
Interdisciplinary Approaches to Cyber Security for Organisations

Dr Jason R.C. Nurse
Asst. Prof. in Cybersecurity, School of Computing, University of
Visiting Academic in Cybersecurity
Visiting Fellow in Defence & Security

[email protected] | @jasonnurse

“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Robert Mueller, Former Director of the FBI

Jason R.C. Nurse | @jasonnurse

The uniqueness of cyber security and cyber risk

Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. Computers & Security, 38, pp.97-102.

Cyber criminals are thinking beyond technology

https://xkcd.com/538/

Tackling future cyber risk requires collaboration and engagement beyond ‘just’ technology as well…

Case 1: Insider threat
Case 2: Security awareness
Case 3: Cyber-harm

Case 1: Insider threat

Corporate insider threat

Framework for insider threat analysis, detection and prevention

Nurse et al. “Understanding insider threat: A framework for characterising attacks”. In IEEE Security and Privacy Workshops.

The ‘new’ cyber risk

• New technologies (e.g., smart devices, wearables, personal IoT) present several new ways to attack organisations, with insiders using smart tech:

• Discreet audio recording (e.g., in private meetings) & leaking that information
• Discreet video recording allowing password theft
• Raspberry Pi disguised and left to allow remote access

Nurse et al., “Smart Insiders: Exploring the Threat from Insiders using the Internet-of-Things”. In Workshop on Secure Internet of Things at ESORICS.

Case 2: Security Awareness

https://stopthinkconnect.org.ag/campaigns/details/?id=266

https://www.pinterest.co.uk/pin/502292164690414631

To change future security behaviour and create a security-aware culture, we need to *really* understand people.

• Combine several different approaches (training sessions, awareness material, supportive technologies, etc.)
• Be carefully planned and tailored to the organisation
• Use simple, consistent rules of security behaviour that people can follow
• Use engaging and appropriate materials
• Arrange multiple training exercises – option of offering general training and specific sessions
• Assess/measure/refine the awareness programmes

https://www.instituteforgovernment.org.uk/sites/default/files/publications/MINDSPACE.pdf

Bada et al. “Cyber Security Awareness Campaigns: Why do they fail to change behaviour?” In CSSS Conference.

Approaches to cyber risk constantly need to be updated and refined based on the environment and context

In our study, we found that training people to listen to the padlock only has meant that cybercriminals now know exactly how to deceive people.

Iuga, et al. “Baiting the hook: factors impacting susceptibility to phishing attacks”. Human-centric Computing and Information Sciences, 6(1), pp.1-20.

Case 3: Cyber-harm

Cyber attacks have a much larger impact than many companies realise, and this impact is often not considered in risk assessments

Deloitte. Beneath the surface of a cyberattack: A deeper look at business impacts

Cyber-harm

Cyber harm can be used to emphasise the wider spectrum of harms that can result from a cyber-attack.

Organisational cyber harms, by category:

Physical / Digital: Damaged or unavailable; Disrupted; Destroyed; Theft; Compromised (e.g., open to access that is unauthorised); Infected; Exposed/leaked; Corrupted; …

Economic: Disrupted operations; Reduced sales/turnover; Reduced customers; Reduced profits; Reduced growth; Reduced investments; Fall in stock price; …

Psychological: Confusion; Discomfort; Frustration; Worry/anxiety; Feeling upset; Depressed; Embarrassed; …

Reputational: Damaged public perception; Reduced corporate goodwill; Damaged relationship with customers; Damaged relationship with suppliers; Reduced business opportunities; Inability to recruit desired staff; Media scrutiny; …

Social / Societal: Negative changes in public perception (e.g., of technology); Disruption in daily life activities; Negative impact on nation (e.g., services, economy); Drop in internal organisation morale; Damage to corporate culture; …

Agrafiotis et al. “A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate.” Journal of Cybersecurity.

Modelling cyber-harms resulting from the BA data breach in 2018

[Figure: harms plotted against time, for the organisation and for its customers]

Organisation: Exposed/leaked; Confusion; Disrupted operations; Investigation costs; Damaged relationship with customers; Media scrutiny; Damaged public perception; Regulatory fines; Fall in stock price (twice); …

Customers: Confusion; Disruption in daily life activities; Feeling upset; Worry/anxiety; Identity theft?; …

Agrafiotis et al. “A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate.” Journal of Cybersecurity.

To tackle future cyber risk, an inter-disciplinary approach is required…

Education and awareness, Finance, Computer Science, International relations, Sociology, Enterprise, War studies, Psychology, Operations Management, Criminology, Business, Economics, Psychological profiling, Visual analytics, Organisational culture, Data science

Dr Jason R.C. Nurse

[email protected] | @jasonnurse