Some of the following information formed part of a successful application for internet research funding from InternetNZ. A full literature review encompassing socio-technical attacks, online scams and the forms and impact of human vulnerabilities will follow later in the research timetable.
To discuss the project, please get in touch with Chris Hails via email to firstname.lastname@example.org.
What is this research about?
Securing the Human: Identifying an individual’s ‘Security Quotient’ score and the behavioural qualities that may pre-dispose people to fall victim to socio-technical internet attacks.
The aim of this study is to evaluate the programmatic identification of cyber security risk profiles that may in future facilitate the delivery of targeted or personalised risk mitigation interventions.
“Only amateurs attack machines; professionals target people” – Bruce Schneier, Semantic Attacks: The Third Wave of Network Attacks, 2000
Cyber security is of growing importance for New Zealand internet users. With the proliferation of connected devices, ubiquitous access and the increasing impact of IoT, there has been limited focus on best practice in the science of cyber security when it comes to securing the human end user.
Human error – whether accidental or malicious – and the failure of layered logical security controls to successfully adapt to end user behaviours is believed to be the root cause of between 42% and almost 90% of cyber security incidents globally (dependent on research sources and security incident classification).
A ‘socio-technical attack’ is possible because of the presence of human components in a system. This project looks to build on existing security, human behaviour and health promotion research to evaluate the programmatic identification of cyber security risk profiles – and ultimately the generation of an individual’s ‘Security Quotient’ score – that may in future facilitate the delivery of targeted or personalised risk mitigation interventions.
Funding this project embraces the established concept of valuing people as a core part of an effective security system, alongside ongoing development of identification and authentication controls such as DKIM, SPF, DMARC and U2F. Completion of this research may benefit New Zealand internet users and enhance security of the internet as a whole.
What is a socio-technical attack?
“A socio-technical vulnerability is the conjunction of a human behaviour, the factors that foster the occurrence of this behaviour, and a system”
“A socio-technical attack is possible because of the human components in a system.” – Jean-Louis Huynen, Socio-technical aspects of security analysis
This table created by Jean-Louis Huynen gives explicit examples where human error, insider threat or social engineering result in a security incident:
Some of the most common – and most financially and/or emotionally harmful – forms of socio-technical attacks encountered by the researcher in New Zealand include:
- Romance fraud
- Investment fraud
- Business Email Compromise (BEC)
The key is that in the majority of those cases, the weakest link in the system was often a human being – a human who responded to the charms of a scammer or was curious enough to infect their own system and encrypt essential data.
What is the problem or opportunity being addressed?
Current cyber security best practice is predominantly based on probabilistic risk assessments that take account of known technological system vulnerabilities.
Once risk factors have been identified, spending and investment is often focused on black box security products and layering proprietary technologies to detect, delay or defeat external attackers.
“If you really want to breach them, forget the zero day [exploit], forget memory corruption bugs, you’re going to send a phishing mail and you’ve got your success.” Marco Slaviero of Canary.Tools on Risky Business #437, November 2016
“People are the main vulnerabilities to a secure enterprise. Respondents believe that inadvertent human error (48%), lack of staff awareness (33%) and weaknesses in vetting individuals (17%), were all contributing factors in causing the single worst breach that organisations suffered” – HM Government Information Security Breaches Survey, 2015
“The common denominator across the top four patterns – accounting for nearly 90% of all incidents – is people” – Verizon Data Breach Investigation Report, 2015
In reality, many current cyber security incidents are initiated by trusted insiders who have privileged access to systems and data and may ultimately be motivated and influenced by emotional, spontaneous, and unconscious human biases that could be considered as equivalent human vulnerabilities to be targeted by skilled attackers.
In order to fully address cyber security risks it is therefore necessary to understand and quantify the nature of human risk factors.
This research project looks to explore the concept of testing for inherent high risk human behaviours that could – in future – be mitigated through additional customised security controls and/or by educating individuals in a targeted manner.
What needs to happen and how do you plan to go about it?
Safety management processes and health promotion models developed over the last fifty years offer mature approaches to address psychological or cognitive factors that influence human behaviours when it comes to healthy living and adopting safer working practices in human-machine systems.
Early research in the science of cyber security suggests that good security behaviours may also be influenced by personality traits and be tied to long-term thinking. This research project will look to confirm this position and establish if it is possible to identify high risk human behaviours applicable to cyber security scenarios; to accurately assess an individual’s ‘Security Quotient’ score and, at a later stage, if pre-existing education models could be adapted to deliver targeted early intervention to reduce the impact of socio-technical attacks.
“It may be possible to target prevention and intervention efforts to the subset of individuals at the greatest risk” The Power of Personality – The Comparative Validity of Personality Traits, Socioeconomic Status, and Cognitive Ability for Predicting Important Life Outcomes
In the world of health promotion, significant research has been undertaken to explore personality trait profiling where levels of conscientiousness, specifically the facets of self control and conventionality, are seen as predictors of mortality/longevity.
This research project will develop a questionnaire that combines key elements of existing security behaviour measurement and risk assessment models with health promotion – Future Focused – personality assessment techniques to produce a conceptual scale that can identify ‘high risk’ members of a population group who may benefit from early and targeted intervention in the form of adaptive security controls and/or personalised education materials that suit their stage of learning.
The questionnaire will build upon previous published work in the fields of human computer interaction, risk management and social psychology to develop a model that can be tested in a single sitting that may help identify technology end users who are predisposed towards risk taking behaviours and, as such, more likely to fall for social engineering and other cyber security exploits that rely on common human biases. Following the development of the research questionnaire, the project will look to recruit respondents via social media for analysis of the model’s effectiveness through the submission of completed online surveys.
A number of interviews that look to confirm or deny the existence of risk-taking behaviours will also be completed with a random selection of survey participants. Interviews will be transcribed and data from both quantitative and qualitative research methods analysed and combined to evaluate the effectiveness of the model in a final written report.
How will this research help inform the development of the internet in New Zealand and/or the availability, use and benefit of the internet for New Zealanders?
The researcher was previously employed as a security consultant at NetSafe and in 2010 developed and launched the Online Reporting Button service (The ORB) in partnership with NZ Police, DIA and MBIE’s Consumer Protection team.
New Zealanders reported almost 28,500 online incidents between August 2010 and August 2016 that involved the loss of more than $35m to a wide variety of cyber-enabled threat actors. The researcher developed extensive experience in incident triage and response and has spoken at length with many New Zealand victims of sociotechnical attacks.
A desire to work towards reducing the impact of these attacks on New Zealanders lies at the heart of this research proposal. Cross-border cybercrime and the increasing ubiquity of cyber-enabled attacks is growing year on year and the vulnerability of internet users to a subset of attacks that rely on ‘human vulnerabilities’ ultimately threatens the inherent trust that users place on the online environment.
Funding this project embraces the established concept of valuing people as a core part of an effective security system, alongside ongoing development of identification and authentication controls such as DKIM, SPF, DMARC and U2F. Completion of this research may benefit New Zealand internet users and enhance the security of the internet as a whole.
At a later stage, it may be possible to utilise the research outcomes to adapt pre-existing education models to deliver targeted early intervention and/or adaptive security controls to reduce the effectiveness of sociotechnical attacks and, ultimately, to reduce the financial, emotional and social impacts on victims and their families.
What outcomes do you expect?
Ultimately, the research proposal aims to:
- Identify an easy to use questionnaire or proof of concept ‘personality model’ that can identify high risk human behaviours applicable to cyber security scenarios.
- Confirm if combining existing ‘cyber psychometrics’ research can identify psychological or cognitive factors that influence human behaviours and make individuals vulnerable to socio-technical attacks.
- Validate the proposal that assessing an individual’s ‘Security Quotient’ score could in future facilitate the delivery or targeted training and/or context aware security controls to reduce risk.