User-Centric Security Threats
This section describes an overview of assets in Domain 6 on User-centric security. Here the term users refers to human users of information technologies in a professional context. We do not include software systems mimicking human users (e.g., bots, autonomous agents) and also, in the classification of security threats and attack samples, we exclude home users engaging in recreational personal usage of information technologies. Rather, we specifically categorize assets according to a typical industrial scenario and, equally, threats as perceived from a company’s perspective. In general, users may have the double role of perpetrator of a threat (e.g., a threat is carried out by human actions) or victims (e.g., individuals are the asset targeted by a threat). Therefore, what should be reasonably included in the user-centric security domain? Individuals as perpetrators or as victims? There is not a clear-cut answer, especially considering that users as perpetrators of security violations are necessarily considered in other domains too, and several semi-automated attack vectors, such as botnets, are operated by humans. Furthermore, humans are responsible for all kinds of cybercrimes, in the end, even social bots used in frauds have been designed by humans and provide illicit benefits to some humans. The same for humans as victims. For most security incidents, the consequences are likely to impact humans. Systems experiencing downtime, malicious applications, compromised IoT networks likely have a negative impact on human activities. Therefore, some more stringent criteria should be adopted.
Threats
In this section, we discuss the threats that can be mapped to the User asset taxonomy previously presented. Before introducing the major characteristics of the threat taxonomy, a note of caution should be presented because the User domain, of all the cybersecurity domains, is the more recent to be considered as a primary domain of concern and, for this reason, and also for the non-technical nature of many related aspects, its scope is still somehow debated or sometimes ambiguously defined. For example, still, a few years ago, the Health Information Trust Alliance stated that “cybersecurity does not address non-malicious human threat actors, such as a well-meaning but misguided employee.”[1] This means that still recently and, at least, for a relevant organization in one of the key industrial sectors, human errors were largely out of the scope of cybersecurity. This would be inconceivable today with respect to current cybersecurity analyses and after the User domain has been elevated at the same level of traditional cybersecurity domains such as Systems, Networks, or Data.
On the other side, it is not uncommon today to encounter articles on online cybersecurity-related magazines and in surveys making claims such as “malicious insiders and human error to be the two top cybersecurity threats”.[2] These claims, together with the utterly misleading logical fallacy of considering users (or the human factor) as threats (as well as the too-often repeated analogy, in technical circles, between users and the weakest link in a chain), grossly overstate and confound threats connected with the User domain, with the aim of shifting the attention of organizations and professionals to the newest hype. Click-baiting editorial styles or commercial interests are likely part of the motivations for such poor information, but a general lack of understanding and experience with studies on human errors and user behavior connected to IT technologies is equally an important factor.
However, these anecdotes should remind of the fact that the boundaries and the threats of the User domain are still to be regarded as, to some extent, subjective and not yet well established. More thoroughly conceived and articulated analyses have appeared in recent years raising the attention to the human factor in cybersecurity. For example, NIST, through the Federal Information System Security Educators’ Association (FISSEA), has concluded that human errors and negligence often play an important role in the chain of events leading to data breaches. Also, security risk management and business operations are often disconnected functions, resulting in a poorly coordinated process management[3]. The Verizon Data Breach Investigation Report (DBIR)[4], a respected annual survey, for the current 2019 edition confirms that the category Miscellaneous Errors, while not among the most relevant for security incidents (i.e., security events not resulting in data breaches, such as Denial of Services), it is instead one of the lost likely patterns for data breaches. Interestingly, other categories that could be partially referred to the User domain, such as Privilege Misuse (e.g., employees using their system and data access privileges outside their job duties) and Cyber-Espionage (e.g., this threat category often adopt deceitful techniques to target specific employees or make use of unfaithful insiders), are relevant. Such results hardly represent a surprise, in fact, their relevance is a fact from years.
Many have debated about the importance of the organization for cybersecurity and, to this regard, the expression Human-centered security has been used. Holz et al.[5] have presented a detailed research agenda aimed at reorganizing industrial processes of cybersecurity around the role of individuals in all their form, as software developers, IT integrators, system administrators, and end-users. Many others, for instance, ENISA[6], Corradini and Nardelli[7], and Safa et. al.[8] have addressed the security threats related to users focusing on the perceived need of more and better training of the workforce. The lack of adequate training programs and curricula for cybersecurity professionals as one of the main reasons for the gap in the available workforce is widely debated worldwide and the subject of several proposals[9][10][11].
Regarding cybercrimes, the User domain is more specifically concerned with identifying who is responsible, which characteristics they exhibit, and their main motivations and pattern of activity. Two large profiles have emerged in recent years: criminal organizations and state-sponsored groups; the former mainly responsible for financially motivated crimes, the latter mainly driven by cyber-espionage and data breaches. Criminal groups exploit vulnerabilities in existing technologies, as well as the features offered by new technologies, engaging in the traditional arms race with law enforcement and companies’ prevention and mitigation solutions. State-sponsored attacks are often framed with reference to cyberwarfare[12][13]. Despite that reference could be reasonable in certain situations and for specific contexts, however, it often confounds the analysis by focusing more specifically on geopolitical and military issues than on more operational and business-related threats[14]. State-sponsored attacks are mostly related to cyber-espionage; thus, they represent a lucrative activity for the perpetrators and, often, a severe competitive loss for the victims[15][16][17]. Therefore, they should probably more conveniently framed with respect to international market competition and the protection of strategic investments.
Finally, we mention two classes of threats that still are not commonly included in cybersecurity threat taxonomies: threats to a company’s market share and threats from amplification effects on media. Analyses of the economic and financial consequences of a security breach have been studied from long[18][19][20][21]. However, it is still an issue that has not entered the mainstream in cybersecurity and requires more and better-detailed analyses. In some cases, the actual negative effects, especially long term effects, have been questioned, on the basis of the complex and non-linear cause-effect relationships governing stock prices[22][23][24].
The amplification effect of media, traditional or online, with respect to risks and threats is a well-known effect that is still largely ignored in cybersecurity threat taxonomies. On the opposite, it is important to consider, at least as one of the new threat sources to put on a watch list. Episodes where the social amplification of risks, driven by the media, have had relevant effects are discussed in the literature[25][26][27][28].
In summary, a threat to User assets can be considered as “any circumstance or event that produces adverse effects primarily on individuals as part of an organization or as stakeholders. The threat should be carried out through digital means, either voluntarily (attack/cybercrime) or involuntarily (human error)”. The threat taxonomy is composed of the following categories:
- TG6.1 – Human errors: This group includes all threats causing unintentional information leakage or sharing due to human errors.
- TG6.2 – Privacy breaches: This group includes all threats causing privacy breaches.
- TG6.3 – Cybercrime: This group includes all threats due to data/model poisoning and aiming to picture a scenario that not adhere to reality.
- TG6.4 – Media amplification effects: This group includes threats coming from nefarious activities. It requires active attacks targeting the infrastructure of the victim, including the installation or use of malicious tools and software.
- TG6.5 – Organisational threats: This group includes threats to the organizational sphere.
Threat Group TG6.1: Human errors
Threat T6.1.1: Mishandling of physical assets
Physical assets like laptops and disposable data storage are often lost or stolen. In most cases, this event has moderate effects, if any, but it happened that in few circumstances it resulted in severe consequences. This is a typical threat caused by human errors.
Assets: All assets.
Threat T6.1.2: Misconfiguration of systems
System misconfiguration is probably the most typical example of human error. All types of systems are systematically misconfigured, often resulting in small failures, sometimes representing one of the major causes of cyber risks, as witnessed by all security surveys.
Assets: All assets.
Threat T6.1.3: Loss of CIA on data assets
This threat generally refers to data breaches and data leaks, so it mostly refers to the Data Domain. However, it often has an undoubtedly human component that makes it worth to be included in the User domain, too. Access privileges are often misused, credentials are managed improperly, and trust is given to someone impersonating someone else or exploiting employees’ good faith.
Assets: All assets.
Threat T6.1.4: Legal, reputational, and financial cost
A security incident may have effects that go well beyond the technical domain and production processes. Intangible goods, such as the brand reputation, the financial solidity of the company, and the trustworthiness of the management could suffer some consequences that might be addressed outside the technical competences and mostly by the financial direction, marketing, and the highest company management levels.
Assets: All assets.
Threat Group TG6.2: Privacy breaches
Threat T6.2.1: Profiling and discriminatory practices
In recent years, the US Federal Trade Commission FTC) has actively monitored data brokers’ practices and its reports have shed a light on such a crucial while the elusive industrial segment of the digital society with enormous implications on online privacy. The conclusion of the FTC is disheartened: “In the nearly two decades since the Commission first began to examine data brokers, little progress has been made to improve transparency and choice”. In Europe, GDPR has introduced severe limitations and fines for commercial profiling, however, it does not seem to have stopped the practice of profiling web users for advertising purposes. Other discriminatory practices have been conjectured for Internet giants like Google[29] and Facebook.[30]
Assets: “External”.
Threat T6.2.2: Illegal acquisition of information
Illegal acquisition of data may happen as a consequence of hacking, of malware exfiltrating information, or of data breaches. This is also an important threat, and considers incidents resulting in a compromise or loss of data. This threat represents the typical domain of privacy. Users could be both targets and actors for this threat, depending on their role. The issue has been debated and analyzed extensively and has evident cross-domain aspects. Several comprehensive reports and surveys are available[31][32], as well as specific professional skills and profiles.
Assets: All assets.
Threat Group TG6.3: Cybercrime
Threat T6.3.1: Organized criminal groups’ activity
As mentioned before, the threat from organized criminal groups has been clearly recognized in analyses produced in recent years as those mostly related to financial gain. The use of malware, botnet, ransomware, and hacking is often related to criminal organizations, which are moving online for their illegal activity. Dark web markets selling illegal goods, private encrypted online chat, and other online forums are new ways for organized criminal groups to extend their business.
Assets: “Internal”, “Intangible”.
Threat T6.3.2: State-sponsored organizations’ activity
Similar to the previous threat, we have already presented the threat connected to state-sponsored organizations like the one most related to cyber-espionage. Market competition in key sectors of the economy, such as advanced technology, energy, and innovative manufacturing techniques, has always suffered from industrial espionage. The diffusion of online services and networked systems as enormously increased the possibilities for those willing to access proprietary data.
Assets: All assets.
Threat T6.3.3: Malicious employees or partners’ activity
Threats from insiders have been extensively debated in the last two decades, at least, with alternate emphasis. In some years, the threat from malicious employees reached the hype on the specialized press, with someone even claiming that it had exceeded the dangers from outside an organization. More pragmatic studies and surveys, such as Verizon DIBIR, have instead confirmed that despite some fluctuation in the reported cases, the proportion between breaches originated from the inside and those from the outside remained close to the classical 20-80 proportion. Therefore, it never happened a sort of explosion of internal attacks. What is instead true is that inside attackers are likely to exploit better information and higher privileges, increasing the odds of severe consequences.
Assets: “Internal”.
Threat Group TG6.4: Media amplification effects
Threat T6.4.1: Misinformation/disinformation campaigns
This threat group is the less common in cybersecurity threat taxonomies and wants to consider the relevance that media (social and online media, in particular) have in spreading information and amplifying the effect of news in the public opinion, which does not just include laymen, but professionals, business partners, potential customers and investors, and the authorities, too.
Assets: All assets.
Threat T6.4.2: Smear campaigns/market manipulation
Similar to the previous threat, in this case, we account for the possibility that a smear campaign is directed towards a company or some representative figures with the aim of manipulating the market, for instance, the stock price or a market opportunity.
Assets: All assets.
Threat T6.4.3: Social responsibility/ethics-related incidents
Ethics has been under the spotlight in the last few years, mostly for questionable activities of companies of the so-called “shared economy” and the potential consequences of AI-driven decision technologies. This represents a new cybersecurity threat for organizations, which might be attacked by crafting an incident based on ethical problems. Combined with previous threats regarding online media, ethics-related issues represent a new form of social responsibility for companies, that should be carefully considered because a negative press or public opinion campaign might have severe consequences on the business.
Assets: All assets.
Threat Group TG6.5: Organizational threats
Threat T6.5.1: Skill shortage/undefined cybersecurity curricula
We have previously introduced and discussed this threat. Skill shortage in cybersecurity is a problem regularly debated in cybersecurity conferences and professional events because it regards the majority of organizations. New initiatives to standardize academic curricula exist, together with a trend towards the professionalization of the role of cybersecurity experts [10][33]. However, it is still not clear and certainly far from a large agreement what should be the core skills of a cybersecurity expert and how to have a larger and better-prepared workforce.
Assets: “Internal”.
Threat T6.5.2: Business misalignment/shift of priorities
This represents the typical domain of eGovernment, where one of the main goals is to keep a constant alignment between IT and business goals and between IT processes and the corporate strategy. Similarly, governance of corporate cybersecurity is needed and should be more mature than the present situation.
Assets: “Internal” and “External”.
Emerging Threats in 2021
The following is the list of Network-centric security threats that emerged in 2021.
Threat T6.5.3: Pivoting
Attackers use a pivoting approach when they leverage the capabilities of a compromised user to attack other users or an organization. The attack may be accomplished without the “pivot” users’ knowledge (i.e., by using involuntarily leaked access information) or by extortion (i.e., through blackmailing). In both cases, the compromised users are a threat with, potentially, comparable capabilities to a malicious insider.
[1] WhiteHouse,The Cost of Malicious Cyber Activity to the U.S. Economy,2018, Available: https://www.whitehouse.gov/wp-content/uploads/2018/03/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf
[2] Human Factor is a Persistent Cybersecurity Threat, Survey Says. Security Magazine, August 2019. https://www.securitymagazine.com/articles/90734-human-factor-is-a-persistent-cybersecurity-threat-survey-says
[3] Cybersecurity – the Human Factor: Prioritizing People Solutions to improve the cyber resiliency of the Federal workforce. FISSEA. 2017. https://csrc.nist.gov/CSRC/media/Events/FISSEA-30th-Annual-Conference/documents/FISSEA2017_Witkowski_Benczik_Jarrin_Walker_Materials_Final.pdf
[4] Data Breach Investigations Report 2019, https://enterprise.verizon.com/resources/reports/dbir/
[5] T Holz, N Pohlmann, E Bodden, M Smith, and J Hoffmann. Human-centered systems security: It-sicherheit von menschen für menschen,2016
[6] ENISA, Cyber Security Culture in organisations. February 2018.https://www.enisa.europa.eu/publications/cyber-security-culture-in-organisations
[7] Isabella Corradini and Enrico Nardelli. Building organizational risk culture in cyber security: the role of human factors. InInternationalConference on Applied Human Factors and Ergonomics, pages 193–202. Springer, 2018.
[8] Nader Sohrabi Safa, Rossouw Von Solms, and Lynn Futcher. Human aspects of information security in organisations.Computer Fraud &Security, 2016(2):15–18, 201
[9] Alex Vieane, Gregory Funke, Robert Gutzwiller, Vincent Mancuso, Ben Sawyer, and Christopher Wickens. Addressing human factorsgaps in cyber defense. InProceedings of the Human Factors and Ergonomics Society Annual Meeting, volume 60, pages 770–773. SAGEPublications Sage CA: Los Angeles, CA, 2016.
[10] Awais Rashid, George Danezis, Howard Chivers, Emil Lupu, Andrew Martin, Makayla Lewis, and Claudia Peersman. Scoping the cybersecurity body of knowledge.IEEE Security & Privacy, 16(3):96–102, 2018.
[11] Hussain Aldawood and Geoffrey Skinner. Challenges of implementing training and awareness programs targeting cyber security socialengineering. In2019 Cybersecurity and Cyberforensics Conference (CCC), pages 111–117. IEEE, 2019.
[12] Rex Hughes. Nato and cyber defence.Atlantisch Perspectief, 33, 2009.
[13] Martin Courtney. States of cyber-warfare.Engineering & Technology, 12(3):22–25, 2017
[14] Christopher S Yoo. Cyber espionage or cyberwar?: International law, domestic law, and self-protective measures.Cyberwar: Law andEthics for Virtual Conflicts (Jens David Ohlin, Kevin Govern, Claire Finkelstein, eds., 2015), pages 15–3, 2015.
[15] Catherine Everett. The lucrative world of cyber-espionage.Computer Fraud & Security, 2009(7):5–7, 2009.
[16] Bryan Watkins. The impact of cyber attacks on the private sector.Briefing Paper, Association for International Affair, 12, 2014.
[17] Martin S Bressler and Linda Bressler. Protecting your company’s intellectual property assets from cyber-espionage.Journal of Legal,Ethical and Regulatory Issues, 18(1):21, 2015.
[18] Ashish Garg, Jeffrey Curtis, and Hilary Halper. Quantifying the financial impact of it security breaches.Information Management &Computer Security, 2003.
[19] Esther Gal-Or and Anindya Ghose. The economic consequences of sharing security information. InEconomics of information security,pages 95–104. Springer, 200
[20] Sangmi Chai, Minkyun Kim, and H Raghav Rao. Firms’ information security investment decisions: Stock market evidence of investors’behavior.Decision Support Systems, 50(4):651–661, 2011
[21] Lawrence A Gordon, Martin P Loeb, and Lei Zhou. The impact of information security breaches: Has there been a downward shift incosts?Journal of Computer Security, 19(1):33–56, 2011.
[22] Vernon Richardson, Marcia Weidenmier Watson, and Rodney E Smith. Much ado about nothing: The (lack of ) economic impact of dataprivacy breaches.Journal of Information Systems, 2019.
[23] Zhijian He, Tracie Frost, and Robert Pinsker. The impact of reported cybersecurity breaches on firm innovation.Journal of InformationSystems, 2019.
[24] Pierangelo Rosati, Mark Cummins, Peter Deeney, Fabian Gogolin, Lisa van der Werff, and Theo Lynn. The effect of data breachannouncements beyond the stock price: Empirical evidence on market activity.International Review of Financial Analysis, 49:146–154,2017.
[25] Clifford W Scherer and Hichang Cho. A social network contagion theory of risk perception.Risk Analysis: An International Journal,23(2):261–267, 2003.
[26] Vian Bakir. Media and risk: old and new research directions.Journal of risk research, 13(1):5–18, 2010
[27] K Jae Chung. Social amplification of risk in the internet environment.Risk Analysis: An International Journal, 31(12):1883–1896, 2011.
[28] Wajeb Gharibi and Maha Shaabi. Cyber threats in social networking websites.arXiv preprint arXiv:1202.2420, 2012.
[29] David Shepardson and Bryan Pietsch, U.S. states launch antitrust probe of Google, advertising in focus. Reuters, September 2019. https://www.reuters.com/article/us-tech-antitrust-probe/u-s-states-launch-antitrust-probe-of-google-advertising-in-focus-idUSKCN1VU107
[30] Katie Paul and Akanksha Rana, U.S. charges Facebook with racial discrimination in targeted housing ads. Reuters, March 2019. https://www.reuters.com/article/us-facebook-advertisers/hud-charges-facebook-with-housing-discrimination-in-targeted-ads-on-its-platform-idUSKCN1R91E8
[31] Eran Toch, Claudio Bettini, Erez Shmueli, Laura Radaelli, Andrea Lanzi, Daniele Riboni, and Bruno Lepri. The privacy implications ofcyber security systems: A technological survey.ACM Computing Surveys (CSUR), 51(2):1–27, 2018.
[32] Haina Ye, Xinzhou Cheng, Mingqiang Yuan, Lexi Xu, Jie Gao, and Chen Cheng. A survey of security and privacy in big data. In201616th international symposium on communications and information technologies (iscit), pages 268–272. IEEE, 2016.
[33] CyBok, The Cyber Security Body Of Knowledge. Version 1.0, October 2019. https://www.cybok.org/
Università degli Studi di Milano
Via Celoria 18, 20133 Milano MI - Italy
+39 02 503 16333 - sesarlab@unimi.it