Social Engineering in Cyber Security at Work

This is what I do as a Social Engineer! How to Hack the Hackers: The Human Side of Cyber Crime #science

How to Hack the Hackers: The Human Side of Cyber Crime

As cyber attacks grow ever more sophisticated, those who defend against them are embracing behavioral science and economics to understand both the perpetrators and their victims.
By M. Mitchell Waldrop, Nature magazine, May 12, 2016

Say what you will about cyber criminals, says Angela Sasse, “their victims rave about the customer service”.

Sasse is talking about ransomware: an extortion scheme in which hackers encrypt the data on a user’s computer, then demand money for the digital key needed to unlock it. Victims get detailed, easy-to-follow instructions for the payment process (all major credit cards accepted) and for using the key. If they run into technical difficulties, there are 24/7 call centers.

“It’s better support than they get from their own Internet service providers,” says Sasse, a psychologist and computer scientist at University College London who heads the Research Institute in Science of Cyber Security. That, she adds, is today’s cyber security challenge in a nutshell: “The attackers are so far ahead of the defenders, it worries me quite a lot.”

Long gone are the days when computer hacking was the domain of thrill-seeking teenagers and college students: since the mid-2000s, cyber attacks have become dramatically more sophisticated. Today, shadowy, state-sponsored groups carry out attacks such as the 2014 hack of Sony Pictures Entertainment and the 2015 theft of millions of records from the US Office of Personnel Management, allegedly sponsored by North Korea and China, respectively. ‘Hacktivist’ groups such as Anonymous carry out ideologically driven attacks on high-profile terrorists and celebrities. And a vast criminal underground traffics in everything from counterfeit Viagra to corporate espionage. By one estimate, cyber crime costs the global economy between US$375 billion and $575 billion each year.

Increasingly, researchers and security experts are realizing that they cannot meet this challenge just by building higher and stronger digital walls around everything. They have to look inside the walls, where human errors, such as choosing a weak password or clicking on a dodgy e-mail, are implicated in nearly one-quarter of all cyber security failures. They also have to look outwards, tracing the underground economy that supports the hackers and finding weak points that are vulnerable to counterattack.

“We’ve had too many computer scientists looking at cyber security, and not enough psychologists, economists and human-factors people,” says Douglas Maughan, head of cyber security research at the US Department of Homeland Security.

That is changing—fast. Maughan’s agency and other US research funders have been increasing their spending on the human side of cyber security for the past five years or so. In February, as part of his fiscal-year 2017 budget request to Congress, US President Barack Obama proposed to spend more than $19 billion on federal cyber security funding—a 35% increase over the previous year—and included a research and development plan that, for the first time, makes human-factors research an explicit priority.

The same sort of thinking is taking root in other countries. In the United Kingdom, Sasse’s institute has a multiyear, £3.8-million (US$5.5-million) grant from the UK government to study cyber security in businesses, governments and other organizations. Work from the social sciences is providing an unprecedented view of how cyber criminals organize their businesses, as well as better ways to help users choose a password that is hard to crack yet easy to remember.

The fixes are not easy, says Sasse, but they’re not impossible. “We’ve actually got good science on what does and doesn’t work in changing habits,” she says. “Applying those ideas to cyber security is the frontier.”