Abstract
The focus on cyber security as an interaction between technical elements and humans has typically confined consideration of the latter to practical issues of implementation, conventionally those of ‘human performance factors’ of vigilance etc., ‘raising awareness’ and/or ‘incentivization’ of people and organizations to participate and adapt their behavior. But this is far too narrow a view that seriously constrains the ability of cyber security as a whole to adapt and evolve to keep up with adaptive, innovative attackers in a rapidly-changing technological, business and social landscape, in which personal preferences of users are also dynamically evolving.
While there is isolated research across different research areas, we noticed the lack of a holistic framework combining a range of applicable theoretical concepts (e.g., cultural co-evolution such as technological arms races, opportunity management, behavioral and business models) and technological solutions on reducing human-related risks in the cyber security and cybercrime ecosystems, which involve multiple groups of human actors including offenders, victims, preventers and promoters. This paper reports our ongoing work in developing such a socio-technical framework (1) to allow a more comprehensive understanding of human-related risks within cyber security and cybercrime ecosystems and (2) to support the design of more effective approaches to engaging individuals and organizations in the reduction of such risks. We are in the process of instantiating this framework to encourage behavioral changes in two use cases that capture diverse and complicated socio-technical interactions in cyber-physical systems.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
- 2.
This is less straightforward for victim and promoter roles, as both could develop into preventers or even offenders.
References
Operando. https://www.operando.eu/. Accessed 26 Apr 2019
PlusPrivacy. https://plusprivacy.com/. Accessed 26 Apr 2019
Privacy Flag. https://privacyflag.eu/. Accessed 26 Apr 2019
SPECIAL. https://www.specialprivacy.eu/. Accessed 26 Apr 2019
Ablon, L., Libicki, M.C., Golay, A.A.: Markets for cybercrime tools and stolen data: Hackers’ bazaar. Technical report, RAND Corporation (2014). https://www.rand.org/pubs/research_reports/RR610.html
Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999). https://doi.org/10.1145/322796.322806
Beautement, A., Becker, I., Parkin, S., Krol, K., Sasse, M.A.: Productive security: a scalable methodology for analysing employee security behaviours. In: Proceedings of 12th Symposium on Usable Privacy and Security. USENIX Association (2016). https://www.usenix.org/conference/soups2016/technical-sessions/presentation/beautement
Behdad, M., Barone, L., Bennamoun, M., French, T.: Nature-inspired techniques in the context of fraud detection. IEEE Trans. Syst. Man Cybern. Part C Appl. Rev. 42(6), 1273–1290 (2012). https://doi.org/10.1109/TSMCC.2012.2215851
Bernasco, W.: Foraging strategies of homo criminalis: lessons from behavioral ecology. Crime Patterns Anal. 2(1), 5–16 (2009)
Bichler, G., Bush, S., Malm, A.: Regulatory foresight: estimating policy effects on transnational illicit markets. Contemp. Crim. Justice 31(3), 297–318 (2015). https://doi.org/10.1177/1043986215575138
Bold, K.: Inspired by nature, researcher develops new cyber security techniques (2014). https://phys.org/news/2014-05-nature-cyber-techniques.html
Clarke, R.V.: Seven misconceptions of situational crime prevention. In: Handbook of Crime Prevention and Community Safety, pp. 39–70. Routledge (2013)
Collins, B.S., Mansell, R.: Cyber trust and crime prevention: a synthesis of the state-of-the-art science reviews. Technical report, Office of Science and Technology, UK (2004). http://eprints.lse.ac.uk/4252/
Demertzis, K., Iliadis, L.: A bio-inspired hybrid artificial intelligence framework for cyber security. In: Daras, N.J., Rassias, M.T. (eds.) Computation, Cryptography, and Network Security, pp. 161–193. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-18275-9_7
Dykstra, J.A., Orr, S.R.: Acting in the unknown: the Cynefin framework for managing cybersecurity risk in dynamic decision making. In: Proceedings of 2016 International Conference on Cyber Conflict, pp. 1–6. IEEE (2016). https://doi.org/10.1109/CYCONUS.2016.7836616
Ehrlich, P.R., Raven, P.H.: Butterflies and plants: a study in coevolution. Evolution 18(4), 586–608 (1964). https://doi.org/10.1111/j.1558-5646.1964.tb01674.x
Ekblom, P.: Crime Prevention, Security and Community Safety Using the 5IS Framework. Springer, London (2010). https://doi.org/10.1057/9780230298996
Ekblom, P.: Terrorism: lessons from natural and human co-evolutionary arms races. In: Evolutionary Psychology and Terrorism, pp. 82–113. Routledge (2015)
Ekblom, P.: Crime, situational prevention and technology: the nature of opportunity and how it evolves. In: The Routledge Handbook of Technology, Crime and Justice, pp. 379–400. Routledge (2017)
Ekblom, P.J.: Conjunction of criminal opportunity theory. Encycl. Victimology Crime Prev. (2010). https://doi.org/10.1057/9780230298996
Evans, M., He, Y., Maglaras, L., Janicke, H.: HEART-IS: a novel technique for evaluating human error-related information security incidents. Comput. Secur. 80, 74–89 (2019). https://doi.org/10.1016/j.cose.2018.09.002
Freilich, J.D., Newman, G.R.: Situational Crime Prevention, vol. 1. Oxford University Press(2017). https://doi.org/10.1093/acrefore/9780190264079.013.3
Ganin, A.A., et al.: Multicriteria decision framework for cybersecurity risk assessment and management. Risk Anal. (2017). https://doi.org/10.1111/risa.12891
Grace, P., Surridge, M.: Towards a model of user-centered privacy preservation. In: Proceedings of 12th International Conference on Availability, Reliability and Security, p. 91. ACM (2017). https://doi.org/10.1145/3098954.3104054
Heartfield, R., Loukas, G.: Detecting semantic social engineering attacks with the weakest link: implementation and empirical evaluation of a human-as-a-security-sensor framework. Comput. Secur. 76, 101–127 (2018). https://doi.org/10.1016/j.cose.2018.02.020
Jablonka, E., Lamb, M.J.: Evolution in Four Dimensions, Revised Edition: Genetic, Epigenetic, Behavioral, and Symbolic Variation in the History of Life. MIT Press, Cambridge (2014)
Johnson, S.D., Ekblom, P., Laycock, G., Frith, M.J., Sombatruang, N., Valdez, E.R.: Future crime. In: Routledge Handbook of Crime Science, Chapter 30. Palgrave Macmillan, London (2018)
Joinson, A., van Steen, T.: Human aspects of cyber security: behaviour or culture change? Cyber Secur. Peer Rev. J. 1(4), 351–360 (2018)
Kelly, R.: Almost 90% of cyber attacks are caused by human error or behavior (2017). https://chiefexecutive.net/almost-90-cyber-attacks-caused-human-error-behavior/
Kraemer, S., Carayon, P., Clem, J.: Human and organizational factors in computer and information security: pathways to vulnerabilities. Comput. Secur. 28(7), 509–520 (2009). https://doi.org/10.1016/J.COSE.2009.04.006
Laland, K.N.: Darwin’s Unfinished Symphony: How Culture Made the Human Mind. Princeton University Press, Princeton (2017)
Lee, C., Iesiev, A., Usher, M., Harz, D., McMillen, D.: IBM X-force threat intelligence index 2019. Technical report, IBM security (2019). https://www.ibm.com/downloads/cas/ZGB3ERYD
Liginlal, D., Sim, I., Khansa, L.: How significant is human error as a cause of privacy breaches? An empirical study and a framework for error management. Comput. Secur. 28(3–4), 215–228 (2009). https://doi.org/10.1016/j.cose.2008.11.003
Magliocca, N.R., et al.: Modeling cocaine traffickers and counterdrug interdiction forces as a complex adaptive system. Proc. Natl. Acad. Sci. 116(16), 7784–7792 (2019). https://doi.org/10.1073/pnas.1812459116
McGuire, M.: Hypercrime: The New Geometry of Harm. Routledge-Cavendish, London (2007)
McGuire, M.: Technology crime and technology control: contexts and history. In: The Routledge Handbook of Technology, Crime and Justice. Palgrave Macmillan, London (2016)
Newman, G.R., Clarke, R.: Superhighway Robbery: Preventing E-commerce Crime. Willan, Portland (2003)
Quan-Haase, A., Wellman, B.: Local virtuality in an organization: implications for community of practice. In: Van Den Besselaar, P., De Michelis, G., Preece, J., Simone, C. (eds.) Communities and Technologies 2005, pp. 215–238. Springer, Dordrecht (2005). https://doi.org/10.1007/1-4020-3591-8_12
Raschke, P., Küpper, A., Drozd, O., Kirrane, S.: Designing a GDPR-compliant and usable privacy dashboard. In: Hansen, M., Kosta, E., Nai-Fovino, I., Fischer-Hübner, S. (eds.) Privacy and Identity 2017. IAICT, vol. 526, pp. 221–236. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-92925-5_14
Robol, M., Salnitri, M., Giorgini, P.: Toward GDPR-compliant socio-technical systems: modeling language and reasoning framework. In: Poels, G., Gailly, F., Serral Asensio, E., Snoeck, M. (eds.) PoEM 2017. LNBIP, vol. 305, pp. 236–250. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70241-4_16
Rush, G., Tauritz, D.R., Kent, A.D.: Coevolutionary agent-based network defense lightweight event system (CANDLES). In: Proceedings of the Companion Publication of the 2015 Annual Conference on Genetic and Evolutionary Computation, pp. 859–866. ACM (2015). https://doi.org/10.1145/2739482.2768429
Sasse, M.A., Brostoff, S., Weirich, D.: Transforming the ‘weakest link’ - a human/computer interaction approach to usable and effective security. BT Technol. J. 19(3), 122–131 (2001). https://doi.org/10.1023/A:1011902718709
Wortley, R.: Affordance and situational crime prevention: implications for counter terrorism. In: Terrorism and Affordance: New Directions in Terrorism Studies, Chapter 2, pp. 17–32. Bloomsbury Publishing (2012). https://doi.org/10.5040/9781501301155.ch-002
Acknowledgments
This work was supported by the research project, “ACCEPT: Addressing Cybersecurity and Cybercrime via a co-Evolutionary aPproach to reducing human-relaTed risks” (http://accept.cyber.kent.ac.uk/), funded by the EPSRC (Engineering and Physical Sciences Research Council) in the UK, under grant number EP/P011896/1 and EP/P011896/2.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Islam, T. et al. (2019). A Socio-Technical and Co-evolutionary Framework for Reducing Human-Related Risks in Cyber Security and Cybercrime Ecosystems. In: Wang, G., Bhuiyan, M.Z.A., De Capitani di Vimercati, S., Ren, Y. (eds) Dependability in Sensor, Cloud, and Big Data Systems and Applications. DependSys 2019. Communications in Computer and Information Science, vol 1123. Springer, Singapore. https://doi.org/10.1007/978-981-15-1304-6_22
Download citation
DOI: https://doi.org/10.1007/978-981-15-1304-6_22
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-1303-9
Online ISBN: 978-981-15-1304-6
eBook Packages: Computer ScienceComputer Science (R0)