Navigating New Cyber Risks: How Businesses Can Plan, Build and Manage Safe Spaces in the Digital Age

Ganna Pogrebna · Mark Skilton

Ganna Pogrebna, University of Birmingham, Birmingham, UK, and The Alan Turing Institute, London, UK
Mark Skilton, Warwick Business School, University of Warwick, Coventry, UK

ISBN 978-3-030-13526-3
ISBN 978-3-030-13527-0 (eBook)
https://doi.org/10.1007/978-3-030-13527-0
Library of Congress Control Number: 2019933311

© The Editor(s) (if applicable) and The Author(s), under exclusive licence to Springer Nature Switzerland AG 2019

This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Cover design by Alexander Kharlamov

This Palgrave Macmillan imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland.

"If I had a world of my own, everything would be nonsense. Nothing would be what it is, because everything would be what it isn't. And contrariwise, what is, it wouldn't be. And what it wouldn't be, it would. You see?"
Lewis Carroll, "Alice in Wonderland"

For my son Madoc, my husband Alex, and all those wonderful people who didn't find my quest to beat cybersecurity with a measuring stick to be positively hysterical — Ganna Pogrebna

For my mother Angela — Mark Skilton

Foreword

Cybercrime is the fastest-growing industry in the world and cybersecurity is the hottest topic on the planet.
The one aspect of this topic that has the industry in a quandary is how to identify, protect, contain, and mitigate against cyberattacks on your business, customers, partners, estate, systems, and infrastructure. The variety, complexity, sophistication, and velocity continue to increase and expand at scale; and the threats are endless.

While globally organized cybercriminal groups continue to launch increasingly sophisticated attacks against our networks, suppliers, and clients for monetary gain, it appears that some of the oldest and more simplistic techniques have proven to be highly effective and lucrative for these miscreants. For those of us engaged in cyber defense on a daily basis, social media has become a major enemy, as it is used by cybercriminals to get to unsuspecting citizens as these citizens complain on Twitter, Facebook and other platforms when systems of a particular bank or financial institution are down or not working properly. Adversaries seize the moment to offer assistance, use social engineering to trick innocent victims into giving them private logins and credentials, and wipe out their lifetime savings. Due to the scale and velocity with which such malicious activities propagate, the impact of these crimes is devastating.

For more than 20 years we have been educating end users about the danger of clicking on a link in an email and, later on, on their smartphone. Yet, phishing attacks based on user activation of malicious links are still widely used and continue to be extremely effective and profitable. While the largest and most widely known cybersecurity events held each year worldwide fill their floors with suppliers promoting their products and services and claiming to offer "silver bullet" solutions to protect and save you against cyber threats, in reality there is no silver bullet, and the hacks, compromises, and losses continue to increase. Not only financial crime, but also industrial espionage, counterfeit goods, theft of intellectual property, stealing trade secrets and compromising proprietary research and development (just to name a few) continue to grow and threaten the very core of the economic health of our countries and society.

Perhaps it is simple: technology alone is not the answer. It is simply a tool; and in the modern digital world the only thing that distinguishes a cybercriminal from an honest individual is "opportunity", or the way in which we take or do not take advantage of opportunities which are coming our way. Therefore, cybersecurity is not just a technical science, it is a behavioral science. It is now clear that we keep doing the same thing over and over again (i.e., trying to beat cybersecurity problems with a technological stick), expecting a different result—that is the definition of insanity. Yet, the problems we are facing in cybersecurity not only require a new and different approach, but most certainly a paradigm shift in our thinking. In order to successfully alleviate the risk of cyberattacks, we need to focus on the people behind the keyboard or on the other side of the phone line. We need to understand how they behave, think, act, and react—only by doing this will we be able to predict and, possibly, prevent their criminal actions.

The human element of cybersecurity lies at the heart of this book's analysis, which is based on real-world examples of how behavioral science can be effective and critical for enhancing our ability to address cybersecurity gaps. Obviously, there does not exist one simple answer to cybersecurity problems. Cybersecurity is constantly evolving, as are the people and minds behind cybercrime. Therefore, we need to be agile and understand that we too must innovate and evolve our thinking, technology, processes, education, and skills, while making full use of the recent breakthroughs in behavioral science.

If you have been working in cybersecurity for decades, or are making your first steps and want to feed your curiosity about this field not only from a risk, compliance, or technology perspective, but also from a behavioral science perspective, then I would say you have already opened your mind to the art of the possible, a new and different approach to the problem. I would then tell you to read on, as this book is the best place for you to start. It will most definitely expand your mind. It challenges the thinking of the most experienced and brightest cybersecurity practitioners as well as offering a nice guideline to cybersecurity as a behavioral science for beginners. It will take you back in time and give you a very thorough overview of where it all started, charting the course of the evolution of cybersecurity and, even more fascinatingly, the evolution of the cybercriminal, the criminality, and the conscience of these nefarious actors.

The authors approach this as behavioral scientists, from the viewpoint of someone who was trying to make sense of the field. They adopt the perspective of a typical practitioner (not a technical specialist), someone who is trying to understand the true risks and simply navigate this complex field, by considering alternative cybersecurity solutions and enhancements as well as leveraging the people aspect to improve outcomes and achieve more effective results in building safe digital spaces for business and beyond. The first chapters of the book provide a general summary of the field and systematize the threats. The second part of the book describes how behavioral science (both conceptual and algorithmic) could contribute to solving the majority of cybersecurity issues. Something we can all embrace.

This book offers a different view on cybersecurity and cyber defense—a behavioral (human) view. Its purpose is to consider how to frame the new threats in the digital and physical world, understand their nature, and formulate cybersecurity responses, which, in the face of the contemporary threats, need to combine both technical and behavioral strategies beyond compliance certification and standards. Security and compliance are not the same; we have to get beyond thinking that being compliant is being secure. The authors call upon recent evidence from leading practitioners and academics and offer new methods which will help organizations to plan, build, and manage cyber risks.

In this book, leading business thinkers and experts came together, combining contemporary visions from cybersecurity, behavioral science, human–data and human–computer interaction, and artificial intelligence (AI) fields, to provide practical insights for businesses and help them anticipate new risks and vulnerabilities which they have never encountered earlier in digital environments. The authors analyse practical evidence-based cyber threats and organize expert responses into a practical toolbox on how to consider risks and vulnerabilities across different dimensions, as well as suggesting ways to discover new risks and vulnerabilities. After reading this book, you will gain a better understanding of predictive analysis as well as learn how to anticipate what is coming next (e.g., future threats and vulnerabilities).

This book focuses not only on how new risks and vulnerabilities could be identified but also on human interpretations of these risks and, ultimately, on how the actual threats could be overlooked by humans. It delivers a piece of the puzzle that meets a critical gap in helping to identify ways to embed human behavior into the design of safe human-cyberspaces so these systems operate in the service of making human-centered digital ecosystems more secure. These ideas help us get closer to security-by-design and must be considered when thinking about the future of security and proactive network defense. The authors explore whether and to what extent human psychology is prone to the different social-engineering tricks which cybercriminals play on us. Knowing this allows us to use cutting-edge behavioral measures and tools in order to complement the technical solutions which already exist.

This book will help everyone who reads it, no matter how much or how little experience you have in this field. It will give you insights and ideas, and stimulate thoughts, challenging the norm and your usual way of thinking about the problem of cybersecurity. Make no doubt about it: cybersecurity is a systemic and global problem, an arms race complemented by the looming feeling that the criminals are outpacing us in every way. The authors suggest alternative ways to close the existing gap. By treating cybersecurity as a behavioral issue, we can open the door to incredible critical and problem-solving thinking and innovation in this area. Just imagine the exciting possibilities which a behavioral approach can offer! We can algorithmically predict attacks using the behavioral topology of cybercriminals and their business models. This will enable us to design smart active cyber defense mechanisms by anticipating attacks and collecting forensic evidence "on the fly" when attacks are still in progress.

In this book, you will receive practical tips about incorporating behavioral approaches for understanding and improving cybersecurity within your organization and learn how to integrate them into your environment to enhance your holistic approach to building safe digital spaces. There are a number of new ideas regarding the psychology of cybersecurity—behavioral segmentation of users and cybercriminals, new "positive" approaches to cybersecurity campaigns, multilayered cybersecurity systems tailored to different types of cybercriminals, etc. It is a fascinating read and makes tremendous sense. The authors provide us with well-defined ways of thinking about security and get us one step closer to uncovering the anatomy of the criminal activities and business models and, ultimately, advance us towards finding that silver bullet which would give us tangible advantages over cybercriminals in the future.

Taking human behavior into account when thinking about cybersecurity is extremely important and should not just be a factor we consider after the design of security systems is complete. Reality dictates that we should have a human (and our propensity to make errors, show bias, etc.) in mind when we build secure environments and when we are trying to defend against threats. As I said at the beginning—the problem often boils down to understanding who is behind the keyboard. After all, cybercriminals are only human: they are just people who exploit those endless opportunities which come their way in the digital age and prey on the innocent without a conscience.

This is a thought-provoking, compelling book that adds a whole new dimension to how we address cybersecurity and cyber defense from the perspective of human behavior. It is a must-read for cybersecurity practitioners, cybersecurity professionals, researchers, behavioral scientists, and people who are simply interested in this field or worried about their personal security in cyberspaces.
London, UK
Maria Vello
CEO of the Cyber Defence Alliance

Preface

This book brings together leading experts and builds on the latest exciting research advances from the cybersecurity, behavioral science, human–data interaction, human–computer interaction, and artificial intelligence (AI) fields, in order to offer new practical insights for businesses and help them to identify and address new vulnerabilities in human-cyberspaces. We are particularly focusing on threats and vulnerabilities which businesses otherwise would not be able to identify in modern, complex digital environments. We consider the cyber threats most recently and frequently observed in practice, and organize expert views and opinions into a practical toolkit. This toolkit is intended to help practitioners and business owners to anticipate, consider, and tackle risks and vulnerabilities across different dimensions. It also suggests ways in which new (previously unobserved) risks and vulnerabilities can be discovered by looking at the wider ecosystem of issues beyond data and technology.

Our attention goes beyond traditional detection of risks and vulnerabilities. We pay particular attention to how humans perceive these risks and vulnerabilities and how those perceptions can misrepresent the actual threats, leading to under- or overreaction when responses to threats are formulated. We also look at how the ability to anticipate new risks and vulnerabilities can influence business models and business model innovation. Our goal is to empower businesses to apply a new human-centered vision to cybersecurity problems in order to detect risks which they have not encountered or have not anticipated before. Furthermore, these risks and vulnerabilities do not only have to be detected, but also effectively communicated. We aim to demonstrate how understanding and effective communication of risk-related issues can help build secure and safe human-cyberspaces in the new digital economy.

This book provides a detailed gap-bridging guide, which explains how to embed human behavior into the design of safe human-cyberspaces. It shows that cybersecurity should not be viewed by businesses as a fixed cost factor which can only be addressed through technological upgrades. It is important to understand that cybersecurity in many ways depends on humans and there is a need to design and build security systems with humans in mind. While there is a plethora of cybersecurity books, the existing book market offers little guidance on how to anticipate and diagnose new threats related to advanced AI cyberattacks and criminal social engineering, even though these threats are discussed by governments and international forums, requiring the development of new theoretical methodology, empirical tools, as well as policy. What seems to be missing is a way for current business practitioners to understand these new threats and risks and bring them together into an integrated toolkit. The new approach developed in this book helps us to address these issues as it draws upon the ideas and thoughts of leading experts, supported by practical evidence.
Warwick, UK
January 2019
Ganna Pogrebna
Mark Skilton

Acknowledgements

The development of this book has involved many hours of research and interviews with leading practitioners and academics in the fields of cybersecurity, behavioral science, machine learning, artificial intelligence (AI), economics, and business. We are extremely grateful to Ms. Maria Vello, CEO of the Cyber Defence Alliance, who wrote the foreword for this book. Maria's contribution to cybersecurity in the UK and internationally continues to inspire the authors of this book as well as many cybersecurity scholars and practitioners globally.

We would like to recognize and sincerely thank the following people who gave their time in discussions, sharing thoughts and ideas that have helped us craft this book: Debi Ashenden, Professor of Cyber Security, School of Computing, and Programme Director for Protective Security and Risk at the Centre for Research and Evidence for Security Threats (CREST), University of Portsmouth; Jon Crowcroft, Marconi Professor of Communications Systems, Computer Laboratory at the University of Cambridge, Associate Fellow at the Centre for Science and Policy, and Fellow of the Alan Turing Institute; Anthony Phipps, cybersecurity expert and Senior Manager leading the Digital Cyber Research team at one of the largest financial institutions in Europe; Haydn Povey, CEO and Founder of Secure Thingz and board member of the IoT Security Foundation; Karen Renaud, Professor of Cybersecurity at Abertay University, Professor Extraordinarius at the University of South Africa, Fulbright Scholar, Honorary Research Fellow (Computing Science) at the University of Glasgow; Boris Taratine, cybersecurity expert, passionate visionary, and an influential ambassador of cybersecurity and cyber defense; Tim Watson, Professor of Cybersecurity and Director of the Cyber Security Centre at Warwick Manufacturing Group (WMG) at the University of Warwick; Sir Alan Wilson, Executive Chair of the Ada Lovelace Institute, Professor of Urban and Regional Systems at University College London, and former CEO of the Alan Turing Institute; Karen Yeung, Professorial Fellow in Law, Ethics and Informatics, University of Birmingham, member of the European Union (EU) High Level Expert Group on Artificial Intelligence, and member and rapporteur for the Council of Europe's Expert Committee on human rights dimensions of automated data processing and different forms of artificial intelligence (MSI-AUT).

We also thank many cybersecurity practitioners from leading financial, legal, and technological industries, as well as experts working in law enforcement, whose work and advice inspired this book but who wished to remain anonymous. Original artwork for this book was produced by Alexander Kharlamov, an award-winning artist and photographer, in collaboration with the authors.

Disclaimer

All company names, trade names, trademarks, trade dress designs/logos, copyright images, and products referenced in this book are the property of their respective owners. No company referenced in this book sponsored this book or the content thereof.
Contents

1 Introduction

Part I: New Cyberthreats and Why We Should Worry about Them
2 Cybersecurity Threats: Past and Present
3 A Sneak Peek into the Motivation of a Cybercriminal
4 Wake Up: You Are the Target!

Part II: Existing Solutions and Cybersecurity for Business
5 Existing Solutions Summary
6 Cybersecurity Business Goals and Stories Around Them
7 Communication, Communication, Communication

Part III: Future Threats and Solutions
8 Future Threats
9 Future Solutions
10 Social and Ethical Aspects

Part IV: Cybersecurity: The New Frontier
11 The Next-Generation Cybersecurity
12 Navigating a Safe Space
13 The Twelve Principles of Safe Places
14 In Place of a Conclusion

References
Index

About the Authors

Ganna Pogrebna is Professor of Behavioral Economics and Data Science at the University of Birmingham and Fellow at the Alan Turing Institute. Blending behavioral science, computer science, data analytics, engineering, and business model innovation, Ganna helps businesses, charities, cities, and individuals to better understand why they make the decisions they make and how they can optimize their behavior to achieve higher profit, better (cyber)security, and more desirable social outcomes, as well as to flourish and bolster their well-being. She is interested in analyzing individual and group decision-making under risk and uncertainty (ambiguity) using laboratory experiments, field experiments and non-experimental data (specifically, large non-experimental datasets). She studies how decision-makers reveal their preferences, learn, co-ordinate, and make trade-offs in static and dynamic environments. Her work aims to develop quantitative models capable of describing and predicting individual and group behavior under risk and uncertainty. Using an algorithmic approach, Ganna works on hybrid models at the intersection between decision theory and machine learning (particularly, Anthropomorphic Learning). Her recent projects focus on smart technological and social systems, cybersecurity, AI, human–computer interaction (HCI), human–data interaction (HDI), and business models. Ganna is one of the authors of the Cyber Domain-Specific Risk Taking scale (CyberDoSpeRT), a tool which allows practitioners to construct behavioral segmentation in order to design cybersecurity solutions, and which received the Organizational Psychology Award from the British Academy of Management in 2018. Her work on risk modeling and understanding human behavior under risk and uncertainty was published in highly reputable peer-refereed academic journals and recognized by numerous awards, including the Leverhulme Fellowship Award as well as the Economic and Social Research Council/Alan Turing Institute Fellowship Award. Since 2002, Ganna has used her expertise to develop practical solutions for businesses as a consultant.

Mark Skilton is Professor of Practice in Information Systems and Management at Warwick Business School, the University of Warwick, UK. He has over 30 years' experience as a professional consultant with a track record in the top 1000 companies in over 20 countries and across multiple public, private, and start-up sectors. He is also currently a member of the senior executive team as Head of the Applied Research and Collaboration Labs (ARC) UK at Enzen, an international energy and utility consultancy based in the UK, India, the EU, Australia, and North America. He has direct industrial experience ranging from commercial practice leadership, boardroom, and investor strategy to program team and transformation management at scale. Mark has previously published two international practitioner books on building the digital enterprise and digital ecosystem architectures. He is a recognized international thought leader in digital, IoT, automation and AI, cyber-physical systems, cybersecurity, company strategy, telecoms, digital markets and M&A strategies, CxO practices, and technology governance. His work and views have been published in the Financial Times, New York Times, Wall Street Journal, Washington Post, New Scientist, Nature, and Scientific American, by Bloomberg and the Associated Press, and on many TV and radio channels around the world, including the BBC, Sky, ITV, Al Jazeera, and many others. Mark has an MBA and postgraduate qualifications in Production Engineering, Design Management, and Material Sciences from the University of Warwick, the University of Cambridge, and the University of Sheffield, UK, respectively.
Notes on Advisors

Debi Ashenden is Professor of Cyber Security in the School of Computing at the University of Portsmouth. Debi was previously Head of the Centre for Cyber Security at Cranfield University at the Defence Academy of the UK. Before becoming an academic, she was a Managing Consultant at QinetiQ (formerly DERA) and has worked in cybersecurity since 1998. Debi holds a Ph.D. in Computer Science from UCL, an M.B.A., an M.Sc. in Computer Science, an M.A. in Victorian Literature and a B.A. (Hons) in English Literature. She has worked extensively across the public and private sectors for organizations such as the UK Ministry of Defence (MoD), UK Cabinet Office, UK Home Office, Euroclear, Prudential, Barclaycard, Reuters, and Close Bros. Debi has had a number of articles on cybersecurity published, has presented at a range of conferences and co-authored a book for Butterworth-Heinemann, Risk Management for Computer Security: Protecting Your Network and Information Assets.

Jon Crowcroft is the Marconi Professor of Communications Systems, Computer Laboratory, University of Cambridge, UK. He is also Associate Fellow of the Centre for Science and Policy and Fellow at the Alan Turing Institute, UK. Jon Crowcroft joined the University of Cambridge in 2001, prior to which he was Professor of Networked Systems at UCL in the Computer Science Department. He is a Fellow of the Royal Society, Fellow of the Association for Computing Machinery, a Chartered Fellow of the British Computer Society, a Fellow of the Institution of Electrical Engineers and a Fellow of the Royal Academy of Engineering, as well as a Fellow of the Institute of Electrical and Electronics Engineers. He was a member of the Internet Architecture Board (1996–2002) and went to the first 50 meetings of the Internet Engineering Task Force; he was General Chair for the ACM SIGCOMM (1995–1999) and was a recipient of the SIGCOMM Award in 2009. He is the Principal Investigator in the Computer Lab for the EU Social Networks project, the Horizon Digital Economy project, funded by the Engineering and Physical Sciences Research Council and hubbed at Nottingham, and the EPSRC-funded federated sensor networks (i.e., sensor nets) project FRESNEL, in collaboration with Oxford, along with a new five-year project towards a Carbon Neutral Internet with Leeds. Jon has made major contributions to a number of successful start-up projects, such as the Raspberry Pi and Xen. He has been a member of the Scientific Council of IMDEA Networks since 2007. He is also on the advisory board of the Max Planck Institute for Software Systems. Jon has written, edited, and co-authored a number of books and publications which have been adopted internationally in academic courses, including TCP/IP and Linux Protocol Implementation: Systems Code for the Linux Internet, Internetworking Multimedia (2001) and Open Distributed Systems (1995). Jon's research interests include communications, multimedia, and social systems, especially Internet related.

Anthony Phipps is a Senior Manager leading the Digital Cyber Research team at one of the largest financial institutions in Europe. Tony started his career as an engineer and has worked in a variety of fields including electrical and electronic engineering and, more recently, information technology. For the last 20 years he has specialized in information, cyber and physical security. He obtained his first degree in Electrical and Electronic Engineering from the University of Greenwich in 1997 and a Master's degree in Information Technology Security from the University of Westminster in 2002. He is currently working towards obtaining a Ph.D. in cybersecurity.
Haydn Povey is CEO and Founder of Secure Thingz Inc. He is also a board member of the IoT Security Foundation. He is a recognized international expert in IoT security development. Prior to establishing Secure Thingz, he spent ten years at ARM as Director of Marketing for Security across industry sectors and in the Processor Division and product management. Secure Thingz is a provider of advanced security solutions for embedded systems in the Internet of Things. It was founded by Haydn in 2016 and recently sold to IAR Systems AB, a Swedish developer of embedded systems tools, for 20 million. The company's Secure Deploy architecture has been developed to solve the major security issues challenging the IoT. It claims that its solutions ensure a cost-efficient root of trust in low-cost microcontrollers to deliver a core set of critical services through the product lifecycle, alongside a secure deployment, production, and update infrastructure in the field of embedded trust.

Karen Renaud is Professor of Cybersecurity, Division of Cybersecurity, at Abertay University, Professor Extraordinarius at the University of South Africa, Fulbright Cyber Security Scholar 2016/2017, as well as Honorary Research Fellow (Computing Science) at the University of Glasgow, UK. Karen is a graduate of the universities of Pretoria, South Africa, and Glasgow, UK. Her main research interest is Usable Security. She publishes widely in this area and collaborates with academics in the UK, South Africa, and Canada. She also has interests in email usage in organizations, electronic voting, and technology acceptance, specifically with respect to learning support systems. Karen's research interests include the usability of security systems, graphical authentication mechanisms, security and email acceptable-use policies, the use of technology in organizations, electronic voting, and privacy. She has written many academic publications in the field of security, along with numerous book contributions, and is a frequent speaker at cybersecurity conferences.

Boris Taratine is a passionate visionary and an influential ambassador of cybersecurity and cyber defense. He has worked for world-renowned companies across the globe, holding different senior cyber and information security technical and leadership roles, has been engaged in consulting with numerous organizations and is an active participant in various industry and law enforcement forums influencing global cybersecurity development. He is a frequent speaker at various industry events. He serves as a Strategic Executive Advisor to CEOs and a member of advisory boards to new cybersecurity start-ups. Boris has nearly 30 years' experience in the cybersecurity, information security, and information technology fields, spanning different industries. He possesses extremely strong analytical and problem-solving skills and is able to find and integrate complex solutions consistent with customer and regulatory requirements. Boris is the author of six scientific publications and nine patents (including four granted under the NATO HiTech project), and has dozens of patents pending. He is a Ph.D. candidate and graduated from Saint Petersburg State University with the highest honor.
Maria Vello is CEO of the Cyber Defence Alliance (CDA). She joined the CDA in April 2016. Prior to this, she was the CEO and President of the NCFTA (National Cyber-Forensics and Training Alliance) for three years. Before her appointment as CEO and President, Maria served on the Board of Directors of the NCFTA from its inception in 2002 to 2012, and as the Board Secretary at the NCFTA for four years. Under Maria's leadership, the NCFTA weathered several significant cyber storms (e.g., those instigated by Gameover ZeuS and Darkode), playing an instrumental role in major successes across the cybersecurity industry and in law enforcement. During her leadership, in 2014, the NCFTA was named in President Obama's Executive Order. Maria was the constant driving force for the NCFTA's growth in revenues and reach. She also helped ensure the increase in the number of cybercriminal arrests as well as cases taken on by the law enforcement partners. Maria brings a wealth of experience in trust-based collaboration and information sharing across businesses in different industries. She often acts as an ambassador linking businesses with law enforcement, government and academia to proactively detect, protect, deter, dismantle, and stop cybercrime and cyber threats. She has effectively led multinational teams to leverage cross-sector resources and threat intelligence in order to more efficiently analyze, correlate, and attribute critical real-time intelligence against emerging cyber threats as well as to deliver actionable intelligence to both industry and law enforcement.

With more than 25 years' experience in the security, design, integration, risk, architectural design, and implementation of global corporate systems, security architectures, and networks, Maria has been responsible for integrating security best practices, risk, and compliance, as well as raising awareness at every level in every organization for which she has worked. Maria managed a Fortune Global 100 network infrastructure and systems, from security, LAN, WAN, voice, video, voicemail and gateways to network architecture. She was the owner of a network security and vulnerability assessment company and worked for Cisco Systems in security for 7 years. Maria has been recognized as a leading expert in security throughout her career. She received the AT&T Leaders Council Award, finishing in the top 2% of the AT&T expert rankings, and was the number one Regional Manager in Security while she worked for Cisco Systems. She was also honored by the FBI Executive team within the FBI Cyber Unit, Department of Justice, and the FBI Cyber Initiative Resource and Fusion Unit (CIRFU) for her exemplary service, partnership, and contributions with the Cyber Division. In 2014, she was named one of the top ten Women in Cloud. Maria received her Bachelor's degree from Duquesne University, Pittsburgh, Pennsylvania, and studied further at the Massachusetts Institute of Technology and the University of Pennsylvania's Wharton School of Business. She has also attended numerous executive leadership and management training courses, including the Carnegie Mellon University Software Engineering Institute's certification program in the delivery, facilitation, consulting, and training of the Institute's OCTAVE methodology. In addition to being a Certified Information Systems Security Professional (CISSP), Maria also has the RAM-W physical security certification for the water industry.
TimWatsonistheDirectoroftheCyberSecurityCentreatWarwickManufacturingGroup(WMG)withintheUniversityofWarwick.
Withmorethan25years'experienceinthecomputingindustryandinacademia,hehasbeeninvolvedwithawiderangeofcomputersystemsonseveralhigh-profileprojectsandhasactedasaconsultantforsomeofthelargesttelecoms,power,andoilcompanies.
HeisanadvisortovariouspartsoftheUKgovernmentandtoseveralprofessionalandstandardsbodies.
Tim'scur-rentresearchincludesEU-fundedprojectsoncombatingcybercrimeandresearchintotheprotectionofinfrastructureagainstcyberattack.
HeistheVicePresident(Academia)oftheTrustworthySoftwareInitiative,aUKgov-ernment–sponsoredprojecttomakesoftwarebetter,andakeydeliverableoftheUKNationalCyberSecurityProgramme.
Timisalsoaregularmediacommentatorondigitalforensicsandcybersecurity.
Sir Alan Wilson is a current Executive Chair of the Ada Lovelace Institute, a former CEO of the Alan Turing Institute and Professor of Urban and Regional Systems in the Centre for Advanced Spatial Analysis at UCL. He is Chair of the Home Office Science Advisory Council. Alan is a Cambridge Mathematics graduate and began his research career in elementary particle physics at the Rutherford Laboratory. He turned to the social sciences, working on cities, with posts in Oxford and London before becoming Professor of Urban and Regional Geography in Leeds in 1970. He was a member of Oxford City Council from 1964 to 1967. In the late 1980s, he was the co-founder of GMAP Ltd, a university spin-out company. He was Vice Chancellor of the University of Leeds from 1991 to 2004, when he became Director–General for Higher Education in the then DfES. After a brief spell in Cambridge, he joined UCL in 2007. From 2007 to 2013, he was Chair of the Arts and Humanities Research Council; and from 2013 to 2015, he was Chair of the Lead Expert Group for the Government Office for Science Foresight on The Future of Cities project.

His research field covers many aspects of the mathematical modeling of cities and the use of these models in planning. These techniques are now in common use internationally—including the concept of entropy in building spatial interaction models, summarized in Entropy in Urban and Regional Modelling (reissued in 2011 by Routledge). These models have been widely used in areas such as transport planning, demography, and economic modeling. Alan's recent research focused on the applications of dynamical systems theory in relation to modeling the evolution of urban structure in both historical and contemporary settings. This led to the laying of the foundations of a comprehensive theory of urban dynamics described in Complex Spatial Systems (2000). He has published over 200 papers and his recent books include The Science of Cities and Regions (2012), his five-volume Urban Modelling (2012, edited), Explorations in Urban and Regional Dynamics (2015, with Joel Dearden), Global Dynamics (2016, edited), and Geo-mathematical Modelling (2016, edited). Alan has a particular interest in interdisciplinarity and published Knowledge Power in 2010; he also writes the quaestio blog (www.quaestio.blogweb.casa.ucl.ac.uk).
Karen Yeung is the University of Birmingham's first Interdisciplinary Chair, taking up the post of Interdisciplinary Professorial Fellow in Law, Ethics, and Informatics in the School of Law and the School of Computer Science in January 2018. She has been a Distinguished Visiting Fellow at Melbourne Law School since 2016. Together with Andrew Howes and Ganna Pogrebna, she informally leads a group of over 90 researchers at the University of Birmingham from a wide range of disciplines under the theme of Responsible Artificial Intelligence. Karen is actively involved in several technology policy and related initiatives in the UK and worldwide, including initiatives concerned with the governance of AI, which is one of her key research interests. In particular, she is a member of the EU's High Level Expert Group on Artificial Intelligence (since June 2018), as well as a member and rapporteur for the Council of Europe's Expert Committee on human rights dimensions of automated data processing and different forms of artificial intelligence (MSI-AUT). Since March 2018, she has been the ethics advisor and member of the Expert Advisory Panel on Digital Medicine for the Topol Independent Technology Review for the NHS. Between 2016 and 2018, she was Chair of the Nuffield Council on Bioethics Working Party on Genome Editing and Human Reproduction. During this period, she was also a member of the World Economic Forum Global Future Council on Biotechnology. Her recent publications include The Oxford Handbook of Law, Regulation and Technology (2017, co-edited with Roger Brownsword and Eloise Scotford), and the Royal Society/British Academy report Data Management and Use: Governance in the 21st Century (2017). She is qualified to practice as a barrister and solicitor at the Supreme Court of Victoria (Australia), having completed a brief stint in professional legal practice. Karen is on the editorial boards of Big Data & Society and Public Law. As an Interdisciplinary Chair, she is keen to foster collaboration between academics from across a range of disciplines, and to initiate dialogue between academics and policy–makers across various disciplines concerned with examining the social, legal, democratic, and ethical implications of technological development, as well as seeking to promote informed, inclusive, and human-centered technology policy-making and implementation.
Abbreviations, Acronyms and Glossary

AG: Attack graph. A model of vulnerabilities and possible attack paths.
AI: Artificial intelligence—sometimes called machine intelligence—is intelligence demonstrated by machines, in contrast to the natural intelligence displayed by humans and other animals. In computer science, AI research is defined as the study of "intelligent agents": any device that perceives its environment and takes actions that maximize its chance of successfully achieving its goals (Poole and Goebel 1998). Colloquially, the term "artificial intelligence" is applied when a machine mimics "cognitive" functions that humans associate with other human minds, such as "learning" and "problem-solving" (Russell and Norvig 2009).
Anonymous: A decentralized international hacktivist group that is widely known for its various distributed denial-of-service (DDoS) cyber attacks against several governments, government institutions and agencies, corporations, and the Church of Scientology.
API: Application Programming Interface.
APT: Advanced Persistent Threat.
ATM: Automated Teller Machine.
AG: Attack Graph—the graphical mapping of a cyber attack.
Attack Policy: A model of methods and rules to respond to an attack graph model of vulnerabilities and possible attack paths. A contingent attack policy defines an action for each situation that may arise during an attack. This allows identification of not only the actions likely to be executed by a rational attacker, but also the order of their execution.
Attack Strategy: The attack strategies are all contingent plans consistent with the attack graph.
Attack Surface: Also known as threat surface. The attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "Attacker") can try to enter data to or extract data from an environment. Keeping the attack surface as small as possible is a basic security measure (Manadhata and Wing 2008).
BAT: Baidu, Alibaba, and Tencent, China's leading Internet companies.
BCT: Blockchain Technology.
BCW: Behavior-Change Wheel.
BlackSec: A hacking group involved with LulzSec and Anonymous in Operation AntiSec.
Botnet: Several Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform a distributed denial-of-service (DDoS) attack, infect (Trojan) and steal data, send spam, and allow the attacker to access the device and its connection.
BYOD: Bring-Your-Own-Device.
CareCERT: The NHS Digital cybersecurity CERT team.
CARTA: Continuous Adaptive Risk and Trust Assessment, a commercial framework by Gartner.
CBT: Cognitive Behavioral Therapy.
CEH: Certified Ethical Hacker from the EC-Council. Also known as a white-hat hacker.
CERT: A team of cybersecurity specialists who investigate cybersecurity attacks and can investigate and plan fixes. They provide alerts on attacks and can be notified of attacks to investigate. Examples include US-CERT, CareCERT.
CIIA: Critical Infrastructure Information Act (2002).
CISSP: Certified Information Systems Security Professional is an independent information security certification granted by the International Information System Security Certification Consortium, also known as (ISC)². CISSP designation was accredited under the ANSI ISO/IEC Standard 17024:2003. It is also formally approved by the US Department of Defense (DoD) in both their Information Assurance Technical (IAT) and Managerial (IAM) categories for their DoDD 8570 certification requirement. CISSP has been adopted as a baseline for the US National Security Agency's ISSEP program. CISSP is a globally recognized certification in the field of IT security.
Cloud-IAP: Cloud Identity-Aware Proxy.
CNI: Critical national infrastructure attack.
Cookies: An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing. Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items added in the shopping cart in an online store) or to record the user's browsing activity (including clicking buttons, logging in, or recording which pages were visited in the past). They can also be used to remember arbitrary pieces of information that the user previously entered in form fields, such as names, addresses, passwords, and credit card numbers. Other kinds of cookies perform essential functions in the modern web. Perhaps most importantly, authentication cookies are the most common method used by web servers to establish whether the user is logged in or not, and which account they are logged in with. Security vulnerabilities may allow a cookie's data to be read by a hacker, used to gain access to user data, or used to gain access (with the user's credentials) to the website to which the cookie belongs (see Cross-site Scripting [XSS] and Cross-site Request Forgery [CSRF, XSRF]) (Vamosi 2008).
CPMI: Committee on Payments and Market Infrastructures.
CRISC: Certified in Risk and Information Systems Control, certified by the Information Systems Audit and Control Association (ISACA).
Cross-site Scripting: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
CSEA: Cyber Security Enhancement Act (2002).
CSIS: Center for Strategic and International Studies.
CSL: China's Cyber Security Law, which took effect in June 2017. Contains the MLPS framework.
CSRF: Cross-site request forgery, or XSRF or Sea Surf, refers to an attack against authenticated web applications using cookies.
CTI: Cyber threat intelligence.
Cyber Assurance: Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation (NIST Glossary 2013).
DARPA: Defense Advanced Research Projects Agency.
DCMS: Department for Digital, Culture, Media and Sport, UK.
DDoS: Distributed denial of service. A type of DoS attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system, causing a denial-of-service (DoS) attack (see DoSing).
DDoSing: Distributed denial of service. An attack becomes a distributed denial of service (DDoS) when it comes from multiple computers (or vectors) instead of just one. This is the most common form of DoS attack on websites.
DHS: Department of Homeland Security, US government.
Diagnostic: A distinctive symptom or characteristic. Concerned with the diagnosis of, for example, an illness or state of an asset or other problems.
Digital Forensics: A branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.
DMZ: Demilitarized zone on a computer network.
DNS: Domain name servers are the Internet's equivalent of a phone book. They maintain a directory of domain names and translate them to Internet protocol (IP) addresses.
DoD: US Department of Defense.
DoSing: Denial of service. The perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. DoS attacks can range in duration and may target more than one site or system at a time. DoS events often occur when a service's underlying systems are overloaded with a high volume of request calls.
DPA: Differential Power Analysis.
ECHR: European Convention on Human Rights.
ECJ: European Court of Justice.
EEA: The European Economic Area allows for the free movement of persons, goods, services, and capital within the European Single Market, including the freedom to choose residence in any country within this area. The EEA includes EU countries and Iceland, Liechtenstein, and Norway. Switzerland is neither an EU nor EEA member but is part of the single market.
Email Spoofing: Creation of email messages with a forged sender address.
ENISA: European Union Agency for Network and Information Security.
Ethical Hacker: A computer and networking expert who systematically attempts to penetrate a computer system or network on behalf of its owners to find security vulnerabilities that a malicious hacker could potentially exploit. Also known as a white-hat hacker.
Exploit: "To use something to one's own advantage"; a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur in computer software, hardware, or other electronic equipment (usually computerized). Such behavior frequently includes, for example, gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.
FAANG: Facebook, Apple, Amazon, Netflix, Alphabet's Google, the USA's leading Internet companies.
FISMA: Federal Information Security Management Act (2002).
Fix: A patch or other type of solution to a known or discovered vulnerability or exploit.
FSB: Russian Federal Security Service (formerly the KGB).
FTC: Federal Trade Commission.
Gamification: A mechanism to reinforce communication and behavior by using incentivized games.
GDPR: EU General Data Protection Regulation Law for the European Union and European Economic Area (EEA).
GLBA: Gramm–Leach–Bliley Act (1999).
Hacker: Anyone with technical skills, but it often refers to a person who uses his or her abilities to gain unauthorized access to systems, networks, or data to commit crimes.
HIPAA: Health Insurance Portability and Accountability Act (1996).
HIPS: A host-based intrusion prevention system is a system or a program employed to protect critical computer systems containing crucial data against viruses and other Internet malware. Starting from the network layer all the way up to the application layer, HIPS protects from known and unknown malicious attacks [1].
Honeypot: A computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site (but is actually isolated and monitored) and seems to contain information or a resource of value to attackers, who are then blocked. Colloquially known as "baiting" a suspect, it resembles a police sting operation (Cole and Northcutt 2018).
HP: Honeypot.
HSA: Homeland Security Act (2002).
IDS: Intrusion Detection System.
IHRL: International Human Rights Law.
Interpol: The International Criminal Police Organization, more commonly known as Interpol, is the international organization that facilitates international police co–operation.
IoC: Indicators of compromise threat intelligence.
IOSCO: International Organization of Securities Commission.
IoT Botnet: An Internet of Things botnet is a group of hacked computers, smart appliances, and Internet-connected devices that have been co-opted for illicit purposes.
IP: Intellectual property. A category of property that includes intangible creations of the human intellect, and primarily encompasses copyrights, patents, and trademarks (Sullivan 2016).
IP: Internet protocol. The principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables Internetworking, and essentially establishes the Internet. The first main version was IPv4, a 32-bit numeric decimal address system. This was replaced by the latest version, IPv6, a 128-bit hexadecimal address system with many new features.
IPS: Intrusion Prevention System.
ISACA: Information Systems Audit and Control Association.
(ISC)²: International Information System Security Certification.
ISP: Internet Service Provider.
ISSEP: Information Systems Security Engineering Professional.
IT: Information Technology.
Kill Chain: A concept developed by Lockheed Martin in 2011 to categorize different phases of a cyber attack they describe as adversary campaigns and intrusion kill chains.
LulzSec: A black-hat computer hacking group that claimed responsibility for several high-profile attacks, including the compromise of user accounts from Sony Pictures in 2011.
M2M: Machine-to-Machine.
Malware: Malicious software is any program or file that is harmful to a computer user. Malware includes computer viruses, worms, Trojan Horses, and spyware.
Masquerade: The attacker pretends to be an authorized user of a system to gain access to it or to obtain greater privileges than they are authorized for.
MFA: Multifactor Authentication.
MIT: Massachusetts Institute of Technology.
MLPS: Chinese government's Multilevel Protection Scheme contained in the CSL. MLPS classifies information systems physically located in China according to their relative impact on national security, social order, and economic interests should the system be damaged or attacked.
MPS: China's Ministry of Public Security.
MulVAL: An end-to-end framework and reasoning system that conducts multihost, multistage vulnerability analysis on a network.
NAC: Network Access Control.
NAO: UK government's National Audit Office.
NCSC: National Cyber Security Centre, UK.
NECSI: New England Complex Systems Institute.
NIST: National Institute of Standards and Technology, USA.
NSA: National Security Agency, US government.
OEM: Original Equipment Manufacturer.
Operation Anti-Security: Also referred to as Operation AntiSec or #AntiSec. A series of hacking attacks performed by members of the hacking groups LulzSec and BlackSec, Anonymous, and others.
OVAL: Open Vulnerability and Assessment Language is an international information security community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community.
OWASP: Open Web Application Security Project—a not-for-profit charitable foundation established in the USA in 2004.
Patch: A set of changes to a computer program or its supporting data designed to update, fix, or improve it. This includes fixing security vulnerabilities and other bugs. Usually referred to as bug fixes or bugfixes, they improve usability or performance.
Pen Test: A penetration test of a company typically carried out by security professionals or by hackers seeking to find vulnerabilities.
Phishing: An attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
PIR: Passive Infrared Sensor.
PKI: Public-Key Infrastructure.
Polymorphic Code: A computer virus is a type of malicious software that, when executed, replicates itself by modifying other computer programs and inserting its own code. When this replication succeeds, the affected areas are then said to be "infected" with a computer virus.
POTS: Also known as Honeypot.
PoUW: Proof of Useful Work.
PP: Privacy Policies.
Prognostic: Relating to or serving to predict the likely course of, for example, a medical condition.
PUA: A program that contains adware, installs toolbars, or has other unclear objectives that a user may perceive as potentially unwanted.
Reachability: The ability of an attacker to reach a location in an attack graph, a point in a network.
REBT: Rational-Emotive Behavior Therapy.
Risk Perception: Risk perception is the subjective judgment people make about the severity and probability of a risk and may vary from person to person. Any human endeavor carries some risk, but some are much riskier than others (Hansson and Zalta 2014).
Risk: The potential to gain or lose something of value. Values (such as physical health, social status, emotional well-being, or financial wealth) can be gained or lost when taking a risk resulting from a given action or inaction, foreseen or unforeseen (planned or not planned). Risk can also be defined as the intentional interaction with uncertainty (Preston 2015). Uncertainty is a potential, unpredictable, and uncontrollable outcome; it is a consequence of action taken despite uncertainty.
SEC: Securities and Exchange Commission.
SEM: Security Event Management.
SETI: Search for Extraterrestrial Intelligence.
SIEM: Security information and event management is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system.
SIM: Security Information Management.
Social Engineering: Refers to the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. It is also broadly described as an act of psychological manipulation of another human being (Anderson 2008).
Software Bug: A software bug is an error, flaw, failure or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways.
Spyware: Software that aims to gather information about a person or organization, sometimes without their knowledge. It may send such information to another entity without the consumer's consent, assert control over a device without the consumer's knowledge, or send such information to another entity with the consumer's consent, through cookies.
SQLi: SQL injection is one of the many web attack mechanisms used by hackers to steal data. It is perhaps one of the most common application layer attacks.
SSO: Single sign-on is a property of access control of multiple related, yet independent, software systems. With this property, a user logs in with a single ID and password to gain access to a connected system and/or accomplishes this using the Lightweight Directory Access Protocol (LDAP) as well as stored LDAP databases on (directory) servers. A simple version of single sign-on can be achieved over IP networks using cookies but only if the sites share a common DNS parent domain.
STIX: Structured Threat Information eXpression. STIX is a language developed for cyber threat intelligence sharing.
TAXII: A transport mechanism for sharing cyber threat intelligence.
Threat Actor: "The Attacker"—a person, group, organization, or government that carries out cyber attacks.
Threat Surface: Also known as Attack Surface. The attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "Attacker") can try to enter data to or extract data from an environment. Keeping the attack surface as small as possible is a basic security measure (Manadhata and Wing 2008).
Threat Target: A threat target is anything of value to the Threat Actor. It could be a PC, mobile, vehicle, your online bank account… or you (stealing your identity), intellectual property (IP), influence, ideology (adapted from Withers 2011).
Threat Vector: Also known as attack vector or information security threat vector. A threat vector describes a method of cyber attack that is a path or tool used by a threat actor to attack the target (Withers 2011). They are the routes that malicious attacks may take to pass your defenses and infect and carry out the attack on your network, person, organization, or sovereignty.
ToS: Terms of Service.
Tracking Cookies: Tracking cookies, and especially third-party tracking cookies, are commonly used as ways to compile long–term records of individuals' browsing histories, a potential privacy concern that prompted European (EU cookies 2013) and US lawmakers to act in 2011. European law requires that all websites targeting European Union member states gain "informed consent" from users before storing non-essential cookies on their device. Google Project Zero researcher Jann Horn describes the ways cookies can be read by intermediaries, such as Wi–Fi hotspot providers. He recommends using the browser in incognito mode in such circumstances (Horn, accessed 2018).
Trojan: A virus. Trojans are also known to create a backdoor on a computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike other viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.
UAI: Uncertainty Avoidance Index.
UDHR: Universal Declaration of Human Rights, United Nations General Assembly, Resolution 217.
UEBA: User and Entity Behavior Analytics.
US-CERT: United States Computer Emergency Readiness Team. A cybersecurity attack alerts service.
Virus: A piece of software code which can copy itself and typically has a detrimental effect, such as corrupting the system or destroying data.
VM: A virtual machine is a computer file, typically called an image, that behaves like an actual computer. Multiple virtual machines can run simultaneously on the same physical computer. For servers, the multiple operating systems run side by side, managed by a piece of software called a hypervisor, while desktop computers typically employ one operating system to run the other operating systems within its program windows. Each virtual machine provides its own virtual hardware, including CPUs, memory, hard drives, network interfaces, and other devices. The virtual hardware is then mapped to the real hardware on the physical machine, which minimizes costs by reducing the need for physical hardware systems (and their associated maintenance costs), as well as reducing power and cooling demand.
VPN: Virtual Private Network.
Vulnerability: A flaw in a system that can leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat.
WEF: World Economic Forum.
Worm: A standalone malware computer program that replicates itself and spreads to other computers.
XSRF: Cross-site scripting forgery (see also CSRF).
Zero-day Attack: A zero-day exploit is a cyber attack that occurs on the same day a weakness is discovered in software. At that point, it is exploited before a fix becomes available from its creator.
Zero-day: A zero-day vulnerability is a vulnerability, unknown to or undiscovered by those who would be interested in mitigating the vulnerability (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to tamper with computer programs, data, systems and networks.
Zero-trust: Zero-trust is a security model based on the principle of maintaining strict access controls and not trusting anyone by default ("never trust, always verify" principle).
ZKP: Zero-Knowledge Proof.
References

1. Host-Based Intrusion Prevention System (HIPS), Technopedia. https://www.techopedia.com/definition/…/host-based-intrusion-prevention-system-hips.
2. What is a Zero-Day Vulnerability, pctools by Symantec. https://web.archive.org/web/20170704035927/http://www.pctools.com/security-news/zero-day-vulnerability/.
List of Figures

Fig. 2.1 Brief chronology of cyber threats 19
Fig. 3.1 Adversary motivation from hacker direct speech 33
Fig. 3.2 Taxonomy of adversaries 35
Fig. 3.3 Cyber attack ecosystem 47
Fig. 3.4 Business model spectrum of cybercrimes 49
Fig. 3.5 Cybercriminal ecosystem and underlying business models for Albert Gonzalez case 49
Fig. 3.6 Prison time by age of a cybercriminal 51
Fig. 4.1 Psycho-technological matrix of cybersecurity threats 58
Fig. 4.2 Percentage of UK users aware and unaware about a menu of Facebook and Twitter permissions 63
Fig. 4.3 Weekly amount of money in British Pounds which UK users are willing to accept to sell their data (WTA) and willing to pay to protect their data (WTP) 65
Fig. 4.4 Summary of the General Data Protection Regulation 67
Fig. 5.1 CIS framework explained 78
Fig. 6.1 Valuables-based forward-looking cost–benefit analysis procedure 102
Fig. 6.2 Cybersecurity investment prioritization chart 103
Fig. 7.1 Information sharing: businesses versus adversaries 107
Fig. 9.1 Architecture of an idealized system 126
Fig. 9.2 Costs and benefits for an adversary 133
Fig. 9.3 Active cyber defense model according to Decision Field Theory 134
Fig. 10.1 Cybersecurity, culture, and risk attitudes 139
Fig. 11.1 Cybersecurity business canvas risk assessment tool 147
Fig. 11.2 Cybersecurity risk navigation matrix 148
Fig. 14.1 Good luck! 200

List of Tables

Table 2.1 Periodic table of cybersecurity threats 16
Table 5.1 Most widely used cybersecurity frameworks in the USA 77
Table 7.1 Behavioral segments of population according to CybeDoSpeRT in the USA and the UK as elicited by Kharlamov et al. (2018a) 111