How To Hack the Hackers: The Human Side Of Cybercrime

As cyber-attacks grow ever more sophisticated, those who defend against them are embracing behavioural science and economics to understand both the perpetrators and their victims. 

Say what you will about cyber-criminals, says Dr. Angela Sasse a psychologist and computer scientist at University College London who heads the Research Institute in Science of Cyber Security, “their victims rave about the customer service”. Sasse is talking about ransomware: an extortion scheme in which hackers encrypt the data on a user's computer, then demand money for the digital key to unlock them. 

Victims get detailed, easy-to-follow instructions for the payment process (all major credit cards accepted), and how to use the key. If they run into technical difficulties, there are 24/7 call centres.

“It's better support than they get from their own Internet service providers,” says Sasse. That, she adds, is today's cybersecurity challenge in a nutshell: “The attackers are so far ahead of the defenders, it worries me quite a lot.”

Long gone are the days when computer hacking was the domain of thrill-seeking teenagers and college students: since the mid-2000s, cyber-attacks have become dramatically more sophisticated.  Today, shadowy, state-sponsored groups launch exploits such as the 2014 hack of Sony Pictures Entertainment and the 2015 theft of millions of records from the US Office of Personnel Management, allegedly sponsored by North Korea and China, respectively. 'Hacktivist' groups such as Anonymous carry out ideologically driven attacks on high-profile terrorists and celebrities.  

A vast criminal underground traffics in everything from counterfeit Viagra to corporate espionage. By one estimate, cybercrime costs the global economy between US$375 billion and $575 billion each year. 

Increasingly, researchers and security experts are realising that they cannot meet this challenge just by building higher and stronger digital walls around everything. They have to look inside the walls, where human errors, such as choosing a weak password or clicking on a dodgy e-mail, are implicated in nearly one-quarter of all cybersecurity failures. They also have to look outwards, tracing the underground economy that supports the hackers and finding weak points that are vulnerable to counterattack.

“We've had too many computer scientists looking at cybersecurity, and not enough psychologists, economists and human-factors people,” says Douglas Maughan, head of cybersecurity research at the US Department of Homeland Security. That is changing fast. Maughan's agency and other US research funders have been increasing their spending on the human side of cybersecurity for the past five years or so. 

In February, as part of his fiscal-year 2017 budget request to Congress, US President Barack Obama proposed to spend more than $19 billion on federal cybersecurity funding, a 35% increase over the previous year, and included a research and development plan that, for the first time, makes human-factors research an explicit priority. The same sort of thinking is taking root in other countries. In the United Kingdom, Sasse's institute has a multiyear, £3.8-million (US$5.5-million) grant from the

Work from the social sciences is providing an unprecedented view of how cyber-criminals organise their businesses, as well as better ways to help users to choose an uncrackable yet memorable password.

The fixes are not easy, says Sasse, but they're not impossible. “We've actually got good science on what does and doesn't work in changing habits,” she says. “Applying those ideas to cyber-security is the frontier.”

Nature

You Might Also Read:

CIOs Defend Against Cybersecurity Threats Using Behavioral Analytics:
 

« Machine Learning Algorithms & Police Decision-Making
Tesco Bank Fined £16.4m For Exposing Customers »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Thycotic

Thycotic

Thycotic prevents cyber attacks by securing passwords, protecting endpoints and controlling application access.

Actiphy

Actiphy

Actiphy provides a tried and proven backup and disaster recovery software solution to ensure business continuity at all times.

TUV Sud

TUV Sud

TÜV SÜD is a leading technical service organisation. We specialize in testing, certification, auditing, training, and advisory services for different industries.

Independent Security Evaluators (ISE)

Independent Security Evaluators (ISE)

ISE is an independent security consulting firm headquartered in Baltimore, Maryland dedicated to securing high value assets for global enterprises and performing groundbreaking security research.

Modux

Modux

Modux focus on a number of core competencies across cyber security including; cyber intelligence & analytics, penetration testing and training.

National Cyber Security Centre (NCSC) - Switzerland

National Cyber Security Centre (NCSC) - Switzerland

The National Cyber Security Centre is Swizerland's competence centre for cybersecurity and the first contact point for businesses, public administrations, and the public for cyber issues.

e-Crime Bureau

e-Crime Bureau

e-Crime Bureau is a specialized company offering cyber/computer forensics, cyber security consulting services, forensic audit and investigations services and training to clients across Africa.

Langner

Langner

Langner is a software and consulting firm specialized in cyber security for critical infrastructure and large-scale manufacturing.

Belle de Mai Incubator

Belle de Mai Incubator

Belle de Mai Incubator supports and funds innovative startup ideas in digital industries.

Vijilan Security

Vijilan Security

Vijilan provides 24/7 SOC services to MSPs/VARs. Our Security Operations Center is global, and our services are exclusive to the Channel.

SIXGEN

SIXGEN

SIXGEN provides incident response, operational and penetration testing, red teaming, tool development, cyber training development and continuous monitoring.

Plante Moran

Plante Moran

Plante Moran is a leading audit, tax, consulting, and wealth management firm. Areas of consulting expertise include cybersecurity.

Nuts Technologies

Nuts Technologies

Nuts Technologies are simplifying data privacy and encryption with our innovative and novel data containers we call nuts based on our Zero Trust Data framework.

risk3sixty

risk3sixty

Risk3sixty are information and cyber risk management craftsmen helping build business-first security and compliance programs.

inSOC

inSOC

inSOC is an enterprise-grade AI-driven SOCaaS solution detecting breaches 24/7 with vulnerability management built-in. Designed for MSPs and MSSPs.

Klarytee

Klarytee

Protect your data wherever it goes. Klarytee is a SaaS platform that builds security into sensitive content to enable granular control in AI, public cloud and SaaS.