Updated: Feb 22

by Ganna Pogrebna, Karen Renaud, and Boris Taratine

Why “One-Size-Fits-All” Cybersecurity Fails to Deliver

Significant financial and human resources are devoted to alleviating the negative consequences of cybercrime. Yet the prevention and forecasting techniques used by the overwhelming majority of individuals, organizations, and states fail, allowing adversaries to breach valuable targets. Why haven’t we yet found the antidote? One of the most important reasons for this is the mismatch between the methodological approaches of adversaries and defenders.

Why Cybercriminals Succeed

Adversaries have become increasingly sophisticated and successful in offering personalized “on demand” dis-services to their victims. They use modern marketing principles to target and execute their criminal intentions. Consider ransomware attacks. Adversaries use personalization and marketing techniques to profile potential victims, design spear-phishing campaigns to entice specific targets, demand ransoms commensurate with the victim’s financial status, and provide “customer support” to help victims pay the ransom.

Sophisticated Criminals Facing Outdated Prevention Mechanisms

Adversaries use sophisticated victim targeting techniques, including personalization and segmentation. Yet there is little evidence of similar techniques being used to develop cyber defence. We are still building higher and thicker walls, applying the same “one-size-fits-all” tools. Current tools can be categorized as either technical solutions or social marketing, and both approaches are often justified by anecdotes rather than by hard evidence. Technical solutions are primarily targeted at enhancing resistance: build thicker walls and stronger gates with sophisticated locks. Cybercriminals are becoming increasingly successful at avoiding the gates altogether, or at using social engineering to persuade an insider to open the gate and invite them in.

Many organizations conduct large-scale marketing campaigns to inform customers of potential cybersecurity risks. Everyone usually receives exactly the same information. Even though attempts have been made to develop segmentation frameworks for social marketing (e.g., Fine, 1980), early marketing literature (e.g., Bloom and Novelli, 1981) identified three major issues with using market segmentation to tackle social issues such as cybersecurity. Social marketers: (1) face pressure against segmentation, especially when it ignores certain segments (to avoid accusations of discrimination); (2) have difficulty identifying segments; and (3) must bear negatively predisposed customers in mind (for example, people who are particularly reckless online should be targeted first). Recent advances in marketing and behavioural science allow behavioural segmentation techniques to be used to design multi-layered cybersecurity: smart cyber defence (technology-based systems) and preventive social marketing (human-based resilience).

Using Marketing Principles to Design Multi-layered Security Systems

Contemporary marketing systems are built on four principles: product (service), price (cost), place (location), and promotion (communication). Figure 1 shows how these marketing “4-P principles” could be applied to cybersecurity. Smart cyber defence can employ behavioural segmentation to profile cybercriminals and use information about their types to design the multiple layers of a cybersecurity system (product); understand the business models of cybercriminals to learn how the cost of a cyberattack could be increased (price); consider the place and channel that attacks are likely to target in order to position technical preventive tools (place); and learn how better to trap cybercriminals using active cyber defence mechanisms (Cooper, 2016) (promotion). At the same time, preventive social marketing can use behavioural segmentation of organizational staff and consumers to develop targeted social marketing measures based on the vulnerabilities of each behavioural type (product); design measures that reduce the potential cost of cybercrime by activating those most likely to make a difference (price); optimize the channel and timing of information delivery (place); and create targeted educational rather than prescriptive information campaigns (i.e., education vs. training) to increase individuals’ ability to detect and prevent potential cyberattacks (promotion).

Figure 1: Cybersecurity Marketing

