Advertisement

A Socio-Technical and Co-evolutionary Framework for Reducing Human-Related Risks in Cyber Security and Cybercrime Ecosystems

  • Tasmina Islam
  • Ingolf Becker
  • Rebecca Posner
  • Paul Ekblom
  • Michael McGuire
  • Hervé Borrion
  • Shujun LiEmail author
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1123)

Abstract

The focus on cyber security as an interaction between technical elements and humans has typically confined consideration of the latter to practical issues of implementation, conventionally those of ‘human performance factors’ of vigilance etc., ‘raising awareness’ and/or ‘incentivization’ of people and organizations to participate and adapt their behavior. But this is far too narrow a view that seriously constrains the ability of cyber security as a whole to adapt and evolve to keep up with adaptive, innovative attackers in a rapidly-changing technological, business and social landscape, in which personal preferences of users are also dynamically evolving.

While there is isolated research across different research areas, we noticed the lack of a holistic framework combining a range of applicable theoretical concepts (e.g., cultural co-evolution such as technological arms races, opportunity management, behavioral and business models) and technological solutions on reducing human-related risks in the cyber security and cybercrime ecosystems, which involve multiple groups of human actors including offenders, victims, preventers and promoters. This paper reports our ongoing work in developing such a socio-technical framework (1) to allow a more comprehensive understanding of human-related risks within cyber security and cybercrime ecosystems and (2) to support the design of more effective approaches to engaging individuals and organizations in the reduction of such risks. We are in the process of instantiating this framework to encourage behavioral changes in two use cases that capture diverse and complicated socio-technical interactions in cyber-physical systems.

Keywords

Socio-technical Framework Human factors Human behavior Risk management Cyber security Cybercrime Co-evolution Ontology Transportation Human-as-a-Security-Sensor (HaaSS) Crime prevention 

Notes

Acknowledgments

This work was supported by the research project, “ACCEPT: Addressing Cybersecurity and Cybercrime via a co-Evolutionary aPproach to reducing human-relaTed risks” (http://accept.cyber.kent.ac.uk/), funded by the EPSRC (Engineering and Physical Sciences Research Council) in the UK, under grant number EP/P011896/1 and EP/P011896/2.

References

  1. 1.
    Operando. https://www.operando.eu/. Accessed 26 Apr 2019
  2. 2.
    PlusPrivacy. https://plusprivacy.com/. Accessed 26 Apr 2019
  3. 3.
    Privacy Flag. https://privacyflag.eu/. Accessed 26 Apr 2019
  4. 4.
    SPECIAL. https://www.specialprivacy.eu/. Accessed 26 Apr 2019
  5. 5.
    Ablon, L., Libicki, M.C., Golay, A.A.: Markets for cybercrime tools and stolen data: Hackers’ bazaar. Technical report, RAND Corporation (2014). https://www.rand.org/pubs/research_reports/RR610.html
  6. 6.
    Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999).  https://doi.org/10.1145/322796.322806CrossRefGoogle Scholar
  7. 7.
    Beautement, A., Becker, I., Parkin, S., Krol, K., Sasse, M.A.: Productive security: a scalable methodology for analysing employee security behaviours. In: Proceedings of 12th Symposium on Usable Privacy and Security. USENIX Association (2016). https://www.usenix.org/conference/soups2016/technical-sessions/presentation/beautement
  8. 8.
    Behdad, M., Barone, L., Bennamoun, M., French, T.: Nature-inspired techniques in the context of fraud detection. IEEE Trans. Syst. Man Cybern. Part C Appl. Rev. 42(6), 1273–1290 (2012).  https://doi.org/10.1109/TSMCC.2012.2215851CrossRefGoogle Scholar
  9. 9.
    Bernasco, W.: Foraging strategies of homo criminalis: lessons from behavioral ecology. Crime Patterns Anal. 2(1), 5–16 (2009)Google Scholar
  10. 10.
    Bichler, G., Bush, S., Malm, A.: Regulatory foresight: estimating policy effects on transnational illicit markets. Contemp. Crim. Justice 31(3), 297–318 (2015).  https://doi.org/10.1177/1043986215575138CrossRefGoogle Scholar
  11. 11.
    Bold, K.: Inspired by nature, researcher develops new cyber security techniques (2014). https://phys.org/news/2014-05-nature-cyber-techniques.html
  12. 12.
    Clarke, R.V.: Seven misconceptions of situational crime prevention. In: Handbook of Crime Prevention and Community Safety, pp. 39–70. Routledge (2013)Google Scholar
  13. 13.
    Collins, B.S., Mansell, R.: Cyber trust and crime prevention: a synthesis of the state-of-the-art science reviews. Technical report, Office of Science and Technology, UK (2004). http://eprints.lse.ac.uk/4252/
  14. 14.
    Demertzis, K., Iliadis, L.: A bio-inspired hybrid artificial intelligence framework for cyber security. In: Daras, N.J., Rassias, M.T. (eds.) Computation, Cryptography, and Network Security, pp. 161–193. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-18275-9_7CrossRefGoogle Scholar
  15. 15.
    Dykstra, J.A., Orr, S.R.: Acting in the unknown: the Cynefin framework for managing cybersecurity risk in dynamic decision making. In: Proceedings of 2016 International Conference on Cyber Conflict, pp. 1–6. IEEE (2016).  https://doi.org/10.1109/CYCONUS.2016.7836616
  16. 16.
    Ehrlich, P.R., Raven, P.H.: Butterflies and plants: a study in coevolution. Evolution 18(4), 586–608 (1964).  https://doi.org/10.1111/j.1558-5646.1964.tb01674.xCrossRefGoogle Scholar
  17. 17.
    Ekblom, P.: Crime Prevention, Security and Community Safety Using the 5IS Framework. Springer, London (2010).  https://doi.org/10.1057/9780230298996CrossRefGoogle Scholar
  18. 18.
    Ekblom, P.: Terrorism: lessons from natural and human co-evolutionary arms races. In: Evolutionary Psychology and Terrorism, pp. 82–113. Routledge (2015)Google Scholar
  19. 19.
    Ekblom, P.: Crime, situational prevention and technology: the nature of opportunity and how it evolves. In: The Routledge Handbook of Technology, Crime and Justice, pp. 379–400. Routledge (2017)Google Scholar
  20. 20.
    Ekblom, P.J.: Conjunction of criminal opportunity theory. Encycl. Victimology Crime Prev. (2010).  https://doi.org/10.1057/9780230298996CrossRefGoogle Scholar
  21. 21.
    Evans, M., He, Y., Maglaras, L., Janicke, H.: HEART-IS: a novel technique for evaluating human error-related information security incidents. Comput. Secur. 80, 74–89 (2019).  https://doi.org/10.1016/j.cose.2018.09.002CrossRefGoogle Scholar
  22. 22.
    Freilich, J.D., Newman, G.R.: Situational Crime Prevention, vol. 1. Oxford University Press(2017).  https://doi.org/10.1093/acrefore/9780190264079.013.3
  23. 23.
    Ganin, A.A., et al.: Multicriteria decision framework for cybersecurity risk assessment and management. Risk Anal. (2017).  https://doi.org/10.1111/risa.12891CrossRefGoogle Scholar
  24. 24.
    Grace, P., Surridge, M.: Towards a model of user-centered privacy preservation. In: Proceedings of 12th International Conference on Availability, Reliability and Security, p. 91. ACM (2017).  https://doi.org/10.1145/3098954.3104054
  25. 25.
    Heartfield, R., Loukas, G.: Detecting semantic social engineering attacks with the weakest link: implementation and empirical evaluation of a human-as-a-security-sensor framework. Comput. Secur. 76, 101–127 (2018).  https://doi.org/10.1016/j.cose.2018.02.020CrossRefGoogle Scholar
  26. 26.
    Jablonka, E., Lamb, M.J.: Evolution in Four Dimensions, Revised Edition: Genetic, Epigenetic, Behavioral, and Symbolic Variation in the History of Life. MIT Press, Cambridge (2014)CrossRefGoogle Scholar
  27. 27.
    Johnson, S.D., Ekblom, P., Laycock, G., Frith, M.J., Sombatruang, N., Valdez, E.R.: Future crime. In: Routledge Handbook of Crime Science, Chapter 30. Palgrave Macmillan, London (2018)Google Scholar
  28. 28.
    Joinson, A., van Steen, T.: Human aspects of cyber security: behaviour or culture change? Cyber Secur. Peer Rev. J. 1(4), 351–360 (2018)Google Scholar
  29. 29.
    Kelly, R.: Almost 90% of cyber attacks are caused by human error or behavior (2017). https://chiefexecutive.net/almost-90-cyber-attacks-caused-human-error-behavior/
  30. 30.
    Kraemer, S., Carayon, P., Clem, J.: Human and organizational factors in computer and information security: pathways to vulnerabilities. Comput. Secur. 28(7), 509–520 (2009).  https://doi.org/10.1016/J.COSE.2009.04.006CrossRefGoogle Scholar
  31. 31.
    Laland, K.N.: Darwin’s Unfinished Symphony: How Culture Made the Human Mind. Princeton University Press, Princeton (2017)CrossRefGoogle Scholar
  32. 32.
    Lee, C., Iesiev, A., Usher, M., Harz, D., McMillen, D.: IBM X-force threat intelligence index 2019. Technical report, IBM security (2019). https://www.ibm.com/downloads/cas/ZGB3ERYD
  33. 33.
    Liginlal, D., Sim, I., Khansa, L.: How significant is human error as a cause of privacy breaches? An empirical study and a framework for error management. Comput. Secur. 28(3–4), 215–228 (2009).  https://doi.org/10.1016/j.cose.2008.11.003CrossRefGoogle Scholar
  34. 34.
    Magliocca, N.R., et al.: Modeling cocaine traffickers and counterdrug interdiction forces as a complex adaptive system. Proc. Natl. Acad. Sci. 116(16), 7784–7792 (2019).  https://doi.org/10.1073/pnas.1812459116CrossRefGoogle Scholar
  35. 35.
    McGuire, M.: Hypercrime: The New Geometry of Harm. Routledge-Cavendish, London (2007)CrossRefGoogle Scholar
  36. 36.
    McGuire, M.: Technology crime and technology control: contexts and history. In: The Routledge Handbook of Technology, Crime and Justice. Palgrave Macmillan, London (2016)Google Scholar
  37. 37.
    Newman, G.R., Clarke, R.: Superhighway Robbery: Preventing E-commerce Crime. Willan, Portland (2003)Google Scholar
  38. 38.
    Quan-Haase, A., Wellman, B.: Local virtuality in an organization: implications for community of practice. In: Van Den Besselaar, P., De Michelis, G., Preece, J., Simone, C. (eds.) Communities and Technologies 2005, pp. 215–238. Springer, Dordrecht (2005).  https://doi.org/10.1007/1-4020-3591-8_12CrossRefGoogle Scholar
  39. 39.
    Raschke, P., Küpper, A., Drozd, O., Kirrane, S.: Designing a GDPR-compliant and usable privacy dashboard. In: Hansen, M., Kosta, E., Nai-Fovino, I., Fischer-Hübner, S. (eds.) Privacy and Identity 2017. IAICT, vol. 526, pp. 221–236. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-92925-5_14CrossRefGoogle Scholar
  40. 40.
    Robol, M., Salnitri, M., Giorgini, P.: Toward GDPR-compliant socio-technical systems: modeling language and reasoning framework. In: Poels, G., Gailly, F., Serral Asensio, E., Snoeck, M. (eds.) PoEM 2017. LNBIP, vol. 305, pp. 236–250. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70241-4_16CrossRefGoogle Scholar
  41. 41.
    Rush, G., Tauritz, D.R., Kent, A.D.: Coevolutionary agent-based network defense lightweight event system (CANDLES). In: Proceedings of the Companion Publication of the 2015 Annual Conference on Genetic and Evolutionary Computation, pp. 859–866. ACM (2015).  https://doi.org/10.1145/2739482.2768429
  42. 42.
    Sasse, M.A., Brostoff, S., Weirich, D.: Transforming the ‘weakest link’ - a human/computer interaction approach to usable and effective security. BT Technol. J. 19(3), 122–131 (2001).  https://doi.org/10.1023/A:1011902718709CrossRefGoogle Scholar
  43. 43.
    Wortley, R.: Affordance and situational crime prevention: implications for counter terrorism. In: Terrorism and Affordance: New Directions in Terrorism Studies, Chapter 2, pp. 17–32. Bloomsbury Publishing (2012).  https://doi.org/10.5040/9781501301155.ch-002

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. 1.University of KentCanterburyUK
  2. 2.University College LondonLondonUK
  3. 3.TRL Ltd.WokinghamUK
  4. 4.Central Saint MartinsUniversity of the Arts LondonLondonUK
  5. 5.University of SurreyGuildfordUK

Personalised recommendations