Here are some interesting news items or blogs, which caught my eye this week.

Note that listing an item here is NOT EQUIVALENT to an endorsement. In many cases, cited items may be controversial and/or may require discussion or further research.

That's all for this week! Have a great weekend!

Updated: Feb 22, 2020

by Ganna Pogrebna, Karen Renaud, and Boris Taratine



Why “One-Size-Fits-All” Cybersecurity Fails to Deliver


Significant financial and human resources are devoted to alleviating the negative consequences of cybercrime. Yet the prevention and forecasting techniques used by the overwhelming majority of individuals, organizations, and states fail, allowing adversaries to breach valuable targets. Why haven’t we yet found the antidote? One of the most important reasons for this is the mismatch between the methodological approaches of adversaries and defenders.


Why Cybercriminals Succeed


Adversaries have become increasingly sophisticated and successful in offering personalized “on demand” dis-services to their victims. They use modern marketing principles to target and execute their criminal intentions. Consider ransomware attacks. Adversaries use personalization and marketing techniques to profile potential victims, design spear-phishing campaigns to entice specific targets, demand ransoms commensurate with the victim’s financial status, and provide “customer support” to help victims pay the ransom.


Sophisticated Criminals Facing Outdated Prevention Mechanisms


Adversaries use sophisticated victim targeting techniques, including personalization and segmentation. Yet there is little evidence of similar techniques being used to develop cyber defence. We are still building higher and thicker walls, trying to apply the same “one-size-fits-all” tools. Current tools can be categorized as either technical solutions or social marketing, both approaches often justified by anecdotes rather than by hard evidence. Technical solutions are primarily targeted at enhancing resistance. In other words, build thicker walls and stronger gates with sophisticated locks. Cybercriminals are becoming progressively successful at avoiding the gates altogether or using social engineering to persuade an insider to open the gate and invite them in.

Many organizations conduct large-scale marketing campaigns to inform customers of potential cybersecurity risks. Everyone usually receives exactly the same information. Even though attempts have been made to develop segmentation frameworks for social marketing (e.g., Fine, 1980), early marketing literature (e.g., Bloom and Novelli, 1981) identified 3 major issues with using market segmentation for tackling social issues such as cybersecurity. They maintained that social marketers: (1) face pressure against segmentation, especially when it ignores certain segments (to avoid accusations of discrimination); (2) face difficulties identifying segments; (3) have to bear those negatively predisposed customers in mind (for example, people who are particularly reckless online should be targeted first). Recent advances in marketing and behavioural science allow us to use behavioural segmentation techniques to design multi-layered cybersecurity for smart cyber defence (technology-based systems) and preventive social marketing (human-based resilience).


Using Marketing Principles to Design Multi-layered Security Systems


Contemporary marketing systems are built on 4 principles: considerations of product (service), price (cost), place (location), and promotion (communication). Figure 1 shows how these marketing “4-P principles” could be applied to cybersecurity. For example, smart cyber defence can employ behavioural segmentation to profile cybercriminals and use the information about types to design multiple layers of a cybersecurity system (product); understand the business models of cybercriminals to learn how the cost of a cyberattack could be increased (price); consider the place and channel attacks are likely to target in order to position technical preventive tools (place); and learn how better to trap cybercriminals by using active cyber defence mechanisms (Cooper, 2016) (promotion). At the same time, preventive social marketing can use behavioural segmentation of organizational staff and consumers to develop targeted social marketing measures based on behavioural type vulnerabilities (product); design measures to reduce the potential cost of cybercrime by activating the measures most likely to make a difference (price); optimize the channel and information delivery time (place); and create targeted educational rather than prescriptive information campaigns (i.e. education vs. training) to increase individuals' ability to detect and prevent potential cyber attacks (promotion).



Figure 1: Cybersecurity Marketing


If you want to know more, see:


Bloom, P. N., & Novelli, W. D. (1981). Problems and challenges in social marketing. The Journal of Marketing, 79-88.


Cooper, P. (2016). Cognitive Active Cyber Defense: Finding Value through Hacking Human Nature. JL & Cyber Warfare, 5, 57.


Fine, S. H. (1980). Toward a theory of segmentation by objectives in social marketing. Journal of Consumer Research, 7(1), 1-13.


Updated: Dec 17, 2020

by Boris Taratine and Ganna Pogrebna



For many centuries, the progress of humanity was fostered by setting up important goals for the future. These goals reflected major challenges faced by humankind. In 2015, global leaders under the umbrella of the United Nations set up 17 goals to reach a “better” world by 2030. Each of the UN goals targets an important problem such as poverty, hunger, climate change, etc. Yet none of these goals target cyber spaces; they concentrate primarily on the physical world. This seems rather short-sighted, as humanity is facing a number of important challenges in digital spaces, and it is necessary to consider these challenges now to ensure that humanity advances in both the physical and digital domains in sync. We do not pretend to know all the questions, yet it would seem that a public debate on important digital goals is long overdue. Some of these goals could be: protection of digital human rights; better cybersecurity for all; prevention of digital inequality; harmonization of AI and human interactions; to name a few.

Such goal-setting is important not only at the global level, but also when zooming in on individual domains. Think of David Hilbert, who presented a set of important problems in mathematics at the International Congress of Mathematicians at the Sorbonne, Paris, in 1900. These problems outlined the roadmap for the development of mathematics for many years and continue to do so, as some of them still remain unresolved.




Major Cyber Security and Cyber Defence Problems


In the digital world, Cyber Security is among the important domains where such problem identification is necessary. While many organizations and outlets regularly review the trends in cyber security or discuss major cyber threats, fostering progress requires building sustainable cyber infrastructures through setting fundamental goals. We believe that there are 12 goals, informed by important problems, which can be partitioned into 4 clusters forming the ticking clock of fundamental future cyber security problems.



SYSTEMS PROBLEMS:


1. How to consistently define the security of a system and the methods to demonstrate it?

Defining system cyber security: While many definitions exist, coming up with a universal set of necessary and sufficient characteristics of what constitutes a secure system is a fundamental challenge of the future.

2. How to compare the relative security of two systems?

Comparing security levels: We know very little about how to conduct relative comparisons between several systems in terms of their cyber security, which is itself yet to be defined.

3. What is the relationship between the security of a system and its compliance to an arbitrarily chosen cyber security framework?

Separating security and compliance: Organizations make their systems compliant with various cyber security frameworks. Yet the number of cyber security breaches increases year by year, suggesting that compliance does not increase systems’ security.


DEFENCE PROBLEMS:


4. How to strengthen the security of a system without increasing strength of its adversary?

Increasing security without empowering adversaries: Advances in cyber security become known to cybercriminals almost immediately. Therefore, increased security often makes adversaries stronger. One of the main challenges is to find ways in which security can be achieved without raising adversarial competence. Maybe we are solving the wrong problem? Maybe instead of building "more secure" systems we should rather learn how to run insecure systems safely in hostile environments?

5. How to identify and prevent the adversary's code from running on shared hardware/environment?

Securing shared spaces: In a shared environment, the possibility of an adversary's code running is never zero, because the hardware has no moral imperative to tell “good” and “bad” apart, and the software that offers separation cannot be proven perfect. This leaves the question of the safety of shared environments open.

6. How to remotely tell apart the legitimate user of a remote system and an adversary who remotely controls the system when this system is compromised?

Remote identification of adversaries: Even the ever-popular so-called “zero-trust” approach neither considers this problem nor offers a reliable solution to it.


TECHNOLOGY PROBLEMS:


7. How to identify and eliminate the finite set of all bugs in arbitrary program code?

Efficient bug detection: Vulnerabilities may remain dormant for years, even in open source code. An exploitable vulnerability is a frequent cause of successful compromise. Eradicating the bugs would eradicate a large class of attacks.

8. How to compare the strength of two passwords against a non-brute force compromise?

Password efficiency: A random adversary facing a random user is unlikely to make a successful guess unless the password appears in a list of the most popular passwords. Finding the balance between password strength and its appropriateness for various environments is an important problem for the future, because a “something you know” factor will likely remain in use for a long time.

9. How to deconflict security and privacy?

Deconflicting security and privacy: Security is often achieved at the expense of privacy. Yet, is it really necessary to invade someone’s privacy to make the system or an environment safer? Understanding whether and what can offer a solution to this problem is a key question.
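Problem 8 above frames password strength against a non-brute-force adversary, i.e. one who guesses from a list of popular passwords rather than enumerating the key space. The following is an added illustration, not code from the original post or its authors: it ranks a password by the position at which such a list-driven adversary (trying each list entry plus a couple of common mangling rules, such as appended digits or a trailing "!") would reach it, and compares two passwords on that basis instead of on entropy. The popular-password list, the mangling rules and all function names are constructed for the example.

```python
# Added illustration (not from the original post): comparing two passwords
# against a popular-list adversary rather than a brute-force one.
import math
import re

# Constructed sample of "top popular passwords", most common first.
# A real deployment would use a large leaked-password corpus instead.
POPULAR_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "welcome",
    "iloveyou", "admin", "monkey", "dragon", "sunshine",
]


def _base_forms(pw: str) -> set:
    """Undo the mangling rules the modelled adversary applies to each list
    entry: case changes and a trailing run of digits and/or '!'."""
    lowered = pw.lower()
    forms = {lowered}
    stripped = re.sub(r"[0-9!]+$", "", lowered)
    if stripped:
        forms.add(stripped)
    return forms


def guess_rank(pw: str) -> float:
    """1-based position at which the popular-list adversary would guess pw,
    or math.inf if pw is not derived from any list entry under the modelled
    mangling rules (i.e. the adversary never reaches it)."""
    forms = _base_forms(pw)
    for rank, base in enumerate(POPULAR_PASSWORDS, start=1):
        if base in forms:
            return rank
    return math.inf


def compare_passwords(a: str, b: str) -> str:
    """Return 'a' or 'b' for the password guessed later (hence stronger in
    this model), or 'equal' if both are reached at the same rank."""
    ra, rb = guess_rank(a), guess_rank(b)
    if ra == rb:
        return "equal"
    return "a" if ra > rb else "b"


if __name__ == "__main__":
    # "Password123!" looks complex but is just "password" with mangling,
    # so the list adversary reaches it at rank 2; the passphrase is never reached.
    for pw in ("Password123!", "qwerty2020", "correcthorsebatterystaple"):
        print(f"{pw!r}: guess rank {guess_rank(pw)}")
    print(compare_passwords("Password123!", "correcthorsebatterystaple"))
```

The point the model makes is the one the paragraph does: a password that fails a character-class policy can still be stronger against this adversary than one that passes it, because the adversary's cost depends on list position, not on apparent complexity.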


BEHAVIOURAL PROBLEMS:


10. How to educate users to recognize, detect and avoid cyber security threats?

Quality cyber security education: Many cyber security measures concentrate on improving technology. Yet it is also necessary to improve human understanding of cyber threats and to educate people to deal with these threats more effectively.

11. How do we make sure that security systems are understood by all users?

Inclusive cyber security design: Cyber security measures are often not accessible to the average user because they are too complex. Providing simple and accurate explanations of sophisticated cyber rationales is necessary for building inclusive cyber security systems.

12. How to eradicate justification of the security measures by narrative fallacies?

Cyber fallacies eradication: Many arguments in cyber security are built on logical fallacies. For example, “zero trust” cyber security is built on the “never trust, always verify” principle, which is impossible in principle, because a security system ultimately needs to trust something or someone. Avoiding such contradictions is necessary to prevent flaws in system design.


We admit that we do not know all the answers; however, we believe some of these goals can be set and achieved in our lifetime through interdisciplinary collaboration and public debate.


In your opinion, what are the top 3 fundamental cyber security problems? Fill out our survey by clicking HERE. You do not have to agree with the problems listed above. Just tell us what you think!