Plugging the “Phishing” Hole: Legislation Versus Technology

This iBrief analyzes the Anti-Phishing Act of 2005, legislation aimed at curbing the problem of phishing. Phishing is the sending of fraudulent emails which appear to be from legitimate businesses and thereby fooling the recipients into divulging personal information such as credit card numbers. While this legislation may provide some assistance in the fight against phishing, it is limited by the global nature of the Internet and the ease with which phishers can hide and avoid judgments. This iBrief therefore concludes that although the Anti-Phishing Act can play a supporting role in the battle, technological solutions are the most effective means of reducing or eliminating phishing attacks

Plugging the “Phishing” Hole: Legislation Versus Technology

This iBrief analyzes the Anti-Phishing Act of 2005, legislation aimed at curbing the problem of phishing. Phishing is the sending of fraudulent emails which appear to be from legitimate businesses and thereby fooling the recipients into divulging personal information such as credit card numbers. While this legislation may provide some assistance in the fight against phishing, it is limited by the global nature of the Internet and the ease with which phishers can hide and avoid judgments. This iBrief therefore concludes that although the Anti-Phishing Act can play a supporting role in the battle, technological solutions are the most effective means of reducing or eliminating phishing attacks

Cyber-crime Science = Crime Science + Information Security

Cyber-crime Science is an emerging area of study aiming to prevent cyber-crime by combining security protection techniques from Information Security with empirical research methods used in Crime Science. Information security research has developed techniques for protecting the confidentiality, integrity, and availability of information assets but is less strong on the empirical study of the effectiveness of these techniques. Crime Science studies the effect of crime prevention techniques empirically in the real world, and proposes improvements to these techniques based on this. Combining both approaches, Cyber-crime Science transfers and further develops Information Security techniques to prevent cyber-crime, and empirically studies the effectiveness of these techniques in the real world. In this paper we review the main contributions of Crime Science as of today, illustrate its application to a typical Information Security problem, namely phishing, explore the interdisciplinary structure of Cyber-crime Science, and present an agenda for research in Cyber-crime Science in the form of a set of suggested research questions

Moving from a "human-as-problem" to a "human-as-solution" cybersecurity mindset

Cybersecurity has gained prominence, with a number of widely publicised security incidents, hacking attacks and data breaches reaching the news over the last few years. The escalation in the numbers of cyber incidents shows no sign of abating, and it seems appropriate to take a look at the way cybersecurity is conceptualised and to consider whether there is a need for a mindset change.To consider this question, we applied a "problematization" approach to assess current conceptualisations of the cybersecurity problem by government, industry and hackers. Our analysis revealed that individual human actors, in a variety of roles, are generally considered to be "a problem". We also discovered that deployed solutions primarily focus on preventing adverse events by building resistance: i.e. implementing new security layers and policies that control humans and constrain their problematic behaviours. In essence, this treats all humans in the system as if they might well be malicious actors, and the solutions are designed to prevent their ill-advised behaviours. Given the continuing incidences of data breaches and successful hacks, it seems wise to rethink the status quo approach, which we refer to as "Cybersecurity, Currently". In particular, we suggest that there is a need to reconsider the core assumptions and characterisations of the well-intentioned human's role in the cybersecurity socio-technical system. Treating everyone as a problem does not seem to work, given the current cyber security landscape.Benefiting from research in other fields, we propose a new mindset i.e. "Cybersecurity, Differently". This approach rests on recognition of the fact that the problem is actually the high complexity, interconnectedness and emergent qualities of socio-technical systems. The "differently" mindset acknowledges the well-intentioned human's ability to be an important contributor to organisational cybersecurity, as well as their potential to be "part of the solution" rather than "the problem". In essence, this new approach initially treats all humans in the system as if they are well-intentioned. The focus is on enhancing factors that contribute to positive outcomes and resilience. We conclude by proposing a set of key principles and, with the help of a prototypical fictional organisation, consider how this mindset could enhance and improve cybersecurity across the socio-technical system