“Cyber-securing the Human” CSIT 2015 Mary Aiken: Director RCSI CyberPsychology Research Centre

Jan 20, 2016

Transcript
Page 1: “Cyber-securing the Human” CSIT 2015 Mary Aiken: Director RCSI CyberPsychology Research Centre

Page 2: The Virtual World & Real World

“Claims for the independence of cyberspace…are based on a false dichotomy…physical and virtual are not opposed; rather the virtual complicates the physical, and vice versa” (Slane, 2007)

Page 3: The Weakest Link…

‘It’s time to really consider the awkward entity whose thumbs are too big for cell phone keypads, bodies are clumsily shaped for wearable technology-design, memory is too weak to retain multiple 10-digit passwords - the “thing” that the cyber-security guys call “the weakest link in any secure system.” In other words, it’s time to factor in the human.’ (Aiken, 2015 - in press)

Page 4: Insight at the Human/Technology Interface

(Diagram: HUMAN / CYBER PSYCHOLOGY / TECHNOLOGY. Terms shown around the interface, in the order they appear on the slide:)

Privacy, Dignity, Self-Endangerment, Needs, Habits & Emotions, Identity, Harassment, Anonymity, Welfare & Rights, Development, Creativity, Resilience, Skills, Education, Environment

Big Data, Policy, Governance, IOT, Cyber Law, Artificial Intelligence, Content, Industry, Mobile, Tools, Safety, Security, Risk, Algorithms, Authentication/age verification, Privacy, Fragmentation, Biometrics

Page 5: Cybersecurity: Blind spot

• Critical task: build a body of established findings of how human beings experience technology

• Efforts have focused on tech. solutions to intrusive behavior - without consideration of how that behavior mutates, amplifies or accelerates in cyber domains.

• Humans – the blind spot in cybersecurity: “research focusing on people is vital if we have any real hope of coming to grips with the phenomena of computer crime” (Rogers, Siegfried & Tidke, 2007)

• Threat Actors – Organized Crime Groups, State Sponsors, Terrorist Groups

Page 6: Cybersecurity: Research Approach

• Cybersecurity: interdisciplinary efforts in a practical sense, and transdisciplinary theoretical perspectives in an exploratory context.

• Cyberpsychology: exemplification of how this interdisciplinary combination can be achieved: psychology and computer science

• Illuminating the problem space: anthropological, ethnographic and sociological analyses of sophisticated cyber actors and networked groups

“the multi-disciplinary nature of cyber security attacks is important, attacks happen for different reasons, only some of which are technical, other reasons include, for example, socioeconomic issues” (Vishik, 2014)

• Methodological openness – from the hard metrics of the computational sciences to the qualitative interrogations of the social sciences.

Page 7: Conceptualising Cyberspace

• Conceptualise technology in a new way - think about cyberspace as an environment, as a place, as cyberspace.

• Consider the impact of this environment on vulnerable populations (such as developing youth) and on criminal, deviant or radical populations.

• Comprehend modus operandi in this space.

Page 8: Developing Cyber Insight

• Cybercrime & Cybersecurity: “governments attempt to respond with law, corporations with policies and procedures, suppliers with terms and conditions, users with peer pressure, technologists with code” (Kirwan & Power, 2012)

• But where is the understanding of human behaviour?

• How do we cyber-secure the human?

• Answer = develop cyber insights

Page 9: Cyber Security Threat Assessment

Cyber Security Threat Assessment: Human factors

– Anonymity and self-disclosure
– Cyber immersion/presence
– Self-presentation online
– Pseudoparadoxical privacy
– Escalation & amplification online
– Dark tetrad of personality
– Problematic Internet use (impulse-control and conduct disorders)

Page 10: Cyber Security Threat Typology

• Typology:

– Internet-enabled threats such as fraud
– Internet-specific threats, including more recent crimes, e.g. hacking

• “Locard’s exchange principle”: every contact leaves a trace – this is also true online

• Needle and haystack – sensemaking: differentiating human and machine trace evidence

• Current problems: hacking, malware production, identity theft, online fraud, child abuse material/solicitation, cyberstalking, IP theft/software piracy, botnets, data breaches, organised cybercrime, ransomware and extortion

• Dynamic nature of the environment: important to consider future evolutions

Page 11: Cyber Behavioral Profiling

• Two assumptions that inform profiling methodology (Allison & Kebbell, 2006)

• Consistency assumption (i.e. the behaviour of a threat actor will remain reasonably consistent) – but as technology evolves, behaviour evolves – this challenges the consistency assumption

• Homology assumption (offence style will reflect threat actor characteristics) – but given anonymity in cyber contexts, can we be certain that characteristics will remain uniform? Not only between real world and virtual world, but also from crime to crime, and platform to platform – of particular importance regarding insider threat

Page 12: All About Motive

• Typical cyber criminal (Shinder, 2010)

– Some degree of technical knowledge (ranging from ‘script kiddies’ who use others’ malicious code, to very talented hackers).
– A certain disregard for the law or rationalisations about why particular laws are invalid or should not apply to them; a certain tolerance for risk.
– ‘Control freak’ type nature - enjoyment in manipulating or ‘outsmarting’ others.
– Motive (subject to the nature of the threat actor): monetary gain, emotion, political or religious beliefs, sexual impulses, boredom or desire for ‘a little fun’.

• Traditional/real world crime: not yet clear is whether cybercrime has the same associations or etiology – e.g. RAT, Deep Web

• Cyberpsychological perspective: what are the behavioural, experiential, and developmental aspects of individual cyber actor motive?

• Gap in knowledge: the evolution of how individuals (with/without a criminal history) become incorporated into organised cybercrime.

• Critical: understanding of motive: the transition from initial motive to sustaining motive, overlapping motives, and the prediction of evolving motives, along with an understanding of primary and secondary gains.

Page 13: Theories of Crime

• Theories of crime
– biological theories
– labelling theories
– geographical theories
– routine activity theory
– trait theories
– learning theories
– psychoanalytic theories
– addiction and arousal theories

• Application of theories to cybercrime – Are real world criminal and psychological theories applicable in virtual environments, do we need to modify them, or develop new theories?

Page 14: Cyber-securing the Future

• Increasing human immersion in cyber-physical systems: houses, cars, and smart cities – software can be compromised - not designed with cyber security in mind

• Additional threat: security workforce shortage vs increased technology skills of criminal populations.

• Emboldened organised crime incentivising and recruiting the criminal population

• Crime-as-a-Service (CAAS), IOCTA 2014 - Criminals are freely able to procure services, rental of botnets, denial-of-service attacks, malware development, data theft, password cracking, to commit crimes

• Financial obscurity: Bitcoin, Dogecoin, Litecoin – evolving ways to launder

• Distribution of malware via social engineering, infecting via perceived trusted sources.

• Cyber propaganda increasing: gamed use of social media platforms for propaganda and cyberterrorism

Page 15: Cyber-securing the Future

• Psychological obsolescence: the disruptive impact of technology on youth development - produces a cultural shift - leaves present psychological, social and cultural norms behind, including respect for property rights, privacy, national security and authority.

• Prognosis for a generation inured by the consumption of illegally downloadable music, videos, software and games - a generation of ‘virtual shoplifters’

• Cyber criminal & threat actor sensemaking of Big Data: massive increase in data, very little analysed. The value of personally identifiable information is growing rapidly. The analytic gap represents opportunity

• More serious threats: environmental developmental effects - spending large amounts of time in deep web contexts, exposed to age-inappropriate sexual, violent or radical content online

Page 16: Cyber Security: Future Legacy

• Increase in mobile and wearable technologies - may not have the same level of security features as laptop or desktop devices.

• Given that mobile devices can now both store large amounts of sensitive information and access cloud storage – a state of ubiquitous victimology

• Mobile devices present a growing challenge in cyber security. The number of devices is predicted to double in 5 years. The security of software on mobile devices is a concern, along with security issues in apps; many of these store usernames and passwords and are vulnerable to man-in-the-middle attacks (Maughan, 2014)

• Problems will likely be further exacerbated by the ‘blurring of boundaries’ between corporate and private life – bring-your-own-device (BYOD) in corporate life.

• The IoT will present a variety of additional attack surfaces

Page 17: Digital Deterrents & Digital Outreach

• Key perspective: consider cyber space as immersive, as opposed to transactional

• Address the ‘minimisation and status of authority online’

• Challenge for technology: create an impression that there are consequences for criminal use of technologies

• Develop digital deterrents and digital outreach protocols

– Investigation of the role of social and psychological issues in the lifespan development of an individual into cybercrime
– Exploration of the dynamic relationship between the real world and virtual world - cyber security pov.
– Methodologically ‘factoring the criminal’ or threat actor as a human into the digital forensic investigative process
– Development of a robust typology of those who present cybersecurity threats
– Analysis of cybernetic crime evolution, structure and syndication
– Forensic cyberpsychology risk assessment of ubiquitous victimology.

Page 18: Cybermethodology

• Cyberpsychology: research vision: understanding new norms of behaviour online

– org. & individual – user & threat actor

• Consolidate with - or differentiate from - existing real world behaviours

• Cybermethodology: a theoretically profound, experimentally rigorous, developmentally longitudinal, and technically sophisticated research approach is required

• Cooperation: academia, law enforcement and industry - all parties that have an interest in creating secure digital citizens and cyber societies

Page 19: CSI Cyber Trailer

Page 20: References

Alison, L., & Kebbell, M. (2006). Offender profiling: Limits and potential. In M. Kebbell, & G. Davies (Eds.), Practical Psychology for Forensic Investigations and Prosecutions. Chichester: Wiley.

IOCTA (2014). https://www.europol.europa.eu/content/internet-organised-crime-threat-assesment-iocta

Kirwan, G., & Power, A. (2012). The Psychology of Cyber Crime: Concepts and Principles (p. 277). Information Science Reference, p. xvii.

Maughan, D. (2014). Belfast 2014: 4th World Cyber Security Technology Research Summit. Centre for Secure Information Technologies, Queen's University Belfast.

Rogers, M. K., Seigfried, K., & Tidke, K. (2006). Self-reported computer criminal behavior: A psychological analysis. Digital Investigation, 3, 116–120. doi:10.1016/j.diin.2006.06.002, p. S119.

Shinder, D. (2010). Profiling and categorizing cybercriminals. http://www.techrepublic.com/blog/it-security/profiling-and-categorizing-cybercriminals/

Slane, A. (2007). Democracy, social space, and the Internet. University of Toronto Law Journal, 57(1), 81–105. doi:10.1353/tlj.2007.0003, p. 97.

Vishik, C. (2014). Belfast 2014: 4th World Cyber Security Technology Research Summit. Centre for Secure Information Technologies, Queen's University Belfast.