Upload
owen-perkins
View
218
Download
0
Tags:
Embed Size (px)
Citation preview
“Cyber-securing the Human” CSIT 2015 Mary Aiken: Director RCSI CyberPsychology Research Centre
2
“Claims for the independence of
cyberspace…are based on a false
dichotomy…physical and virtual are not
opposed; rather the virtual complicates the
physical, and vice versa” (Slane, 2007)
The Virtual World & Real World
3
The Weakest Link…
‘It’s time to really consider the awkward entity whose thumbs are too big
for cell phone keypads, bodies are clumsily shaped for wearable
technology-design, memory is too weak to retain multiple 10-digit
passwords - the “thing” that the cyber-security guys call ‘”the weakest link
in any secure system.” In other words, it’s time to factor in the human.’
(Aiken, 2015 - in press)
4
Insight at the Human/Technology Interface
HUMAN TECHNOLOGY
CYBER PSYCHOLOGY
Privacy Dignity Self-Endangerment Needs, Habits & Emotions Identity Harassment Anonymity Welfare & Rights Development Creativity Resilience Skills Education Environment
Big Data Policy Governance IOT Cyber Law Artificial Intelligence
Content Industry Mobile
Tools Safety
Security Risk Algorithms Authentication/age verification
Privacy Fragmentation
Biometrics
5
Cybersecurity: Blind spot
• Critical task: build body of established findings of how human beings experience technology
• Efforts have focused on tech. solutions to intrusive behavior - without consideration of how that behavior mutates, amplifies or accelerates in cyber domains.
• Humans – the blind spot in cybersecurity: “research focusing on people is vital if we have any real hope of coming to grips with the phenomena of computer crime (Rogers, Siegfried & Tidke, 2007)
• Threat Actors – Organized Crime Groups, State Sponsors, Terrorist Groups
6
Cybersecurity: Research Approach
• Cybersecurity: interdisciplinary efforts in a practical sense, and transdisciplinary theoretical perspectives in an exploratory context.
• Cyberpsychology: exemplification of how this inter disciplinary combination can be achieved: psychology and computer science
• Illuminating problem space: anthropological, ethnographic and sociological analyses of sophisticated cyber actors and networked groups
“the multi-disciplinary nature of cyber security attacks is important, attacks happen for different reasons, only some of which are technical, other reasons include, for example, socioeconomic issues” (Vishik, 2014)
• Methodological openness – hard metrics of computational sciences to qualitative interrogations of the social sciences.
7
Conceptualising Cyberspace
• Conceptualise technology in a new way - think about cyberspace as an environment, as a place, as cyberspace.
• Consider impact of this environment on vulnerable populations (such as developing youth) and on criminal, deviant or radical populations.
• Comprehend modus operandi in this space.
8
Developing Cyber Insight
• Cybercrime & Cybersecurity “governments attempt to respond with
law, corporations with policies and procedures, suppliers with terms and conditions, users with peer pressure, technologists with code”
(Kirwan & Power, 2012 )
• But where is the understanding of human behaviour
• How do we cyber-secure the human? • Answer = develop cyber insights
9
Cyber Security Threat Assessment
Cyber Security Threat Assessment : Human factors
– Anonymity and self-disclosure– Cyber immersion/presence – Self-presentation online– Pseudoparadoxical privacy– Escalation & amplification online– Dark tetrad of personality – Problematic Internet use
(impulse-control and conduct disorders )
10
Cyber Security Threat Typology
• Typology:
– Internet enabled threats such as fraud, – Internet specific threats include more recent crimes e.g. hacking
• “Locards exchange principle” every contact leaves a trace – this is also true online
• Needle and haystack – sensemaking differentiating human and machine trace evidence
• Current problems; hacking, malware production, identity theft, online fraud, child abuse material/solicitation, cyberstalking, IP theft/software piracy, botnets, data breaches, organised cybercrime, ransomware and extortion –
• Dynamic nature of the environment: important to consider future evolutions
11
Cyber Behavioral Profiling• Two assumptions that inform profiling
methodology (Allison & Kebbell, 2006)
• Consistency assumption (i.e. behaviour of a threat actor will remain reasonably consistent) – but as technology evolves: behaviour evolves – challenges the consistency assumption
• Homology assumption (offence style will reflect threat actor characteristics) – but given anonymity in cyber contexts can we be certain that characteristics will remain uniform? not only between real world and virtual world, but also from crime to crime, & platform to platform – particular importance regarding insider threat
12
All About Motive• Typical cyber criminal (Shinder, 2010)
– some degree of technical knowledge (ranging from ‘script kiddies’ who use others’ malicious code, to very talented hackers).
– Certain disregard for the law or rationalisations about why particular laws are invalid or should not apply to them, a certain tolerance for risk,
– ‘Control freak’ type nature - enjoyment in manipulating or ‘outsmarting’ others. – Motive (subject to nature of threat actor): monetary gain, emotion, political or religious beliefs, sexual impulses,
boredom or desire for ‘a little fun.
• Traditional/real world crime: not yet clear is whether cybercrime has the same associations or etiology – eg RAT Deep Web
• Cyberpsychological perspective: what are the behavioural, experiential, and developmental aspects of individual cyber actor motive
• Gap in knowledge: evolution of how individuals (with/without a criminal history) become incorporated into organised cybercrime.
• Critical: understanding of motive: transition from initial motive to sustaining motive, overlapping motives, and the prediction of evolving motives, along with an understanding of primary and secondary gains.
13
Theories of Crime
• Theories of crime– biological theories, – labelling theories, – geographical theories, – routine activity theory, – trait theories, – learning theories, – psychoanalytic theories, – addiction and arousal theories
• Application of theories to cybercrime – Are real world criminal and psychological theories applicable in virtual environments,
do we need to modify them, or develop new theories?
14
Cyber-securing the Future
• Increasing human immersion in cyber physical systems houses, cars, and smart cities – software can be compromised - not designed with cyber security
• Additional threat: security workforce shortage vs increased technology skills of criminal populations.
• Emboldened organised crime incentivising and recruiting criminal population• Crime-as-a-Service (CAAS) IOCTA 2014- Criminals are freely able to procure
services, rental of botnets, denial-of-service attacks, malware development, data theft, password cracking, to commit crimes
• Financial obscurity: Bitcoin, Dogecoin, Litecoin – evolving ways to launder • Distribution malware via social engineering infecting by perceived trusted sources. • Cyber propaganda increasing: gamed use of social media platforms for propoganda
and cyberterrorism
15
Cyber-securing the Future
• Psychological obsolescence: disruptive impact of technology on youth development - produces a cultural shift - leave present psychological, social and cultural norms behind, including respect for property rights, privacy, national security and authority.
• Prognosis for a generation inured by the consumption of illegally downloadable music, videos software and games - generation of ‘virtual shoplifters’
• Cyber criminal & threat actor sensemaking of Big Data: massive increase in data, very little analysed, Value of personally identifiable information is growing rapidly. Analytic gap represents opportunity
• More serious threats: environmental developmental effects - spending large amounts of time in deep web contexts, exposed to age-inappropriate sexual violent or radical content online
16
Cyber Security: Future Legacy
• Increase in mobile and wearable technologies - may not have the same level of security features as laptop or desktop devices.
• Given that mobile devices can now both store large amounts of sensitive information, as well as access cloud storage – state of Ubiquitous victimology
• Mobile devices present a growing challenge in cyber security. The numbers of devices is predicted to double in 5 years. security of software on mobile devices a concern, along with security issues in apps, many of these store usernames and passwords are vulnerable to man in the middle attacks (Maughan, 2014)
• Problems will likely be further exacerbated by ‘blurring of boundaries’ between corporate and private life – bring-your-own-device (BYOD) in corporate life.
• The IoT will present a variety of additional attack surfaces
17
Digital Deterrents & Digital Outreach • Key perspective: consider cyber space as an immersive, as opposed to transactional• Address the ‘minimisation and status of authority online’• Challenge for technology: create an impression that there are consequences - criminal use of
technologies • Develop digital deterrents and digital outreach protocols
– Investigation of the role of social and psychological issues in the lifespan development of an individual into cybercrime
– Exploration of the dynamic relationship between the real world and virtual world - cyber security pov.
– Methodologically ‘factoring the criminal’ or threat actor as a human into the digital forensic investigative process
– Development of a robust typology of those who present cybersecurity threats – Analysis of cybernetic crime evolution, structure and syndication– Forensic cyberpsychology risk assessment of ubiquitous victimology.
18
Cybermethodology
• Cyberpsychology : research visionunderstanding new norms of behaviour online
– org. & individual – user & threat actor
• Consolidate with - or differentiate from -existing real world behaviours,
• Cybermethodology: a theoretically profound, experimentally rigorous, developmentally longitudinal, and technically sophisticated research approach required
• Cooperation: academia, law enforcement and industry- all parties that have an interest in creating secure digital citizens and cyber societies
20
ReferencesAlison, L., & Kebbell, M. (2006). Offender profiling: Limits and potential. In M. Kebbell, & G. Davies (Eds.), Practical Psychology for Forensic Investigations and Prosecutions. Chichester: Wiley
IOCTA (2014) https://www.europol.europa.eu/content/internet-organised-crime-threat-assesment-iocta
Kirwan, G., & Power, A. (2012). The Psychology of Cyber Crime:nConcepts and Principles (p. 277). Information Science Reference, p.Xvii
Maughan, D. ( 2014). Belfast 2014: 4th World Cyber Security Technology Research Summit. (2014). In Centre for Secure Information Technologies,Queens University Belfast.
Rogers, M. K., Seigfried, K., & Tidke, K. (2006). Self-reported computer criminal behavior: A psychological analysis. Digital Investigation, 3, 116–120. doi:10.1016/j.diin.2006.06.002, p. S119
Shinder, D. (2010). Profiling and categorizing cybercriminals http://www.techrepublic.com/blog/it-security/profiling-and-categorizing-cybercriminals/
Slane, A. (2007). Democracy, social space, and the Internet. University of Toronto Law Journal, 57(1), 81–105. doi: 10.1353/tlj.2007.0003, p. 97
Vishik, C. (2014). Belfast 2014: 4th World Cyber Security Technology Research Summit. (2014). In Centre for Secure Information Technologies, Queens University Belfast.