Don’t Forget Victimology as a Cybersecurity StrategyTechnology and IT principles play an undeniable role in cybersecurity defense, but criminological security principles should not be overlooked. By: Chris Bullock
As cybersecurity professionals overwhelmed with compliance requirements, regulations, and a multitude of tradecraft frameworks, we sometimes lose focus on what we really are at our roots. We are cybercrime fighters. We move through our day as cybersecurity leaders defending our organization's employee data, customer data, and trade secrets from cybercriminals. As such, we must focus on our adversaries just as much as we focus on the people, processes, and technology used to defeat them. This is an all-too-often overlooked element of effective cybersecurity and when used correctly, this – along with aligning sound cybersecurity principles with the business goals of our organizations in a risk-based approach – can help an organization achieve cybersecurity efficacy.
Aligning cybersecurity practices to criminological and criminal justice principles is frequently overlooked in the cybersecurity industry because we tend to focus on IT fundamentals. In actuality, when technology is being used to facilitate a crime or the technology itself is the target of a crime – this is the very definition of cybercrime. Integrating criminological and criminal justice principles into a cybersecurity program helps to achieve effective cybercrime protection thereby protecting the assets of an organization as well as the personal and private data of its employees and consumers. Bottom line – when we are talking about cybersecurity, we're often talking about fighting crime, and one proven technique used in criminology is the science of victimology.
Cyber Victimology – Protecting Individuals and Organizations
In criminology, the term victimology is described as studying victims of crimes, the emotional and psychological effects of the crime, and relationships between perpetrators and victims. Important to note here is that studying the victim provides law enforcement investigators insight into who likely committed the crime, why they committed the crime, and the methods they use. This is no different in cybercrime. In fact, Professor Jaishankar of the International Journal of Cyber Criminology has a wealth of research specifically on this topic as well as other specific cyber criminology topics. Professor Jaishankar discusses phenomenon in cybercrime, which includes the overlap between physical crime and online crime. He is a proponent of the new cybercrime theory known as the Space Transition Theory, a theory that proposes that people behave differently in cyberspace than they do in the physical world. Cybercrime is no longer simply hacking and attacking systems – it is an attack on people, their organizations, and the people who make up those organizations. In Jaishankar's book Cybercrime and Victimization of Women, the professor clarifies the definition of cybercrime from the perspective of the victim. So how is this perspective relevant to a business organization's cybersecurity practice?
Just as an individual person has victimology-based characteristics, so do organizations. An organization's business interests, political action campaigns, vigilance level, protection abilities, and cyber risk tolerance are just some of the characteristics that can determine if an organization is more likely to be attacked, by whom, how, and why. This can provide a cybersecurity leader actionable information about how to best protect their organization and its executive leadership from attacks. For example, an organization that performs some type of excavation or resource mining may be a direct target for an eco-terrorist group. A high profile CEO at an organization whose business or political action campaigns do not resonate well with certain hacktivist groups can personally be targeted for both physical attacks as well as cyber-based attacks. Taking the time to establish what an organization's victimology is can help a CISO and their team parallel the right protections and determine what risk posture the organization should assume. This places the business risk into perspective for the Board of Directors. It adds likelihood and impact, which are details that have influence in the boardroom.
Mapping Victimology to Cybersecurity Strategy
Organizations have leadership and each member of that leadership team is a human being with traits of victimology. Along with the leadership, the organization takes on its own unique victimology profile as well. This profile is made up of its core business goals, employee cybersecurity awareness, individual vigilance, organizational awareness, organizational risk appetite and overall cybersecurity protection efficacy. These characteristics make organizational cyber victimology much more complex. The key task for CISOs is to understand the victimological profile of both their organization and their organization's leadership. Then the CISO must map these to the specific cybersecurity program they build while identifying potential adversaries, commonly used tactics, and the subsequent prioritized protections that need to be put into place for the organization's defense.
This is a key reason CISOs need to consider cyber executive protection for key executive staff – they and their families are often the primary victims of complex cybercrime attacks due to their victimology. They can also become triggers for attacks against their organizations or vice versa. A few of the key considerations taken into account in cyber executive protection include the following:
- Analysis of the principal's cyber habits
- The principal's cyber and cyber-physical vulnerability
- Profiles of the principal's inner circle
- The risk of attack
For instance, a CEO of an organization which profits from animal byproducts may attract attention and become a target of organizations such as the Earth Liberation Front or Anonymous, well-known hacktivist groups that established cyber-attack campaigns in the name of animal rights. These groups utilize specific behavioral tactics, techniques, and procedures (TTP), and organizations should employ the victimology traits of an organization and its executive leadership to identify the weaknesses that these types of adversaries will likely attack. TTP's such as spear phishing, watering hole attacks, and brute forcing all used by advanced persistent threat (APT) groups are just one example of TTP's used by specific hacking groups. This provides a roadmap for an organization's cybersecurity defense efficacy and key components of what the cybersecurity program should include.
Adapt Your Cybersecurity Program to Your Risk Profile
This leads to a few major considerations for the CISO or executive cybersecurity leadership of an organization:
- A CISO should develop a comprehensive victimology profile of their organization, the organization's key leadership, and key leadership's close staff.
- Organizations should deploy effective threat intelligence. An effective threat intelligence service should include criminal intelligence analysis along with technical intelligence. This helps with both preemptive protection mechanisms as well as post-event attribution.
- Don't exclusively focus on technology and IT frameworks – also consider criminological elements when building your cybersecurity plan.
- A good solution to solving the major shortage of cybersecurity talents is to leverage criminal justice and criminology majors for roles and not just technologists. They bring this essential (and often overlooked) element of cybersecurity.
An effective cybersecurity program also includes social science elements such as sociology, criminology, and victimology. These elements are specifically those found in criminology and criminal justice. Combining victimology profiling both organizationally and individually can provide effective information in building an effective cybersecurity plan. CISOs must stop falling into the trap of only centering on IT frameworks or methodologies. Inevitably, security leaders and their teams fight crime and help secure their organizations from threat actors. Embracing a holistic approach that incorporates victimology, includes solid threat intelligence, and cyber executive protection will help ensure your cybersecurity program has achieved maturity and efficacy.