Zoe M. King, Diane S. Henshel, Liberty Flora, Mariana G. Cains, Blaine Hoffman, Char Sample
School of Public and Environmental Affairs, Indiana University Bloomington, Bloomington, IN, United States.
Army Research Laboratory, Aberdeen Proving Ground, Aberdeen, MD, United States.
Front Psychol. 2018 Feb 5;9:39. doi: 10.3389/fpsyg.2018.00039. eCollection 2018.
Cyber attacks have been increasingly detrimental to networks, systems, and users, and are increasing in number and severity globally. To better predict system vulnerabilities, cybersecurity researchers are developing new and more holistic approaches to characterizing cybersecurity system risk. The process must include characterizing the human factors that contribute to cybersecurity vulnerabilities and risk. Rationality, expertise, and maliciousness are key human characteristics influencing cyber risk within this context, yet maliciousness is poorly characterized in the literature. There is a clear absence of literature pertaining to human-factor maliciousness as it relates to cybersecurity, and only limited literature relating to aspects of maliciousness in other disciplinary literatures, such as psychology, sociology, and law. In an attempt to characterize human factors as a contribution to cybersecurity risk, the Cybersecurity Collaborative Research Alliance (CSec-CRA) has developed a Human Factors risk framework. This framework identifies the characteristics of an attacker, user, or defender, all of whom may be adding to or mitigating against cyber risk. The maliciousness literature and the proposed maliciousness assessment metrics are discussed within the context of the Human Factors Framework and Ontology. Maliciousness is defined as the intent to harm. Most cyber maliciousness research to date has focused on detecting malicious software but fails to analyze an individual's intent to harm others by deploying malware or performing malicious attacks. Recent efforts to identify malicious human behavior as it relates to cybersecurity include analyzing the motives driving insider threats as well as user profiling analyses. However, cyber-related maliciousness is neither well studied nor well understood, because individuals are not forced to expose their true selves to others while performing malicious attacks.
Given the difficulty of interviewing malicious-behaving individuals and the potentially untrustworthy nature of their responses, we aim to explore maliciousness as a human factor through the observable behaviors and attributes of an individual, drawn from their actions and interactions with society and networks; to do so, we will need to develop a set of analyzable metrics. The purpose of this paper is twofold: (1) to review human maliciousness-related literature in diverse disciplines (sociology, economics, law, psychology, philosophy, informatics, terrorism, and cybersecurity); and (2) to identify an initial set of proposed assessment metrics and instruments from which a future effort might draw to characterize human maliciousness within the cyber realm. The future goal is to integrate these assessment metrics into holistic cybersecurity risk analyses to determine the risk an individual poses to themselves as well as to other networks, systems, and/or users.