Shujun Li

The root of the Addressing Cybersecurity and Cybercrime via a co-Evolutionary aPproach to reducing human-relaTed risks (ACCEPT) project, says its leader, Shujun Li (Surrey and Kent), is that while research has found that personalisation and contextualisation are crucial elements in many digital systems involving human users, not enough has been done to include them in cyber security applications, especially those promoting awareness.

Take, for example, password advice. People are constantly told what kind of passwords they should or should not choose, but these instructions rarely take context into account and are often too abstract to be actionable. In many cases, complicated password policies even make the advice irrelevant. Yes, you want a strong, unique password for your bank account, but the same does not apply for a news site that requires you to create an account just to read a few articles. More seriously, the victims of work-at-home scams have a problem that can’t be solved just by changing their password to one that’s more robust. Instead, their problem is that they’ve been lured into committing illegal acts without their understanding, and they may wind up in prison as co-conspirators. A yet different context applies to operational staff in the control room of a nuclear power plant, where a password is often used in tandem with other authentication mechanisms such as biometrics and hardware tokens. In the last example, because the consequences of any attacks may be disastrous, the security of the whole system cannot be guaranteed with just a password, no matter how carefully staff follow guidelines in creating it.

“To us, the solution is as simple as bringing humans back into the whole picture,” says Li. “We need to have a human-centric approach, and do it constantly and consistently. Watching what they do and providing timely feedback can create a virtuous circle that both encourages them to behave in desirable ways and helps the rest of us understand better what the criminals are doing with the people they target. Better reporting about the problems they encounter also helps us gather data to provide personalised feedback through profiling, data mining, and machine learning.” The goal, Li says, is to be able to find solutions that can be adapted to different groups of people (personalisation) and different types of problems (contextualisation) in cyber security and cybercrime. In social science, delivering this kind of targeted message is often called a “segmented approach”; law enforcement – notably Neighbourhood Watch and the Home Office – has adopted it for fighting both physical-world and cyber crime.

It seems obvious to say that one security message cannot possibly fit all – children and old people, men and women, of all levels of education, and with all attitudes toward privacy. “We need different ways of encouraging and engaging. Even small differences in wording may matter a lot.”

The ACCEPT project intends to support this personalisation and contextualisation by combining knowledge drawn from social sciences (criminology, psychology, business), engineering, and physical sciences (computer science, security engineering) to create a theoretical socio-technical framework and a set of software tools. The framework and tools are intended to help organisations both to personalise and contextualise communications and provide feedback to users in a more human-centric manner. They will draw on both our understanding of human behaviour – how criminals target victims and why victims fall prey to scams – and emerging ICT technologies such as machine learning and mobile computing. Creating this framework, Li hopes, will make it possible to improve upon current cyber security awareness campaigns to better engage people and influence them more effectively in a positive direction. In what remains of 2017, ACCEPT will conduct a number of workshops, interviews, and other user studies to gain feedback on the nascent framework and its application to real-world scenarios from police forces and other stakeholders, as well as the general public.

This work was partly inspired by a white paper written as part of the first phase of RISCS in collaboration with Hewlett Packard Enterprise, Awareness Is Only the First Step: A Framework for Progressive Engagement of Staff in Cyber Security (PDF). This paper, which studied methods for raising awareness of cyber security among an organisation’s staff, made the point that awareness training can’t just be done once. To be effective, it has to be a continuous campaign so that security-aware behaviour becomes a habit. It’s this stage – habit – that Li would like the broader public to attain: “Our approach is to make it to the level of just being part of life.”

One of the tools the project hopes to create is a digital platform that would allow individuals to share data about their behaviour with trusted organisations they select. In return, the organisations would provide helpful information regarding cyber security and cybercrime, creating a feedback loop that would both habituate good behaviour, as above, and give communities and organisations a better understanding of what is happening in the real world.

“We understand it’s very ambitious,” says Li, “but we want to create preliminary evidence facilitated by a number of technologies that actually help people to be more willing to share information and make them feel safer.”

The project intends to investigate two use cases to make the research more focused (contextualised). One is “traditional” cybercrimes such as work-at-home scams, in which people are promised commission fees for transferring money (“money mules”) or reshipping online purchases (“reshipping mules”) abroad. The people who are recruited for these “jobs” may not really understand what the job is or what the potential consequences are for either themselves or the people whose money is being stolen. The 2015 paper Drops for Stuff: An Analysis of Reshipping Mule Scams (PDF) suggested that some criminals who recruited reshipping mules seemed to cease communicating around the time the first monthly payments are due. If this hypothesis, which was purely data-driven, can be verified through software tools that engage directly with reshipping mules, it can be used to warn future potential victims so that they will not fall into the trap.

“Many of those people are not clear about those consequences and can’t evaluate them,” Li says, noting that one of that paper’s authors, Gianluca Stringhini, is a member of the ACCEPT project team. Like this paper, much other similar research work has been data-driven, but Li hopes that by adding human behaviour and user opinions collected via software tools the project will be able to “fill the gap of what is happening in the real world”, understand why criminals are successful, and how we can help potential victims and law enforcement to outwit criminals.

“If we can engage money mules, whether in the process of looking for jobs or already recruited to work at home, we can actually push more meaningful messages to them,” Li says. “For instance, if we know they are likely already working as money mules we can show them the consequences to victims of what they do, which could lead to an empathy effect so that some of them stop cooperating with the criminals or even decide to cooperate with law enforcement to track down the criminals. We can also show them the legal risk attached to being accomplices in order to persuade them to stop if they know they are working for criminals. Legal messages like these must be context-dependent, since the laws regarding money mules differ from one jurisdiction to another.”

The project wants the second use case to reflect the most likely future as the Internet of Things is being more and more widely deployed: hybrid cyber-physical crimes and the much more difficult problems they will cause. The group is particularly interested in transport, an area in which the project’s partner TRL, a transport research company, has a lot of expertise.

“We know much less for this part,” Li says. There is already a good deal of coverage of car hacking and ongoing work studying the potential for cyber attacks on infrastructure such as the railways and energy systems. For ACCEPT, infrastructure is a very different challenge to think about. First, employees become the main source of human-related risks. As a user group, employees are vastly different from citizens; there are greater opportunities for monitoring within an organisation since many employment contracts already allow it for security and safety reasons. Second, many forms of cyber-physical crimes are so new that even law enforcement lacks sufficient information, and the technologies are evolving so quickly. The project will treat this use case as more speculative, focusing on what will happen in the future and what we can do now.

Wendy M. Grossman

Freelance writer specializing in computers, freedom, and privacy. For RISCS, I write blog posts and meeting and talk summaries.