[BreachExchange] Don’t Forget Victimology as a Cybersecurity Strategy
Destry Winant
destry at riskbasedsecurity.com
Tue Aug 7 21:23:46 EDT 2018
https://www.secureworks.com/blog/dont-forget-victimology-as-a-cybersecurity-strategy
As cybersecurity professionals overwhelmed with compliance
requirements, regulations, and a multitude of tradecraft frameworks,
we sometimes lose focus on what we really are at our roots. We are
cybercrime fighters. We move through our day as cybersecurity leaders
defending our organization's employee data, customer data, and trade
secrets from cybercriminals. As such, we must focus on our adversaries
just as much as we focus on the people, processes, and technology used
to defeat them. This is an all-too-often overlooked element of
effective cybersecurity and when used correctly, this – along with
aligning sound cybersecurity principles with the business goals of our
organizations in a risk-based approach – can help an organization
achieve cybersecurity efficacy.
Aligning cybersecurity practices to criminological and criminal
justice principles is frequently overlooked in the cybersecurity
industry because we tend to focus on IT fundamentals. In actuality,
when technology is being used to facilitate a crime or the technology
itself is the target of a crime – this is the very definition of
cybercrime. Integrating criminological and criminal justice principles
into a cybersecurity program helps to achieve effective cybercrime
protection thereby protecting the assets of an organization as well as
the personal and private data of its employees and consumers. Bottom
line – when we are talking about cybersecurity, we're often talking
about fighting crime, and one proven technique used in criminology is
the science of victimology.
Cyber Victimology – Protecting Individuals and Organizations
In criminology, the term victimology is described as studying victims
of crimes, the emotional and psychological effects of the crime, and
relationships between perpetrators and victims. Important to note here
is that studying the victim provides law enforcement investigators
insight into who likely committed the crime, why they committed the
crime, and the methods they use. This is no different in cybercrime.
In fact, Professor Jaishankar of the International Journal of Cyber
Criminology has a wealth of research specifically on this topic as
well as other specific cyber criminology topics. Professor Jaishankar
discusses phenomenon in cybercrime, which includes the overlap between
physical crime and online crime. He is a proponent of the new
cybercrime theory known as the Space Transition Theory, a theory that
proposes that people behave differently in cyberspace than they do in
the physical world. Cybercrime is no longer simply hacking and
attacking systems – it is an attack on people, their organizations,
and the people who make up those organizations. In Jaishankar's book
Cybercrime and Victimization of Women, the professor clarifies the
definition of cybercrime from the perspective of the victim. So how is
this perspective relevant to a business organization's cybersecurity
practice?
Just as an individual person has victimology-based characteristics, so
do organizations. An organization's business interests, political
action campaigns, vigilance level, protection abilities, and cyber
risk tolerance are just some of the characteristics that can determine
if an organization is more likely to be attacked, by whom, how, and
why. This can provide a cybersecurity leader actionable information
about how to best protect their organization and its executive
leadership from attacks. For example, an organization that performs
some type of excavation or resource mining may be a direct target for
an eco-terrorist group. A high profile CEO at an organization whose
business or political action campaigns do not resonate well with
certain hacktivist groups can personally be targeted for both physical
attacks as well as cyber-based attacks. Taking the time to establish
what an organization's victimology is can help a CISO and their team
parallel the right protections and determine what risk posture the
organization should assume. This places the business risk into
perspective for the Board of Directors. It adds likelihood and impact,
which are details that have influence in the boardroom.
Mapping Victimology to Cybersecurity Strategy
Organizations have leadership and each member of that leadership team
is a human being with traits of victimology. Along with the
leadership, the organization takes on its own unique victimology
profile as well. This profile is made up of its core business goals,
employee cybersecurity awareness, individual vigilance, organizational
awareness, organizational risk appetite and overall cybersecurity
protection efficacy. These characteristics make organizational cyber
victimology much more complex. The key task for CISOs is to understand
the victimological profile of both their organization and their
organization's leadership. Then the CISO must map these to the
specific cybersecurity program they build while identifying potential
adversaries, commonly used tactics, and the subsequent prioritized
protections that need to be put into place for the organization's
defense.
This is a key reason CISOs need to consider cyber executive protection
for key executive staff – they and their families are often the
primary victims of complex cybercrime attacks due to their
victimology. They can also become triggers for attacks against their
organizations or vice versa. A few of the key considerations taken
into account in cyber executive protection include the following:
1. Analysis of the principal's cyber habits
2. The principal's cyber and cyber-physical vulnerability
3. Profiles of the principal's inner circle
4. The risk of attack
For instance, a CEO of an organization which profits from animal
byproducts may attract attention and become a target of organizations
such as the Earth Liberation Front or Anonymous, well-known hacktivist
groups that established cyber-attack campaigns in the name of animal
rights. These groups utilize specific behavioral tactics, techniques,
and procedures (TTP), and organizations should employ the victimology
traits of an organization and its executive leadership to identify the
weaknesses that these types of adversaries will likely attack. TTP's
such as spear phishing, watering hole attacks, and brute forcing all
used by advanced persistent threat (APT) groups are just one example
of TTP's used by specific hacking groups. This provides a roadmap for
an organization's cybersecurity defense efficacy and key components of
what the cybersecurity program should include.
Adapt Your Cybersecurity Program to Your Risk Profile
This leads to a few major considerations for the CISO or executive
cybersecurity leadership of an organization:
1. A CISO should develop a comprehensive victimology profile of their
organization, the organization's key leadership, and key leadership's
close staff.
2. Organizations should deploy effective threat intelligence. An
effective threat intelligence service should include criminal
intelligence analysis along with technical intelligence. This helps
with both preemptive protection mechanisms as well as post-event
attribution.
3. Don't exclusively focus on technology and IT frameworks – also
consider criminological elements when building your cybersecurity
plan.
4. A good solution to solving the major shortage of cybersecurity
talents is to leverage criminal justice and criminology majors for
roles and not just technologists. They bring this essential (and often
overlooked) element of cybersecurity.
An effective cybersecurity program also includes social science
elements such as sociology, criminology, and victimology. These
elements are specifically those found in criminology and criminal
justice. Combining victimology profiling both organizationally and
individually can provide effective information in building an
effective cybersecurity plan. CISOs must stop falling into the trap of
only centering on IT frameworks or methodologies. Inevitably, security
leaders and their teams fight crime and help secure their
organizations from threat actors. Embracing a holistic approach that
incorporates victimology, includes solid threat intelligence, and
cyber executive protection will help ensure your cybersecurity program
has achieved maturity and efficacy.
More information about the BreachExchange
mailing list