How To Hack the Hackers: The Human Side Of Cybercrime

As cyber-attacks grow ever more sophisticated, those who defend against them are embracing behavioural science and economics to understand both the perpetrators and their victims. 

Say what you will about cyber-criminals, says Dr. Angela Sasse a psychologist and computer scientist at University College London who heads the Research Institute in Science of Cyber Security, “their victims rave about the customer service”. Sasse is talking about ransomware: an extortion scheme in which hackers encrypt the data on a user's computer, then demand money for the digital key to unlock them. 

Victims get detailed, easy-to-follow instructions for the payment process (all major credit cards accepted), and how to use the key. If they run into technical difficulties, there are 24/7 call centres.

“It's better support than they get from their own Internet service providers,” says Sasse. That, she adds, is today's cybersecurity challenge in a nutshell: “The attackers are so far ahead of the defenders, it worries me quite a lot.”

Long gone are the days when computer hacking was the domain of thrill-seeking teenagers and college students: since the mid-2000s, cyber-attacks have become dramatically more sophisticated.  Today, shadowy, state-sponsored groups launch exploits such as the 2014 hack of Sony Pictures Entertainment and the 2015 theft of millions of records from the US Office of Personnel Management, allegedly sponsored by North Korea and China, respectively. 'Hacktivist' groups such as Anonymous carry out ideologically driven attacks on high-profile terrorists and celebrities.  

A vast criminal underground traffics in everything from counterfeit Viagra to corporate espionage. By one estimate, cybercrime costs the global economy between US$375 billion and $575 billion each year. 

Increasingly, researchers and security experts are realising that they cannot meet this challenge just by building higher and stronger digital walls around everything. They have to look inside the walls, where human errors, such as choosing a weak password or clicking on a dodgy e-mail, are implicated in nearly one-quarter of all cybersecurity failures. They also have to look outwards, tracing the underground economy that supports the hackers and finding weak points that are vulnerable to counterattack.

“We've had too many computer scientists looking at cybersecurity, and not enough psychologists, economists and human-factors people,” says Douglas Maughan, head of cybersecurity research at the US Department of Homeland Security. That is changing fast. Maughan's agency and other US research funders have been increasing their spending on the human side of cybersecurity for the past five years or so. 

In February, as part of his fiscal-year 2017 budget request to Congress, US President Barack Obama proposed to spend more than $19 billion on federal cybersecurity funding, a 35% increase over the previous year, and included a research and development plan that, for the first time, makes human-factors research an explicit priority. The same sort of thinking is taking root in other countries. In the United Kingdom, Sasse's institute has a multiyear, £3.8-million (US$5.5-million) grant from the

Work from the social sciences is providing an unprecedented view of how cyber-criminals organise their businesses, as well as better ways to help users to choose an uncrackable yet memorable password.

The fixes are not easy, says Sasse, but they're not impossible. “We've actually got good science on what does and doesn't work in changing habits,” she says. “Applying those ideas to cyber-security is the frontier.”

Nature

You Might Also Read:

CIOs Defend Against Cybersecurity Threats Using Behavioral Analytics:
 

« Machine Learning Algorithms & Police Decision-Making
Tesco Bank Fined £16.4m For Exposing Customers »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

PlaxidityX

PlaxidityX

PlaxidityX (formerly Argus Cyber Security) is a global leader in mobility cyber security, provides DevSecOps, vehicle protection and fleet protection technologies and services.

Netsparker

Netsparker

Netsparker provide a web application security scanner to automatically find security flaws in your websites, web applications and web services.

2Secure

2Secure

2Secure is one of Sweden's largest private security companies. Service inlcude personal security, corporate security, information and cyber security.

7Safe

7Safe

7Safe has been delivering hands-on digital security training courses since 2001 and offer e a portfolio of university and industry-accredited courses.

Massive Alliance

Massive Alliance

Massive is a global service agency providing internet monitoring, data & security threat surveillance and reputation management.

NowSecure

NowSecure

NowSecure are the experts in mobile app security testing software and services.

Rafael

Rafael

Rafael has more than 15 years of proven experience in the cyber arena providing solutions for national security as well as commercial applications.

Signifyd

Signifyd

Signifyd is the world's largest provider of Guaranteed e-Commerce Fraud Protection.

Assured Enterprises

Assured Enterprises

Assured Enterprises provides comprehensive cyber risk identification, management and mitigation across all platforms.

VIPRE Security Group

VIPRE Security Group

VIPRE Security Group is an award-winning global cybersecurity, privacy and data protection company.

S4x Events

S4x Events

S4x are the most advanced and largest ICS cyber security events in the world.

3wSecurity

3wSecurity

3wSecurity provides visibility to your company’s internet facing systems throughout the security life cycle, allowing for a more thorough approach to vulnerability management.

Content+Cloud

Content+Cloud

Content+Cloud is a leading technology services business and Managed Services Provider (MSP) with a genuine passion for helping your organisation to succeed, whatever your ambitions.

Xmirror Security

Xmirror Security

Xmirror Security focuses on integrated detection and defense of the continuous threat to the DevSecops software supply-chain with artificial intelligence technology as the core.

Pillr

Pillr

Pillr is a cybersecurity operations platform capable of adapting to the demands of your business and team — and the global threat landscape.

Ronet Cyber Security

Ronet Cyber Security

Ronet Cyber Security offers crypto forensics services for regulators, law enforcement, companies and individuals to ensure that your transactions are safe and secure.