A Socio-Technical Approach to Cyber-Risk Assessment

Evaluating the level of cyber-security risk within an enterprise is essential to protecting its information systems, services and digital assets against security incidents (e.g. accidents, malicious acts, large-scale cyber-attacks). Existing risk assessment methodologies (e.g. EBIOS, OCTAVE, CRAMM, NIST SP 800) adopt a purely technical approach: the only attacker-related factors they consider are capability, intent and target, and they pay no attention to the attacker's psychological profile and personality traits. This paper proposes a socio-technical approach to cyber-risk assessment that aims at more realistic risk estimates by taking the personality traits of attackers into account. In particular, drawing on principles from investigative psychology and behavioural science, a multi-dimensional, extended and quantifiable model of the attacker's profile is developed, which enters the cyber-risk level calculation as an additional factor.
