Academic Perspectives on
Cybersecurity Victimization and Research
Stephen Burd (burd@unm.edu)
UNM Information Assurance Scholarship for Service Program
UNM Center for Information Assurance Research & Education
Presentation copies available online
http://averia.unm.edu
Last revised: 7/17/2016 3:38 AM
Introducing the Players
Arief & Adzmi, Understanding Cybercrime from Its Stakeholder’s Perspectives:
Part 2 – Defenders and Victims, IEEE Security & Privacy, March/April 2015
Victim Characteristics
Arief & Adzmi, Understanding Cybercrime from Its Stakeholder’s Perspectives:
Part 2 – Defenders and Victims, IEEE Security & Privacy, March/April 2015
One Research Thread

Individual phishing victims, focusing on their behavior and cognition

- Context
  - Who targets them?
  - For what purpose?
  - How are they targeted?
- What makes them vulnerable?
  - Online and related behaviors
  - Cognitive models and processes
- How can their vulnerabilities be mitigated?
  - Education and training
  - Designing systems to match cognitive models/processes
  - Technology-assisted risk awareness

A Cognitive Processing Model
M. Metzger, Making Sense of Credibility on the Web: Models for Evaluating Online Information and Recommendations for Future Research, Journal of The American Society for Information Science and Technology, volume 58:13 (2007), pp. 2078–2091.

Dual-processing model of Web site credibility assessment:
- Dual processing is drawn from research in social psychology
- Posits two modes of human information processing:
  - Heuristic – Quick snap judgement using informal rules/clues
  - Systematic – Slower careful analysis with possible follow-up research
- Choice of processing mode influenced by motivation and ability
Long-Term Research Program

- Test and validate the model – Does it accurately describe user behavior in phishing scenarios?
  - Evidence to date suggests yes
  - Limitations – small sample experiments using undergraduate guinea pigs
- Develop strategies to employ the model in ways that avoid or mitigate individual vulnerability, e.g.,
  - Preprocess content and provide subtle or overt cues to warn of high risk
  - Define a phishing training program based on training supplemented by post-training fake “traps”
- Empirically test each strategy and measure the results
  - Build related software, embed in an ordinary browser, do a large sample A/B test and measure successful phishes and their consequences for both groups
  - Run the training/trap program as an A/B test, measure results and compare across groups or over time – Is the behavioral impact real? Does it fade?
  - In either case, does systematic processing increase and does that result in fewer adverse phishing outcomes?
- Strategy development and empirical testing are typically described in a “Future Research Directions” section of a model testing/validation paper
  - How often are the next steps actually taken?
Academic Motivation for the Research Program

What motivates academic researchers?
- Promotion/tenure, based on
  - Number/quality of publications
  - Number of mentored research-oriented graduate students
  - Grant $
- Money
  - Direct compensation – e.g., summer salary
  - Indirect compensation – e.g., equipment and travel funds
  - Grants that cover other research costs – e.g., graduate student salaries, software licenses, survey/experiment costs, …
- Prestige – Do my colleagues, chair, and dean value what I’m doing?
Research Realities/Impediments

- Model development and testing is easy to publish
  - Clear line of development from others’ work
  - Low cost of experimentation
  - Clear standards of quality – easier to target an “A” journal
- Developing ways to put the model into practice
  - This is perceived as a design and engineering task
  - Generally hard to publish until empirically tested
- Empirically testing
  - Relatively high cost of experimentation
  - Difficult access to real-world data and testing environments
  - Clearance to publish can be tough to obtain
  - Less clear standards of quality combined with shorter-term engineering perspective – harder to target an “A” journal
Critical Research Impediment
Access to Data and Other Resources

“… both chambers are expected to consider a major cybersecurity bill designed to encourage private companies to share data with each other, the Department of Homeland Security and, through the department, ultimately the nation’s intelligence agencies. But past efforts have faltered on the issue of liability protection for the firms. Such legislation is desired by the White House, which views information sharing by private industry as critical to detecting and deterring threats.” – NY Times, 4/14/2015
Some Recommendations

- Target an appropriate portion of research funds to the kinds of research that produce practical “field-tested” results
- Ask journal editors and editorial boards to more highly value research beyond model testing and validation
- Provide researchers (and their students) with access to existing data
- Provide researchers (and their students) with test beds for experimentation
UNM’s Human Centric Security Initiative

The Human-Centric Security (HuCS) Initiative is a collaborative effort between UNM’s
- Department of Computer Science
- Department of Electrical and Computer Engineering
- Anderson School of Management
- Sandia National Laboratories

Goals:
- Establish a problem-driven agenda for cutting-edge, human-centric research
- Educate the next generation of ethical hackers
- Facilitate technology transfer to benefit society
UNM Cybersecurity/IA Faculty
- Rich Brody – Fraud, forensic accounting
- Stephen Burd – IA education, behavioral modeling
- Jed Crandall – Privacy, digital forensics, Internet surveillance
- Michalis Faloutsos – Network security
- Stephanie Forrest – Biological methods in cybersecurity
- Greg Heileman – Information security, digital rights management
- Xin Luo – Behavioral modeling, financial fraud
- Alex Seazzu – Digital forensics, IA education