2,139 research outputs found

    From cyber-security deception to manipulation and gratification through gamification

    Over the last two decades the field of cyber-security has experienced numerous changes associated with the evolution of other fields, such as networking, mobile communications, and recently the Internet of Things (IoT) [3]. Changes in mindsets have also been witnessed: a couple of years ago the cyber-security industry only blamed users for their mistakes, often depicted as the number one reason behind security breaches. Nowadays, companies are empowering users, modifying their perception of being the weak link, into being the center-piece of the network design [4]. Users are by definition "in control" and therefore a cyber-security asset. Researchers have focused on the gamification of cyber-security elements, helping users to learn and understand the concepts of attacks and threats, allowing them to become the first line of defense to report anomalies [5]. However, over the past years numerous infrastructures have suffered from malicious intent, data breaches, and crypto-ransomware, clearly showing the technical "know-how" of hackers and their ability to bypass any security in place, demonstrating that no infrastructure, software or device can be considered secure. Researchers concentrated on the gamification, learning and teaching theory of cyber-security to end-users in numerous fields through various techniques and scenarios to raise cyber-situational awareness [2][1]. However, they overlooked the users’ ability to gather information on these attacks. In this paper, we argue that there is an endemic issue in the understanding of hacking practices leading to vulnerable devices, software and architectures. We therefore propose a transparent gamification platform for hackers. The platform is designed with hacker user-interaction and deception in mind, enabling researchers to gather data on the techniques and practices of hackers.
    To this end, we developed a fully extendable gamification architecture allowing researchers to deploy virtualised hosts on the internet. Each virtualised host contains a specific vulnerability (i.e. web application, software, etc). Each vulnerability is connected to a game engine, an interaction engine and a scoring engine

    Using Deception to Enhance Security: A Taxonomy, Model, and Novel Uses

    As the convergence between our physical and digital worlds continues at a rapid pace, securing our digital information is vital to our prosperity. Most current typical computer systems are unwittingly helpful to attackers through their predictable responses. In everyday security, deception plays a prominent role in our lives and digital security is no different. The use of deception has been a cornerstone technique in many successful computer breaches. Phishing, social engineering, and drive-by-downloads are some prime examples. The work in this dissertation is structured to enhance the security of computer systems by using means of deception and deceit

    Malicious User Experience Design Research for Cybersecurity

    This paper explores the factors and theory behind the user-centered research that is necessary to create a successful game-like prototype, and user experience, for malicious users in a cybersecurity context. We explore what is known about successful addictive design in the fields of video games and gambling to understand the allure of breaking into a system, and the joy of thwarting the security to reach a goal or a reward of data. Based on the malicious user research, game user research, and using the GameFlow framework, we propose a novel malicious user experience design approac

    Architectural Style: Distortions for Deploying and Managing Deception Technologies in Software Systems

    Deception technologies are software tools that simulate/dissimulate information as security measures in software systems. Such tools can help prevent, detect, and correct security threats in the systems they are integrated with. Despite the continued existence and use of these technologies (~20+ years) the process for integrating them into software systems remains undocumented. This is due to deception technologies varying greatly from one another in a number of different ways. To begin the process of documentation, I have proposed an architectural style that describes one possible way deception technologies may be integrated into software systems. To develop this architectural style, I performed a literature review on deception technologies and the art of deception as a discipline. I break down how deception technologies work according to the art of deception through the simulation and dissimulation of software components. I then examined existing deception technologies and categorized them according to their simulations/dissimulations. The documented and proposed architectural style describes how software systems deploy and manage deceptions. Afterwards, I propose a number of future research opportunities surrounding this subject

    Defensive Cyber Maneuvers to Disrupt Cyber Attackers

    Perimeter based defenses are limited in deterring and defeating cyberattacks. Multi-layered approaches are needed to provide robust cybersecurity and defend against Advanced Persistent Threats. Proactive defensive cyber actions can provide positional or temporal advantages over an adversary in the cognitive, technical, and physical domains. These actions comprise cyber maneuvers, which are implemented reconfigurations to a network that aim to make attackers more visible and detectable, impede attacker progress, and reduce attackers’ chances of mission success. Technical actions and response are the primary focus of most current cyber defense frameworks with little attention on adversary behavioral and cognitive effects. We describe the enhanced cyber maneuver framework which addresses cognitive and behavioral responses to cyber effects. We present experimental results that demonstrate the framework and a testing approach to collect supporting findings on the effects of cyber maneuvers

    Combating IS Fraud: A Teaching Case Study

    People are becoming more creative in use of classic fraud schemes via information systems. This paper presents a case study resource for teaching information security controls to help combat information systems fraud. The Health First Case Study is designed to give undergraduate computer science, information systems, and information technology students an opportunity to plan security for a doctor’s office, with the guidance of another useful resource, the Small Business Security Workbook. The case study addresses social engineering, ethics, requirements documentation, security design, incident response, and personnel security. Course implementation examples are included for both face-to-face and online courses