Skip to main content

A Socio-Technical and Co-evolutionary Framework for Reducing Human-Related Risks in Cyber Security and Cybercrime Ecosystems

Part of the Communications in Computer and Information Science book series (CCIS,volume 1123)

Abstract

The focus on cyber security as an interaction between technical elements and humans has typically confined consideration of the latter to practical issues of implementation, conventionally those of ‘human performance factors’ of vigilance etc., ‘raising awareness’ and/or ‘incentivization’ of people and organizations to participate and adapt their behavior. But this is far too narrow a view that seriously constrains the ability of cyber security as a whole to adapt and evolve to keep up with adaptive, innovative attackers in a rapidly-changing technological, business and social landscape, in which personal preferences of users are also dynamically evolving.

While there is isolated research across different research areas, we noticed the lack of a holistic framework combining a range of applicable theoretical concepts (e.g., cultural co-evolution such as technological arms races, opportunity management, behavioral and business models) and technological solutions on reducing human-related risks in the cyber security and cybercrime ecosystems, which involve multiple groups of human actors including offenders, victims, preventers and promoters. This paper reports our ongoing work in developing such a socio-technical framework (1) to allow a more comprehensive understanding of human-related risks within cyber security and cybercrime ecosystems and (2) to support the design of more effective approaches to engaging individuals and organizations in the reduction of such risks. We are in the process of instantiating this framework to encourage behavioral changes in two use cases that capture diverse and complicated socio-technical interactions in cyber-physical systems.

Keywords

  • Socio-technical
  • Framework
  • Human factors
  • Human behavior
  • Risk management
  • Cyber security
  • Cybercrime
  • Co-evolution
  • Ontology
  • Transportation
  • Human-as-a-Security-Sensor (HaaSS)
  • Crime prevention

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-981-15-1304-6_22
  • Chapter length: 17 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   79.99
Price excludes VAT (USA)
  • ISBN: 978-981-15-1304-6
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   99.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.

Notes

  1. 1.

    https://www.unodc.org/e4j/en/tertiary/cybercrime.html.

  2. 2.

    This is less straightforward for victim and promoter roles, as both could develop into preventers or even offenders.

References

  1. Operando. https://www.operando.eu/. Accessed 26 Apr 2019

  2. PlusPrivacy. https://plusprivacy.com/. Accessed 26 Apr 2019

  3. Privacy Flag. https://privacyflag.eu/. Accessed 26 Apr 2019

  4. SPECIAL. https://www.specialprivacy.eu/. Accessed 26 Apr 2019

  5. Ablon, L., Libicki, M.C., Golay, A.A.: Markets for cybercrime tools and stolen data: Hackers’ bazaar. Technical report, RAND Corporation (2014). https://www.rand.org/pubs/research_reports/RR610.html

  6. Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999). https://doi.org/10.1145/322796.322806

    CrossRef  Google Scholar 

  7. Beautement, A., Becker, I., Parkin, S., Krol, K., Sasse, M.A.: Productive security: a scalable methodology for analysing employee security behaviours. In: Proceedings of 12th Symposium on Usable Privacy and Security. USENIX Association (2016). https://www.usenix.org/conference/soups2016/technical-sessions/presentation/beautement

  8. Behdad, M., Barone, L., Bennamoun, M., French, T.: Nature-inspired techniques in the context of fraud detection. IEEE Trans. Syst. Man Cybern. Part C Appl. Rev. 42(6), 1273–1290 (2012). https://doi.org/10.1109/TSMCC.2012.2215851

    CrossRef  Google Scholar 

  9. Bernasco, W.: Foraging strategies of homo criminalis: lessons from behavioral ecology. Crime Patterns Anal. 2(1), 5–16 (2009)

    Google Scholar 

  10. Bichler, G., Bush, S., Malm, A.: Regulatory foresight: estimating policy effects on transnational illicit markets. Contemp. Crim. Justice 31(3), 297–318 (2015). https://doi.org/10.1177/1043986215575138

    CrossRef  Google Scholar 

  11. Bold, K.: Inspired by nature, researcher develops new cyber security techniques (2014). https://phys.org/news/2014-05-nature-cyber-techniques.html

  12. Clarke, R.V.: Seven misconceptions of situational crime prevention. In: Handbook of Crime Prevention and Community Safety, pp. 39–70. Routledge (2013)

    Google Scholar 

  13. Collins, B.S., Mansell, R.: Cyber trust and crime prevention: a synthesis of the state-of-the-art science reviews. Technical report, Office of Science and Technology, UK (2004). http://eprints.lse.ac.uk/4252/

  14. Demertzis, K., Iliadis, L.: A bio-inspired hybrid artificial intelligence framework for cyber security. In: Daras, N.J., Rassias, M.T. (eds.) Computation, Cryptography, and Network Security, pp. 161–193. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-18275-9_7

    CrossRef  Google Scholar 

  15. Dykstra, J.A., Orr, S.R.: Acting in the unknown: the Cynefin framework for managing cybersecurity risk in dynamic decision making. In: Proceedings of 2016 International Conference on Cyber Conflict, pp. 1–6. IEEE (2016). https://doi.org/10.1109/CYCONUS.2016.7836616

  16. Ehrlich, P.R., Raven, P.H.: Butterflies and plants: a study in coevolution. Evolution 18(4), 586–608 (1964). https://doi.org/10.1111/j.1558-5646.1964.tb01674.x

    CrossRef  Google Scholar 

  17. Ekblom, P.: Crime Prevention, Security and Community Safety Using the 5IS Framework. Springer, London (2010). https://doi.org/10.1057/9780230298996

    CrossRef  Google Scholar 

  18. Ekblom, P.: Terrorism: lessons from natural and human co-evolutionary arms races. In: Evolutionary Psychology and Terrorism, pp. 82–113. Routledge (2015)

    Google Scholar 

  19. Ekblom, P.: Crime, situational prevention and technology: the nature of opportunity and how it evolves. In: The Routledge Handbook of Technology, Crime and Justice, pp. 379–400. Routledge (2017)

    Google Scholar 

  20. Ekblom, P.J.: Conjunction of criminal opportunity theory. Encycl. Victimology Crime Prev. (2010). https://doi.org/10.1057/9780230298996

    CrossRef  Google Scholar 

  21. Evans, M., He, Y., Maglaras, L., Janicke, H.: HEART-IS: a novel technique for evaluating human error-related information security incidents. Comput. Secur. 80, 74–89 (2019). https://doi.org/10.1016/j.cose.2018.09.002

    CrossRef  Google Scholar 

  22. Freilich, J.D., Newman, G.R.: Situational Crime Prevention, vol. 1. Oxford University Press(2017). https://doi.org/10.1093/acrefore/9780190264079.013.3

  23. Ganin, A.A., et al.: Multicriteria decision framework for cybersecurity risk assessment and management. Risk Anal. (2017). https://doi.org/10.1111/risa.12891

    CrossRef  Google Scholar 

  24. Grace, P., Surridge, M.: Towards a model of user-centered privacy preservation. In: Proceedings of 12th International Conference on Availability, Reliability and Security, p. 91. ACM (2017). https://doi.org/10.1145/3098954.3104054

  25. Heartfield, R., Loukas, G.: Detecting semantic social engineering attacks with the weakest link: implementation and empirical evaluation of a human-as-a-security-sensor framework. Comput. Secur. 76, 101–127 (2018). https://doi.org/10.1016/j.cose.2018.02.020

    CrossRef  Google Scholar 

  26. Jablonka, E., Lamb, M.J.: Evolution in Four Dimensions, Revised Edition: Genetic, Epigenetic, Behavioral, and Symbolic Variation in the History of Life. MIT Press, Cambridge (2014)

    CrossRef  Google Scholar 

  27. Johnson, S.D., Ekblom, P., Laycock, G., Frith, M.J., Sombatruang, N., Valdez, E.R.: Future crime. In: Routledge Handbook of Crime Science, Chapter 30. Palgrave Macmillan, London (2018)

    Google Scholar 

  28. Joinson, A., van Steen, T.: Human aspects of cyber security: behaviour or culture change? Cyber Secur. Peer Rev. J. 1(4), 351–360 (2018)

    Google Scholar 

  29. Kelly, R.: Almost 90% of cyber attacks are caused by human error or behavior (2017). https://chiefexecutive.net/almost-90-cyber-attacks-caused-human-error-behavior/

  30. Kraemer, S., Carayon, P., Clem, J.: Human and organizational factors in computer and information security: pathways to vulnerabilities. Comput. Secur. 28(7), 509–520 (2009). https://doi.org/10.1016/J.COSE.2009.04.006

    CrossRef  Google Scholar 

  31. Laland, K.N.: Darwin’s Unfinished Symphony: How Culture Made the Human Mind. Princeton University Press, Princeton (2017)

    CrossRef  Google Scholar 

  32. Lee, C., Iesiev, A., Usher, M., Harz, D., McMillen, D.: IBM X-force threat intelligence index 2019. Technical report, IBM security (2019). https://www.ibm.com/downloads/cas/ZGB3ERYD

  33. Liginlal, D., Sim, I., Khansa, L.: How significant is human error as a cause of privacy breaches? An empirical study and a framework for error management. Comput. Secur. 28(3–4), 215–228 (2009). https://doi.org/10.1016/j.cose.2008.11.003

    CrossRef  Google Scholar 

  34. Magliocca, N.R., et al.: Modeling cocaine traffickers and counterdrug interdiction forces as a complex adaptive system. Proc. Natl. Acad. Sci. 116(16), 7784–7792 (2019). https://doi.org/10.1073/pnas.1812459116

    CrossRef  Google Scholar 

  35. McGuire, M.: Hypercrime: The New Geometry of Harm. Routledge-Cavendish, London (2007)

    CrossRef  Google Scholar 

  36. McGuire, M.: Technology crime and technology control: contexts and history. In: The Routledge Handbook of Technology, Crime and Justice. Palgrave Macmillan, London (2016)

    Google Scholar 

  37. Newman, G.R., Clarke, R.: Superhighway Robbery: Preventing E-commerce Crime. Willan, Portland (2003)

    Google Scholar 

  38. Quan-Haase, A., Wellman, B.: Local virtuality in an organization: implications for community of practice. In: Van Den Besselaar, P., De Michelis, G., Preece, J., Simone, C. (eds.) Communities and Technologies 2005, pp. 215–238. Springer, Dordrecht (2005). https://doi.org/10.1007/1-4020-3591-8_12

    CrossRef  Google Scholar 

  39. Raschke, P., Küpper, A., Drozd, O., Kirrane, S.: Designing a GDPR-compliant and usable privacy dashboard. In: Hansen, M., Kosta, E., Nai-Fovino, I., Fischer-Hübner, S. (eds.) Privacy and Identity 2017. IAICT, vol. 526, pp. 221–236. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-92925-5_14

    CrossRef  Google Scholar 

  40. Robol, M., Salnitri, M., Giorgini, P.: Toward GDPR-compliant socio-technical systems: modeling language and reasoning framework. In: Poels, G., Gailly, F., Serral Asensio, E., Snoeck, M. (eds.) PoEM 2017. LNBIP, vol. 305, pp. 236–250. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70241-4_16

    CrossRef  Google Scholar 

  41. Rush, G., Tauritz, D.R., Kent, A.D.: Coevolutionary agent-based network defense lightweight event system (CANDLES). In: Proceedings of the Companion Publication of the 2015 Annual Conference on Genetic and Evolutionary Computation, pp. 859–866. ACM (2015). https://doi.org/10.1145/2739482.2768429

  42. Sasse, M.A., Brostoff, S., Weirich, D.: Transforming the ‘weakest link’ - a human/computer interaction approach to usable and effective security. BT Technol. J. 19(3), 122–131 (2001). https://doi.org/10.1023/A:1011902718709

    CrossRef  Google Scholar 

  43. Wortley, R.: Affordance and situational crime prevention: implications for counter terrorism. In: Terrorism and Affordance: New Directions in Terrorism Studies, Chapter 2, pp. 17–32. Bloomsbury Publishing (2012). https://doi.org/10.5040/9781501301155.ch-002

Download references

Acknowledgments

This work was supported by the research project, “ACCEPT: Addressing Cybersecurity and Cybercrime via a co-Evolutionary aPproach to reducing human-relaTed risks” (http://accept.cyber.kent.ac.uk/), funded by the EPSRC (Engineering and Physical Sciences Research Council) in the UK, under grant number EP/P011896/1 and EP/P011896/2.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Shujun Li .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Islam, T. et al. (2019). A Socio-Technical and Co-evolutionary Framework for Reducing Human-Related Risks in Cyber Security and Cybercrime Ecosystems. In: Wang, G., Bhuiyan, M.Z.A., De Capitani di Vimercati, S., Ren, Y. (eds) Dependability in Sensor, Cloud, and Big Data Systems and Applications. DependSys 2019. Communications in Computer and Information Science, vol 1123. Springer, Singapore. https://doi.org/10.1007/978-981-15-1304-6_22

Download citation

  • DOI: https://doi.org/10.1007/978-981-15-1304-6_22

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-15-1303-9

  • Online ISBN: 978-981-15-1304-6

  • eBook Packages: Computer ScienceComputer Science (R0)