
    Systemic Risk Analysis of Human Factors in Phishing

    The scope of this study is the systemic risk arising from the role of humans in phishing. Its relevance to engineering managers and systems engineers lies in the theft of data through phishing attacks, which has increased significantly in the past couple of years. Phishing has become a systemic, persistent threat to all internet users. Understanding the role of humans in phishing from a systemic perspective is a critical objective in creating a strong defense against complex and manipulative phishing attacks. The systemic view of phishing concentrates on how phishing affects the entire organizational system, not just parts or individual components of a system. This study addresses that systemic view, focusing on how the entire organizational system performs and on the purposeful tasks and goals that minimize phishing. This study uses a grounded theory approach to the following questions. First, how can the interaction between the human and the phishing lure be adjusted to mitigate the risk of phishing (i.e., from a systemic perspective)? Second, how can developing a systematic method help mitigate the risk of phishing by reducing the likelihood of a successful attack? Given the advanced persistent threat of phishing, this study anticipates assisting organizations in measuring how proficiently they presently handle the risk of phishing and in suggesting how they can increase their proficiency and mitigate that risk.

    Development of a Social Engineering eXposure Index (SEXI) using Open-Source Personal Information

    Millions of people willingly expose their lives via Internet technologies every day, and even the very few who refrain from using the Internet find themselves exposed through data breaches. Billions of private information records are exposed through the Internet. Marketers gather personal preferences to influence shopping behavior. Providers gather personal information to deliver enhanced services, and underground hacker networks contain repositories of immense data sets. Few users of Internet technologies have considered where their information is going or who has access to it. Even fewer are aware of how decisions made in their own lives expose significant pieces of information, which can be used by cyber hackers to harm the very organizations with whom they are affiliated. While this threat can affect any person holding any position at an organization, upper management poses a significantly higher risk due to their level of access to the critical data and finances targeted by cybercrime. The goal of this research was to develop and validate a Social Engineering eXposure Index (SEXI)™ using Open-Source Personal Information (OSPI) to assist in identifying and classifying social engineering vulnerabilities. This study combined an expert panel using the Delphi method, developmental research, and quantitative data collection. The expert panel categorized and assessed information privacy components into three identifiability groups, subsequently used to develop an algorithm that formed the basis for a SEXI. Validation of the algorithm used open-source personal information found on the Internet for 50 executives of Fortune 500 organizations and 50 Hollywood celebrities. The exposure of each executive and persona was quantified, and the collected data were evaluated, analyzed, and presented in an anonymous aggregated form. Phase 1 of this study developed and evaluated the SEXI benchmarking instrument via an expert panel using the Delphi expert methodology. During the first round, 3,531 data points were collected, 1,530 of them concerning the demographics, qualifications, experience, and working environments of the panel members and 2,001 attributing levels of exposure to personal information. The second Delphi round presented the panel members with the feedback of the first round, tasking them with categorizing personal information and resulting in 1,816 data points. Phase 2 of this study used the composition, weights, and categories of personal information from Phase 1 in the development of a preliminary SEXI benchmarking instrument comprised of 105 personal information items. Simulated data were used to validate the instrument prior to the data collection. Before initiating Phase 3, the preliminary SEXI benchmarking instrument was fully tested to verify the accuracy of recorded data. Phase 3 began with discovering, evaluating, and validating repositories of publicly available data sources of personal information. Approximately two dozen sources were used to collect 11,800 data points with the SEXI benchmarking index. Upon completion of Phase 3, data analysis of the Fortune 500 executives and Hollywood personas was used to validate the SEXI benchmarking index. Data analysis was conducted in Phase 3 by one-way Analysis of Variance (ANOVA). The results of the ANOVA data analysis from Phase 3 revealed that age, gender, marital status, and military/police experience were not significant in showing SEXI differences. Income, estimated worth, industry, organization position, and philanthropic contributions, by contrast, were significant in showing SEXI differences. The most significant differences in SEXI in this research study were found with writers and chief information officers. A t-test was performed to compare the Fortune 500 executives and the Hollywood personas. The results of the t-test data analysis showed a significant difference between the two groups, in that Hollywood personas had a higher SEXI than the Fortune 500 executives, suggesting increased exposure due to OSPI. The results of this research study established, categorized, and validated a quantifiable measurement of personal information. Moreover, the results validated that the SEXI benchmarking index could be used to assess an individual's exposure to social engineering due to publicly available personal information. As organizations and public figures rely on Internet technologies, understanding the level of personal information exposure is critical in protecting against social engineering attacks. Furthermore, assessing personal information exposure could give an organization insight into exposed personal information, facilitating further mitigation of threats or potential social engineering attack vectors. Discussion and implications for future research are provided.

    A Relevance Model for Threat-Centric Ranking of Cybersecurity Vulnerabilities

    The relentless and often haphazard process of tracking and remediating vulnerabilities is a top concern for cybersecurity professionals. The key challenge they face is identifying a remediation scheme specific to in-house, organizational objectives. Without a strategy, the result is a patchwork of fixes applied to a tide of vulnerabilities, any one of which could be the single point of failure in an otherwise formidable defense. This means one of the biggest challenges in vulnerability management relates to prioritization. Given that so few vulnerabilities are the focus of real-world attacks, a practical remediation strategy is to identify the vulnerabilities likely to be exploited and focus efforts on remediating those first. The goal of this research is to demonstrate that aggregating and synthesizing readily accessible, public data sources to provide personalized, automated recommendations that an organization can use to prioritize its vulnerability management strategy offers significant improvements over what is currently realized using the Common Vulnerability Scoring System (CVSS). We provide a framework for vulnerability management specifically focused on mitigating threats using adversary criteria derived from MITRE ATT&CK. We identify the data mining steps needed to acquire, standardize, and integrate publicly available cyber intelligence data sets into a robust knowledge graph from which stakeholders can infer business logic related to known threats. We tested our approach by identifying vulnerabilities in academic and common software associated with six universities and four government facilities. Ranking policy performance was measured using the Normalized Discounted Cumulative Gain (nDCG). Our results show an average 71.5% to 91.3% improvement in the identification of vulnerabilities likely to be targeted and exploited by cyber threat actors. The ROI of patching using our policies resulted in savings in the range of 23.3% to 25.5% in annualized unit costs. Our results demonstrate the efficiency of creating knowledge graphs to link large data sets, facilitate semantic queries, and create data-driven, flexible ranking policies. Additionally, our framework uses only open standards, making implementation and improvement feasible for cyber practitioners and academia.

    Determining Small Business Cybersecurity Strategies to Prevent Data Breaches

    Cybercrime is one of the quickest growing areas of criminality. Criminals abuse the speed, accessibility, and privacy of the Internet to commit diverse crimes involving data and identity theft that cause severe damage to victims worldwide. Many small businesses do not have the financial and technological means to protect their systems from cyberattack, making them vulnerable to data breaches. This exploratory multiple case study, grounded in systems thinking theory and routine activities theory, investigated the cybersecurity strategies used by 5 small business leaders in Middlesex County, Massachusetts. The data collection process involved open-ended online questionnaires, semistructured face-to-face interviews, and review of company documents. Based on methodological triangulation of the data sources and inductive analysis, 3 emergent themes were identified: policy, training, and technology. Key findings include having a specific goal and tactical approach when creating small business cybersecurity strategies and arming employees with cybersecurity training to increase their awareness of security compliance. Recommendations include small business use of cloud computing to remove the burden of protecting data on their own, thus making it unnecessary to house corporate servers. The study has implications for positive social change because small business leaders may apply the findings to decrease the leakage of personal information resulting from data breaches, which affects the livelihood of individuals or companies if their data are disclosed.

    Preparedness against cybersecurity threats: A study of SMEs in the Nordic region

    Along with the advantages and opportunities of technological solutions, new threats have arisen in the form of cyber threats. The importance of cybersecurity has grown and, contrary to common misconceptions, this research indicates that even SMEs are likely to encounter cyber risks, with consequences that might include significant monetary losses. Nevertheless, according to previous research and the empirical findings, the level of cybersecurity in SMEs seems to be generally rather low. Therefore, this research examined why the level of cybersecurity varies in Nordic SMEs and how it could be improved. The theoretical framework concentrated on operational risk management, cyber risk management, and the challenges that SMEs encounter regarding cybersecurity. These theories were later used in the analysis, applying the theoretical framework to the context of SMEs with the help of the empirical findings. The research was conducted qualitatively through semi-structured interviews with six industry experts. The empirical findings show that it is rather common nowadays for SMEs also to encounter cyberattacks, due to, e.g., automation, the simplicity of cyberattacks, and the fact that SMEs are often easier targets. In addition, the study's results showed three categories of cyberattacks most common for SMEs: extortion attacks, attacks that aim to steal sensitive data, and attacks that exploit the target company's IT resources. The study's results also indicated that the most common reasons why SMEs might not have prepared for cyberattacks include a lack of awareness, limited financial and human resources, and a lack of cybersecurity governance. Moreover, the study's results offered different normative suggestions on how to improve the level of cybersecurity in Nordic SMEs. Strategic and operational level suggestions followed the theoretical framework by adapting the different phases of cyber risk management to the context of SMEs. The technical level suggestions, on the other hand, presented more practical tools for improving the level of cybersecurity in Nordic SMEs. These results were used to apply the existing theories of cyber risk management to the context of SMEs, which represents the theoretical contribution of the research. In addition, the results regarding the threats these Nordic SMEs might encounter and how they could improve their cybersecurity can be regarded as the practical contribution of this research.
    Along with technology and the benefits and opportunities it brings, companies have also encountered new threats. Because of cyber threats, the importance of cybersecurity has grown, and this study shows that, contrary to common misconceptions, SMEs too are very likely to become targets of cyberattacks, and the consequences may lead to even significant financial losses. Nevertheless, the results of this study and earlier research on the topic indicate that the level of cybersecurity in SMEs is in general relatively low. For this reason, the subject of this study is to examine the reasons for the variation in cybersecurity levels in Nordic SMEs and the possibilities for improving the level of cybersecurity in SMEs. The theoretical framework used in the study consists of theories of operational risk management and cyber risk management. In addition, the theoretical framework includes findings from the existing literature on the kinds of challenges SMEs face regarding cybersecurity. This theoretical framework has also been used in the analysis of the research findings. Through the analysis of the findings, the theoretical framework has been adapted to fit the context of SMEs. The study was carried out using a qualitative method, and the data were collected by conducting six semi-structured interviews with cybersecurity industry experts. The findings show that it is relatively common for SMEs too to face cyberattacks. Reasons for this phenomenon included, for example, the automation of attacks, the ease of attacks, and the fact that SMEs are often easy targets for attackers. In addition, the findings indicated three categories of cyberattacks that SMEs might face: extortion attacks, attacks that aim to steal sensitive data, and attacks that aim to exploit the target's IT resources. The findings also showed that the cybersecurity of SMEs may be at a weak level if awareness is not at a sufficient level. Furthermore, according to the findings, factors such as limited financial and human resources and the lack of assigned responsibility for and governance of cybersecurity may contribute to a low level of preparedness. Finally, the findings produced various suggestions on how the cybersecurity of Nordic SMEs could be improved.

    Human factor security: evaluating the cybersecurity capacity of the industrial workforce

    Purpose: As cyber-attacks continue to grow, organisations adopting the internet-of-things (IoT) have continued to react to security concerns that threaten their businesses within the current highly competitive environment. Many recorded industrial cyber-attacks have successfully beaten technical security solutions by exploiting human-factor vulnerabilities related to security knowledge and skills and manipulating human elements into inadvertently conveying access to critical industrial assets. Knowledge and skill capabilities contribute to human analytical proficiencies for enhanced cybersecurity readiness. Thus, a human-factored security endeavour is required to investigate the capabilities of the human constituents (workforce) to appropriately recognise and respond to cyber intrusion events within the industrial control system (ICS) environment.
    Design/methodology/approach: A quantitative approach (statistical analysis) is adopted to quantify the potential cybersecurity capability aptitudes of industrial human actors, identify the least security-capable workforce in the operational domain with the greatest susceptibility to cyber-attacks (i.e. the weakest link), and guide the enhancement of security assurance. To support these objectives, a Human-factored Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques.
    Findings: Using a test scenario, the approach demonstrates the capacity to offer an efficient evaluation of workforce security knowledge and skills capabilities and the identification of the weakest link in the workforce.
    Practical implications: The approach can enable organisations to gain better workforce security perspectives such as security-consciousness, alertness and response aptitudes, thus guiding organisations into adopting strategic means of appropriating security remediation outlines, scopes and resources without undue waste or redundancy.
    Originality/value: This paper demonstrates originality by providing a framework and computational approach for characterising and quantifying human-factor security capabilities based on security knowledge and security skills. It also supports the identification of potential security weakest links amongst an evaluated industrial workforce (human agents), some key security susceptibility areas and relevant control interventions. The model and validation results demonstrate the application of action research. The paper further demonstrates originality by illustrating how action research can be applied within socio-technical dimensions to solve recurrent and dynamic problems related to industrial environment cyber security improvement. It provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills can help resolve cyber security response and control uncertainties within industrial organisations.

    TECHNOLOGY THREAT AVOIDANCE FACTORS AS PREDICTORS OF RISKY CYBERSECURITY BEHAVIOR WITHIN THE ENTERPRISE

    Recent research on information technology (IT) end-user cybersecurity-related risky behaviors has focused on items such as IT user decision-making, impulsiveness, and internet use as predictors of human cyber vulnerability. Theories which guide user behavioral intent, such as protection motivation theory (PMT, introduced by Rogers, 1975) and technology threat avoidance theory (TTAT, introduced by Liang and Xue, 2009), have not been widely investigated as antecedents of risky cybersecurity behavior (RScB). This dissertation describes exploratory research that analyzed and evaluated PMT/TTAT factors as predictors of RScB by enterprise IT users. This work uniquely contributes to the literature by investigating associations between accepted behavioral motivation models and RScB. The findings are intended to provide human resource development (HRD) practitioners and researchers with innovative techniques to identify factors which may compel enterprise IT users to avoid risky cybersecurity behaviors in the workplace. Findings, based on survey responses by 184 working professionals in the United States, were largely consistent with previous TTAT-focused works. New insights arose regarding the predictive impact of perceived cost as a predictor of RScB (p = .003) with small-to-medium effect sizes. Predictability was further leveraged using discriminant analysis to predict RScB category membership derived from k-means clustering. Significant outcomes were noted with practical utility. An overarching goal of this study was to more fully inform the HRD community of scholar-practitioners of the urgent need to design, deliver, implement, and evaluate initiatives that could be utilized to diminish inappropriate and costly cybersecurity behaviors in various workplace environments.

    An Explanatory Model of Motivation for Cyber-Attacks Drawn from Criminological Theories

    A new influence model for Cyber Security is presented that deals with security attacks and the implementation of security measures from an attacker's perspective. The underlying hypothesis of this model is that the Criminological theories of Rational Choice, Desire for Control, and Low Self-Control are relevant to cybercrime and thereby aid in understanding its basic Motivation. The model includes the roles of Consequences, Moral Beliefs such as Shame and Embarrassment together with Formal Sanctions in deterring cybercrime, as well as the role of Defense Posture in limiting the Opportunity to attack and increasing the likelihood that an attacker will be detected and exposed. One of the motivations of the study was the observation that few attempts have been made to understand cybercrime in the context of typical crime because: (a) an attacker may consider his actions victimless due to the remoteness of the victim; (b) cybercrimes are easy to commit due to the opportunities afforded by the Internet and its accessibility, and readily available tools and knowledge for an attack; and (c) the vagueness of cybercrime laws makes prosecution difficult. In developing the model, information from studies in classical crime was related to Cybercrime, allowing for analysis of past cyber-attacks and subsequently preventing future IS attacks or mitigating their effects. The influence model's applicability is demonstrated by applying it to case studies of actual information attacks which were prosecuted through the United States Courts, and whose judges' opinions are used for statements of facts. Additionally, the use and face validity of the model are demonstrated through the mapping of the model to the results of major annual surveys and reports of computer crime. The model is useful in qualitatively explaining "best practices" in protecting information assets and in suggesting emphasis on security practices based on similar results in general criminology.

    Legal Phantoms in Cyberspace: The Problematic Status of Information as a Weapon and a Target Under International Humanitarian Law

    Reports of state-sponsored harmful cyber intrusions abound. The prevailing view among academics holds that if the effects or consequences of such intrusions are sufficiently damaging, international humanitarian law (IHL) should generally govern them, and recourse to armed force may also be justified against states responsible for these actions under the jus ad bellum. This Article argues, however, that there are serious problems and perils in relying on analogies with physical armed force to extend these legal regimes to most events in cyberspace. Armed conflict models applied to the use of information as a weapon and a target are instead likely to generate legal phantoms in cyberspace, that is, situations in which numerous policy questions and domestic criminal issues are misinterpreted as legal problems governed by the IHL framework or the jus ad bellum. This Article assesses this dilemma in the context of four key problem areas relating to dimensions of information: (1) problems of origin, organization, and availability; (2) problems of access and control; (3) problems of exploitation; and (4) problems of manipulation and content.