“Cyber-securing the Human” CSIT 2015 Mary Aiken: Director RCSI CyberPsychology Research Centre

2 “Claims for the independence of cyberspace…are based on a false dichotomy…physical and virtual are not opposed; rather the virtual complicates the physical, and vice versa” (Slane, 2007) The Virtual World & Real World

3 The Weakest Link… ‘It’s time to really consider the awkward entity whose thumbs are too big for cell phone keypads, bodies are clumsily shaped for wearable technology-design, memory is too weak to retain multiple 10-digit passwords - the “thing” that the cyber-security guys call ‘”the weakest link in any secure system.” In other words, it’s time to factor in the human.’ (Aiken, in press)

4 Insight at the Human/Technology Interface HUMAN TECHNOLOGY Privacy Dignity Self-Endangerment Needs, Habits & Emotions Privacy Dignity Self-Endangerment Needs, Habits & Emotions Identity Harassment Anonymity Welfare & Rights Development Creativity Resilience Skills Education Environment Education Environment Big Data Policy Governance IOT Cyber Law Artificial Intelligence Content Industry Mobile Tools Safety Security Risk Algorithms Authentication/age verification Privacy Fragmentation Biometrics Big Data Policy Governance IOT Cyber Law Artificial Intelligence Content Industry Mobile Tools Safety Security Risk Algorithms Authentication/age verification Privacy Fragmentation Biometrics

5 Cybersecurity: Blind spot Critical task: build body of established findings of how human beings experience technology Efforts have focused on tech. solutions to intrusive behavior - without consideration of how that behavior mutates, amplifies or accelerates in cyber domains. Humans – the blind spot in cybersecurity: “research focusing on people is vital if we have any real hope of coming to grips with the phenomena of computer crime (Rogers, Siegfried & Tidke, 2007) Threat Actors – Organized Crime Groups, State Sponsors, Terrorist Groups

6 Cybersecurity: Research Approach Cybersecurity: interdisciplinary efforts in a practical sense, and transdisciplinary theoretical perspectives in an exploratory context. Cyberpsychology: exemplification of how this inter disciplinary combination can be achieved: psychology and computer science Illuminating problem space: anthropological, ethnographic and sociological analyses of sophisticated cyber actors and networked groups “the multi-disciplinary nature of cyber security attacks is important, attacks happen for different reasons, only some of which are technical, other reasons include, for example, socioeconomic issues” (Vishik, 2014) Methodological openness – hard metrics of computational sciences to qualitative interrogations of the social sciences.

7 Conceptualising Cyberspace Conceptualise technology in a new way - think about cyberspace as an environment, as a place, as cyberspace. Consider impact of this environment on vulnerable populations (such as developing youth) and on criminal, deviant or radical populations. Comprehend modus operandi in this space.

8 Developing Cyber Insight Cybercrime & Cybersecurity “governments attempt to respond with law, corporations with policies and procedures, suppliers with terms and conditions, users with peer pressure, technologists with code” (Kirwan & Power, 2012 ) But where is the understanding of human behaviour How do we cyber-secure the human ? Answer = develop cyber insights

9 Cyber Security Threat Assessment Cyber Security Threat Assessment : Human factors –Anonymity and self-disclosure –Cyber immersion/presence –Self-presentation online –Pseudoparadoxical privacy –Escalation & amplification online –Dark tetrad of personality –Problematic Internet use (impulse-control and conduct disorders )

10 Cyber Security Threat Typology Typology: –Internet enabled threats such as fraud, –Internet specific threats include more recent crimes e.g. hacking “Locards exchange principle” every contact leaves a trace – this is also true online Needle and haystack – sensemaking differentiating human and machine trace evidence Current problems; hacking, malware production, identity theft, online fraud, child abuse material/solicitation, cyberstalking, IP theft/software piracy, botnets, data breaches, organised cybercrime, ransomware and extortion – Dynamic nature of the environment: important to consider future evolutions

11 Cyber Behavioral Profiling Two assumptions that inform profiling methodology (Allison & Kebbell, 2006) Consistency assumption (i.e. behaviour of a threat actor will remain reasonably consistent) – but as technology evolves: behaviour evolves – challenges the consistency assumption Homology assumption (offence style will reflect threat actor characteristics) – but given anonymity in cyber contexts can we be certain that characteristics will remain uniform? not only between real world and virtual world, but also from crime to crime, & platform to platform – particular importance regarding insider threat

12 All About Motive Typical cyber criminal (Shinder, 2010) –some degree of technical knowledge (ranging from ‘script kiddies’ who use others’ malicious code, to very talented hackers). –Certain disregard for the law or rationalisations about why particular laws are invalid or should not apply to them, a certain tolerance for risk, –‘Control freak’ type nature - enjoyment in manipulating or ‘outsmarting’ others. –Motive (subject to nature of threat actor): monetary gain, emotion, political or religious beliefs, sexual impulses, boredom or desire for ‘a little fun. Traditional/real world crime: not yet clear is whether cybercrime has the same associations or etiology – eg RAT Deep Web Cyberpsychological perspective: what are the behavioural, experiential, and developmental aspects of individual cyber actor motive Gap in knowledge: evolution of how individuals (with/without a criminal history) become incorporated into organised cybercrime. Critical: understanding of motive: transition from initial motive to sustaining motive, overlapping motives, and the prediction of evolving motives, along with an understanding of primary and secondary gains.

13 Theories of Crime Theories of crime –biological theories, –labelling theories, –geographical theories, –routine activity theory, –trait theories, –learning theories, –psychoanalytic theories, –addiction and arousal theories Application of theories to cybercrime –Are real world criminal and psychological theories applicable in virtual environments, do we need to modify them, or develop new theories?

14 Cyber-securing the Future Increasing human immersion in cyber physical systems houses, cars, and smart cities – software can be compromised - not designed with cyber security Additional threat: security workforce shortage vs increased technology skills of criminal populations. Emboldened organised crime incentivising and recruiting criminal population Crime-as-a-Service (CAAS) IOCTA Criminals are freely able to procure services, rental of botnets, denial-of-service attacks, malware development, data theft, password cracking, to commit crimes Financial obscurity: Bitcoin, Dogecoin, Litecoin – evolving ways to launder Distribution malware via social engineering infecting by perceived trusted sources. Cyber propaganda increasing: gamed use of social media platforms for propoganda and cyberterrorism

15 Cyber-securing the Future Psychological obsolescence: disruptive impact of technology on youth development - produces a cultural shift - leave present psychological, social and cultural norms behind, including respect for property rights, privacy, national security and authority. Prognosis for a generation inured by the consumption of illegally downloadable music, videos software and games - generation of ‘virtual shoplifters’ Cyber criminal & threat actor sensemaking of Big Data: massive increase in data, very little analysed, Value of personally identifiable information is growing rapidly. Analytic gap represents opportunity More serious threats: environmental developmental effects - spending large amounts of time in deep web contexts, exposed to age-inappropriate sexual violent or radical content online

16 Cyber Security: Future Legacy Cyber Security: Future Legacy Increase in mobile and wearable technologies - may not have the same level of security features as laptop or desktop devices. Given that mobile devices can now both store large amounts of sensitive information, as well as access cloud storage – state of Ubiquitous victimology Mobile devices present a growing challenge in cyber security. The numbers of devices is predicted to double in 5 years. security of software on mobile devices a concern, along with security issues in apps, many of these store usernames and passwords are vulnerable to man in the middle attacks (Maughan, 2014) Problems will likely be further exacerbated by ‘blurring of boundaries’ between corporate and private life – bring-your-own-device (BYOD) in corporate life. The IoT will present a variety of additional attack surfaces

17 Digital Deterrents & Digital Outreach Key perspective: consider cyber space as an immersive, as opposed to transactional Address the ‘minimisation and status of authority online’ Challenge for technology: create an impression that there are consequences - criminal use of technologies Develop digital deterrents and digital outreach protocols –Investigation of the role of social and psychological issues in the lifespan development of an individual into cybercrime –Exploration of the dynamic relationship between the real world and virtual world - cyber security pov. –Methodologically ‘factoring the criminal’ or threat actor as a human into the digital forensic investigative process –Development of a robust typology of those who present cybersecurity threats –Analysis of cybernetic crime evolution, structure and syndication –Forensic cyberpsychology risk assessment of ubiquitous victimology.

18 Cybermethodology Cyberpsychology : research vision understanding new norms of behaviour online –org. & individual –user & threat actor Consolidate with - or differentiate from - existing real world behaviours, Cybermethodology: a theoretically profound, experimentally rigorous, developmentally longitudinal, and technically sophisticated research approach required Cooperation: academia, law enforcement and industry- all parties that have an interest in creating secure digital citizens and cyber societies

19 CSI Cyber Trailer

20 References Alison, L., & Kebbell, M. (2006). Offender profiling: Limits and potential. In M. Kebbell, & G. Davies (Eds.), Practical Psychology for Forensic Investigations and Prosecutions. Chichester: Wiley IOCTA (2014) Kirwan, G., & Power, A. (2012). The Psychology of Cyber Crime:nConcepts and Principles (p. 277). Information Science Reference, p.Xvii Maughan, D. ( 2014). Belfast 2014: 4th World Cyber Security Technology Research Summit. (2014). In Centre for Secure Information Technologies,Queens University Belfast. Rogers, M. K., Seigfried, K., & Tidke, K. (2006). Self-reported computer criminal behavior: A psychological analysis. Digital Investigation, 3, 116–120. doi: /j.diin , p. S119 Shinder, D. (2010). Profiling and categorizing cybercriminals Slane, A. (2007). Democracy, social space, and the Internet. University of Toronto Law Journal, 57(1), 81–105. doi: /tlj , p. 97 Vishik, C. (2014). Belfast 2014: 4th World Cyber Security Technology Research Summit. (2014). In Centre for Secure Information Technologies, Queens University Belfast.