Security Quotient: Preliminary Research Results
A big thank you goes to the ISACA Auckland board for the invite last week to present an update on my two year passion project to mitigate the harm caused by cybercrime.
As I noted on the day, the rather provocative session title – using the S word and TV show imagery – was chosen to keep people engaged for the always difficult post-lunch slot when audiences are fighting the urge to drift off into a light snooze as the body focuses on physical rather than mental digestion.
Presenting on the day felt like coming home – I originally gave a presentation at the November 2016 ISACA Cybersecurity Day on the need to move away from a model of being the ambulance at the bottom of the cliff and increasingly targeting prevention and intervention efforts towards a subset of individuals who may be at the greatest risk of falling victim to cybercrime and common socio-technical internet attacks like phishing.
Six years spent listening to horror stories around small businesses impacted by ransomware or Business Email Compromise incidents or of individuals emotionally and financially harmed by romance and investment scams has provided the drive to get this far and I hope the insights shared were of some interest to the audience.
The SeBIS and CFC-F scales appear to offer good ‘predictive’ insights where there’s a correlation with internet safety and security knowledge/ability and future focused behaviours. Eleven ‘Very High Risk’ (VHR) individuals were identified in the survey data, including four previous cybercrime victims who had lost up to $10,000. Combining the three scale scores via weighting or other means is now required to produce a final Security Quotient metric.
I owe a big thank you to all those who took the time to help promote the Security Quotient survey earlier this year to their networks and especially to those individuals who took the time to complete the survey and provided the very important data to draw from.
After promotion via mainstream and social media, through Google and Facebook PPC campaigns (thanks CFFC!), 167 responses were received. I will now be working with the University of Auckland to validate the preliminary findings I presented on identifying Very High Risk individuals via psychometric scales and the ‘Victor’ and ‘Victim’ clusters of behaviours.
Combining Safety and Security
As security professionals, we focus much of our efforts on securing data and devices, using risk assessments and security controls to protect information and information systems to provide confidentiality, integrity, and availability, to protect corporate reputations and share prices, to comply with standards and regulations, and to avoid punitive fines (#GDPR).
In this environment, end users – the ‘people’ in the three pillars of infosec – are often viewed as the weakest link in the security chain, too stupid, incapable or uninterested to count for much in a security programme, viewed often as a burden rather than a force multiplier to leverage when developing a stronger security culture.
The Security Quotient project has been firmly about securing and safeguarding people and to move on from a mindset of victim blaming.
What struck me last Thursday at the ISACA 2018 Cybersecurity Day was how the security world is evolving and how our historic focus on data and devices is also evolving to reflect the changing nature of technology itself and the increasing likelihood of harm potentially being caused by cyberphysical incidents and events.
Richard Harrison spoke about current and future digital crime in a healthcare context, of our increasing reliance on the integrity of data from connected medical devices and the future of healthcare implantables where cybersecurity will apply not just to connected devices but to connected people too.
John Martin’s talk on the current and future states of IoT illustrated how diverse standards and a lack of comprehensive guidance and regulation is leading to increasing risk as we connect anything and everything to the internet with little effort made to include security by design or default.
And, of course, Chris Roberts’ fantastic presentation on plane, train and agricultural cybersecurity was supplemented by his research into weaponising nanotechnology, hacking the human and how ‘brainwave’ authentication is only years away.
I remember being asked whilst interviewing for Deloitte “what is your proudest work achievement?” and talking about the development and operation of the ORB reporting platform. From small beginnings in August 2010 through to August 2016, the system enabled New Zealanders to report almost 28,500 incidents and record $35m in direct financial losses.
The platform provided a real time reporting dashboard and allowed partner agencies to stay up to date with incident trends; writing monthly intelligence reports for partners delivered a picture of the harm across NZ and allowed targeted educational resources to be focused where required.
I’ve taken the learnings from this experience at the bottom of the proverbial cyber incident cliff and want to build something that delivers an opportunity to prevent further harm from being caused to the most vulnerable. In a Security Quotient ‘product’ roadmap, now would mark the end of the Alpha phase with this harm reduction vision validated through prototyping and a Minimum Viable Product defined.
If the model can be assessed further with assistance from the University of Auckland, it should be possible to deliver a Quotient value through an online service that presents both a risk rating and guidance to the user at the end of the survey.
My next aim – after rapidly writing up the research completed to date – will be to build a ‘human vulnerability scanner’ on a par with the likes of Nessus or Qualys which work to identify risks through CVSS scores. If the Security Quotient predictive model can be further validated through statistical analysis, developing an online platform will give me a chance to return to delivering digital tools that provide real value to the user.
Ultimately, it would be great to also develop a ‘human firewall’ capability in the form of targeted education and/or an operating system with individualised, adaptive security that can wrap a more effective safety net around the internet user.
With cybercrime now more lucrative than the global drugs trade, developing predictive analytics to prevent internet users from falling victim seems more important than ever.
Can you help?
There’s no doubt that the small dataset is an issue for validating the predictive nature of the Security Quotient metric. If you’re a CISO, CSO, ISM or security practitioner interested in the concept and able to assist with getting a large NZ workforce involved, do please reach out: firstname.lastname@example.org.
Connecting to a current security culture programme or large phishing simulation dataset would be an interesting next step too.
A larger dataset could also allow respondent nationality to be assessed for evaluation of Hofstede’s cultural ‘Individualism’ measure as a protective/risk factor.