SINGAPORE – Over the last 20 years, the digital security industry has focused on technological solutions to its complex problems. To level the battlefield, we have witnessed the birth of enterprises providing Security-as-a-Service, sophisticated threat-detection software, and advanced machine-learning products. Yet despite the myriad security products and services developed over the years, threats are only becoming more complex and more difficult to respond to effectively. Perhaps it is time for a strategic shift, one designed to give defenders a tactical advantage. The answer could be found in Behavioral Cyber Security.
Fig 1. Tripartite sociological-psychological-criminological foundation of the Behavioral Cyber Security model.
Behavioral Cyber Security (BCS) can be defined as a defender strategy built upon behavioral-science foundations and applied in cyber threat and security contexts. To better understand this concept, let us briefly explore its theoretical foundations.
Academics have been examining the implications of technology across various social-science disciplines. The theoretical underpinnings of BCS can be broadly supported by three core social-science disciplines: sociology, psychology, and criminology (see Fig 1).
Within sociology, we have Science and Technology Studies (STS) as a broad scholastic pursuit, examining technology's 'historical and contemporary production and their associated forms of knowledge, expertise, social organization and controversy'. Next, most digital solutions today are fundamentally designed as an extension of human intentions; thus we have Cyber Psychology, examining the behavioral dynamics underpinning mankind's interaction and communication with machines. Finally, Cyber Criminology examines the cyber-crime paradigm, addressing everything from anti-social behavior to hacktivism and terrorism. This discipline provides practitioners and policy-makers with highly contextualized information to support their securitization objectives. But how practical is BCS within contemporary contexts?
Almost all discussions about cyber today are technically focused, with social-policy considerations usually paid insufficient attention as a result of a technologists' bias plaguing the industry. However, we forget that digital technologies are but malleable tools of their users, and an extension of intentions governed by the human psyche. Mankind is instinctively lazy and reluctant to change, and this is evident throughout our socio-political history. In security (mainly military) contexts, attackers fundamentally stick to known strategies, upgrading only their tactical elements. Today, contemporary cyber security strategies primarily adopt a reactive stance, following a 'Detect, Contain, and Control' procedure, which is reflected in most information security products.
The practicality of BCS lies in its capability as a security amplifier.
First, understanding our cyber-sociology, whether at the national, organizational or personal level, can enable better deployment strategies. This allows security practitioners to be deployed effectively with minimal impediment to business expansion or progress, and supports the identification of possible attack vectors for penetration testing. Such mapping of our socio-cyber ecology is highly useful to organizations of all sizes, but especially to those possessing extensive Supervisory Control and Data Acquisition (SCADA) networks, as postulated by Rob Hayes, Deloitte's Director of ICS Cyber Security in the United Kingdom.
Moreover, understanding the psychological drivers guiding attackers is an approach already used today, in defensive honeypots and in (arguably underutilized) counter-intelligence strategies. By turning that same lens inward, on the organization's own people, two further objectives can be achieved. Technically, cyber security teams can develop better defense strategies by adding human context to the purely mathematical, 'data-driven' picture that technical security provides. Strategically, understanding psychological drivers can augment internet profiling with psychological intelligence to curb insider threats, and support the cultivation of security penetration testing that targets the human element.
Finally, as malicious cyber-activity is primarily conducted with criminal intent (e.g. data theft, mental harm), understanding cyber criminology not only assists the development of better security strategies, but also strengthens attribution procedures that enable legal responses. Criminological contextualization therefore further refines defensive strategies against specific malicious orientations.
Thus far, we have addressed the theory and practicality of the BCS model within contemporary cyber security contexts. However, why do enterprises need this now more than ever?
Why do Enterprises Need BCS
As mentioned earlier, enterprises constantly focus on the 'technical' when describing threats, vulnerabilities and solutions. This remains so despite the abundance of computer network exploitations that have been achieved through social engineering, i.e. through human vulnerability. Therefore, we often hear the following narratives: there is a cyber security skills gap; companies are not the only targets; multi-factor authentication makes cyber safer; machine-learning security is the future; et cetera. While all these narratives hold varying degrees of truth, most of the counter-arguments echo the social-theoretical foundations of the BCS model, which looks at the human element.
As mankind continues to create high-tech innovations dependent on a human-digital interface, enterprises do indeed need more employees with the technical skills to maintain and upgrade those systems. However, the social ramifications and the vulnerabilities that follow from them are brushed aside as pseudo-science or subsumed under the responsibility of Chief Information Security Officers (CISOs). Most CISOs are already choked with increasing regulatory compliance demands, a point reinforced by security expert Saumil Shah in his 'Seven Axioms of Security' keynote at Black Hat Asia 2017. While some corporations have Chief Compliance Officers (CCOs) to alleviate that load, most CISOs are still limited by funding. This potentially means restricted access to better security tooling or training that could be used to enhance enterprise defense. Understanding this, BCS provides a solution designed to amplify the effectiveness of existing solutions rather than add to the bill.
Integrating the BCS
BCS is a model. It is adaptive, and can be implemented in various forms in accordance with the demands and infrastructure of the user organization. For enterprises with the financial capability, the model can be realized as a standalone unit positioned between the cyber security team, human resources, and the business departments. Able to connect business intelligence with relevant threat intelligence, such a unit can enhance attribution accuracy for security or legal objectives. It should adopt an operating culture much like that of internal-affairs departments in law-enforcement or military organizations, combined with a proactive security approach.
The benefits do not end there. The intelligence generated by a BCS team can also be used to enhance marketing and internal management procedures, giving management and leadership a window through which to monitor employee performance while preventing insider threats.
Enterprises need to acknowledge that not everything can be solved through technical avenues. Communities of people, i.e. individuals with unique psychologies, can be leveraged and manipulated for malicious pursuits; social engineering built on exactly this is what initiates many a Cyber Kill Chain. Therefore, as enterprises seek to reduce their information-technology vulnerabilities through advanced technical solutions, they should also seek to reduce their human vulnerabilities through advanced socio-behavioral solutions.