low-impact bugs to exploit a single high-impact attack vector that AI would likely miss without the creative flexibility of human decision-making."

Eye-catchingly, or perhaps not, the company's survey found that 87 per cent of humans agreed with Landry. No AI pentesting solutions were asked to respond.

Of the 3,500 people who answered the survey, just under half (48 per cent) reckoned healthcare orgs were most vulnerable to cybercrime during the COVID-19 pandemic. Although some ransomware gangs announced earlier this year they would stop targeting healthcare organisations, other notable names from the underworld declined to join those calls.

Bugcrowd also asked ethical infosec researchers how much sunshine they had access to during the year. A third answered "less than three hours a day", helping reinforce the stereotype that begins with an angry young man hiding inside a hoodie, an image 71 per cent said depicted them. And yes, at present it's almost always men: 94 per cent of respondents said they were male. ®
