
    A Social Cognitive Neuroscience Approach to Information Security

    Information security (InfoSec) represents a significant challenge for private citizens, corporations, and government entities. Breaches of InfoSec may lower consumer confidence (Yayla & Hu, 2011), shape national and international politics (Groll, 2017), and represent a significant threat to the world economy (e.g., estimated costs of breaches related to cybercrime were $3 trillion in 2015; Cybersecurity Ventures). Significant progress has been made in the context of developing and refining hardware and software infrastructure to thwart cybercrime (Ayuso, Gasca, & Lefevre, 2012; Choo, 2011). However, much less attention has been devoted to understanding the factors that lead individuals within an organization to compromise the digital assets of a company or government entity (Posey, Bennett, & Roberts, 2011; Warkentin & Willison, 2009). The need for a greater understanding of the causes of insider threat becomes readily apparent when one considers that roughly 50% of security violations result from the activities of individuals within an organization (Richardson, 2011). Additionally, in a recent survey 89% of respondents felt that their organizations were at risk from an insider attack, and 34% felt very or extremely vulnerable (Vormetric Data Security, 2015). In this paper we describe our program of research that examines the neural basis of individual decision making related to InfoSec, and is grounded in a social cognitive neuroscience approach. We also consider evidence from studies examining the effects of individual and cultural differences on decision making related to InfoSec. Together this evidence may serve to motivate future research that integrates theories from neuroscience and the social and behavioral sciences in order to deepen our understanding of the factors that lead individuals to compromise InfoSec.

    Malicious User Experience Design Research for Cybersecurity

    This paper explores the factors and theory behind the user-centered research that is necessary to create a successful game-like prototype, and user experience, for malicious users in a cybersecurity context. We explore what is known about successful addictive design in the fields of video games and gambling to understand the allure of breaking into a system, and the joy of thwarting the security to reach a goal or a reward of data. Based on the malicious user research, game user research, and using the GameFlow framework, we propose a novel malicious user experience design approach.

    Toward a Rational Choice Process Theory of Internet Scamming: The Offender’s Perspective

    Internet fraud scam is a crime enabled by the Internet to swindle Internet users. The global costs of these scams are in the billions of US dollars. Existing research suggests that scammers maximize their economic gain. Although this is a plausible explanation, since the idea of the scam is to fool people into sending money, this explanation alone cannot explain why individuals become Internet scammers. An equally important, albeit unexplored, riddle is the question of what strategies Internet scammers adopt to perform the act. As a first step to address these gaps, we interviewed five Internet scammers in order to develop a rational choice process theory of Internet scammers’ behavior. The initial results suggest that an interplay of socioeconomic and dynamic thinking processes explains why individuals drift into Internet scamming. Once an individual drifts into Internet scamming, a successful scam involves two processes: persuasive strategy and advance fee strategy.

    An inward focus of attention during information security decision making: Electrophysiological evidence

    Insider threat represents a significant source of violations of information security. Our previous research using event-related potentials (ERPs) has revealed patterns of neural activity that distinguish ethical decision making from decisions that do not involve an ethical component. In the current study, we sought to gain insight into the locus of the effect of ethical decision making on the posterior N2 component of the ERPs. The ERP data revealed that the N2 was greater in amplitude for control trials relative to ethical violation trials, and time-frequency analyses revealed that this resulted from a reduction in phase-locked activity across trials rather than a decrease in EEG power. These findings may indicate that ethical decision making related to information security is associated with a greater inward focus of attention than is the case for decision making on control trials.

    Markets for Zero-Day Exploits: Ethics and Implications

    A New Security Paradigms Workshop (2013) panel discussed the topic of ethical issues and implications related to markets for zero-day exploits, i.e., markets facilitating the sale of previously unknown details on how to exploit software vulnerabilities in target applications or systems. The related topic of vulnerability rewards programs (“bug bounties” offered by software vendors) was also discussed. This note provides selected background material submitted prior to the panel presentation, and summarizes discussion resulting from the input of both the panelists and NSPW participants.

    Measuring Hacking Ability Using a Conceptual Expertise Task

    Hackers pose a continuous and unrelenting threat to organizations. Industry and academic researchers alike can benefit from a greater understanding of how hackers engage in criminal behavior. A limiting factor of hacker research is the inability to verify that self-proclaimed hackers participating in research actually possess their purported knowledge and skills. This paper presents current work in developing and validating a conceptual-expertise based tool that can be used to discriminate between novice and expert hackers. The implications of this work are promising since behavioral information systems researchers operating in the information security space will directly benefit from the validation of this tool.
    Keywords: hacker ability, conceptual expertise, skill measurement

    Cyber-offenders versus traditional offenders: An empirical comparison

    Bernasco, W. [Promotor]; Ruiter, S. [Promotor]; Gelder, J.-L. van [Copromotor]

    The Economics of Hacking

    Hacking is becoming more common and dangerous. The challenge of dealing with hacking often comes from the fact that much of our wisdom about conventional crime cannot be directly applied to understand hacking behavior. Against this backdrop, this essay reviews hacking studies, with a focus on discussing the new features of cybercrime and how they affect the application of the classical economic theory of crime in cyberspace. Most findings of hacking studies can be interpreted with a parsimonious demand and supply framework. Hackers decide whether and how much to “supply” hacking by calculating the return on hacking over other opportunities. Defenders optimally tolerate some level of hacking risk because defense is costly. This tolerance can be interpreted as an indirect “demand” for hacking. Variations in law enforcement, hacking benefits, hacking costs, legal alternatives, private defense, and the dual use problem can variously affect the supply of or demand for hacking, and in turn the equilibrium level of hacking observed in the market. Overall, this essay suggests that the classical economic theory of crime remains a powerful framework to explain hacking behaviors. However, the application of this theory calls for consideration of different assumptions and driving forces, such as psychological motives and economies of scale in offenses, that are often less prevalent in conventional (offline) criminal behaviors but that tend to underscore hacking in cyberspace.