How To Hack the Hackers: The Human Side Of Cybercrime

As cyber-attacks grow ever more sophisticated, those who defend against them are embracing behavioural science and economics to understand both the perpetrators and their victims. 

Say what you will about cyber-criminals, says Dr. Angela Sasse a psychologist and computer scientist at University College London who heads the Research Institute in Science of Cyber Security, “their victims rave about the customer service”. Sasse is talking about ransomware: an extortion scheme in which hackers encrypt the data on a user's computer, then demand money for the digital key to unlock them. 

Victims get detailed, easy-to-follow instructions for the payment process (all major credit cards accepted), and how to use the key. If they run into technical difficulties, there are 24/7 call centres.

“It's better support than they get from their own Internet service providers,” says Sasse. That, she adds, is today's cybersecurity challenge in a nutshell: “The attackers are so far ahead of the defenders, it worries me quite a lot.”

Long gone are the days when computer hacking was the domain of thrill-seeking teenagers and college students: since the mid-2000s, cyber-attacks have become dramatically more sophisticated.  Today, shadowy, state-sponsored groups launch exploits such as the 2014 hack of Sony Pictures Entertainment and the 2015 theft of millions of records from the US Office of Personnel Management, allegedly sponsored by North Korea and China, respectively. 'Hacktivist' groups such as Anonymous carry out ideologically driven attacks on high-profile terrorists and celebrities.  

A vast criminal underground traffics in everything from counterfeit Viagra to corporate espionage. By one estimate, cybercrime costs the global economy between US$375 billion and $575 billion each year. 

Increasingly, researchers and security experts are realising that they cannot meet this challenge just by building higher and stronger digital walls around everything. They have to look inside the walls, where human errors, such as choosing a weak password or clicking on a dodgy e-mail, are implicated in nearly one-quarter of all cybersecurity failures. They also have to look outwards, tracing the underground economy that supports the hackers and finding weak points that are vulnerable to counterattack.

“We've had too many computer scientists looking at cybersecurity, and not enough psychologists, economists and human-factors people,” says Douglas Maughan, head of cybersecurity research at the US Department of Homeland Security. That is changing fast. Maughan's agency and other US research funders have been increasing their spending on the human side of cybersecurity for the past five years or so. 

In February, as part of his fiscal-year 2017 budget request to Congress, US President Barack Obama proposed to spend more than $19 billion on federal cybersecurity funding, a 35% increase over the previous year, and included a research and development plan that, for the first time, makes human-factors research an explicit priority. The same sort of thinking is taking root in other countries. In the United Kingdom, Sasse's institute has a multiyear, £3.8-million (US$5.5-million) grant from the

Work from the social sciences is providing an unprecedented view of how cyber-criminals organise their businesses, as well as better ways to help users to choose an uncrackable yet memorable password.

The fixes are not easy, says Sasse, but they're not impossible. “We've actually got good science on what does and doesn't work in changing habits,” she says. “Applying those ideas to cyber-security is the frontier.”

Nature

You Might Also Read:

CIOs Defend Against Cybersecurity Threats Using Behavioral Analytics:
 

« Machine Learning Algorithms & Police Decision-Making
Tesco Bank Fined £16.4m For Exposing Customers »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

UCD Centre for Cybersecurity and Cybercrime Investigation

UCD Centre for Cybersecurity and Cybercrime Investigation

UCD Centre for Cybersecurity and Cybercrime Investigation is Europe's leading centre for research & education in cybersecurity, cybercrime and digital forensics.

RedTeam Security

RedTeam Security

RedTeam Security is a provider of Penetration Testing, Social Engineering, Red Teaming and Red Team Training services.

K&D Insurance Brokers

K&D Insurance Brokers

K&D provide insurance for all sectors of industry and commerce including cyber risk cover.

Nubo Software

Nubo Software

Nubo’s Virtual Mobile Infrastructure creates a virtual corporate device on your employee smartphones and tablets. Enable unlimited mobility without leaving any data at risk.

Nouveau

Nouveau

Nouveau Solutions is a specialist IT managed services company with a strategic focus on delivering cloud, infrastructure, compliance, network and security solutions.

Codeproof Technologies

Codeproof Technologies

The Codeproof enterprise mobility solution empowers your business to secure, deploy and manage mobile applications and data on smartphones, tablets, IoT devices and more.

Kippeo Technologies

Kippeo Technologies

Kippeo is a security systems integrator providing innovative solutions that look at all the parameters and connect all the dots.

ShardSecure

ShardSecure

ShardSecure Microshard technology eliminates data sensitivity, providing security, privacy and compliance beyond encryption.

Cyber Insurance Academy

Cyber Insurance Academy

Cyber Insurance Academy was founded to provide insurance professionals with the knowledge needed to work in cyber-insurance and cyber-related insurance fields.

PCS Security (PCSS)

PCS Security (PCSS)

PCS Security provides secure, reliable and state-of-the-art security solutions to help our customers address their security concerns.

Bosch Global Software Technologies (BGSW)

Bosch Global Software Technologies (BGSW)

Bosch Global Software Technologies offer an advanced innovation for AI security. The Bosch AIShield is the definite answer to safeguard your business against model extraction attacks.

Emtec

Emtec

Emtec’s cyber security team provides advisory, assessment, & managed security services that help you build the cyber security policies, toolsets & best practices to elevate your cyber security posture

MyCISO

MyCISO

MyCISO is the World’s first SaaS application that will vastly simplify security management for all.

ALSCO

ALSCO

ALSCO is dedicated to bringing first class IT services, technical support, and solutions to goverment, companies and organizations worldwide.

ZEUSS

ZEUSS

ZEUSS is a diversified data center, cybersecurity, and green energy company.

Netsurit

Netsurit

Managed IT, Cloud, and Security Services. Netsurit is Your IT Innovation and Digital Transformation Accelerator.