1st Edition
Evidence-Based Cybersecurity Foundations, Research, and Practice
The prevalence of cyber-dependent crimes and illegal activities that can only be performed using a computer, computer networks, or other forms of information communication technology has significantly increased during the last two decades in the USA and worldwide. As a result, cybersecurity scholars and practitioners have developed various tools and policies to reduce individuals' and organizations' risk of experiencing cyber-dependent crimes. However, although cybersecurity research and tools production efforts have increased substantially, very little attention has been devoted to identifying potential comprehensive interventions that consider both human and technical aspects of the local ecology within which these crimes emerge and persist. Moreover, it appears that rigorous scientific assessments of these technologies and policies "in the wild" have been dismissed in the process of encouraging innovation and marketing. Consequently, governmental organizations, public, and private companies allocate a considerable portion of their operations budgets to protecting their computer and internet infrastructures without understanding the effectiveness of various tools and policies in reducing the myriad of risks they face. Unfortunately, this practice may complicate organizational workflows and increase costs for government entities, businesses, and consumers.
The success of the evidence-based approach in improving performance in a wide range of professions (for example, medicine, policing, and education) leads us to believe that an evidence-based cybersecurity approach is critical for improving cybersecurity efforts. This book seeks to explain the foundation of the evidence-based cybersecurity approach, review its relevance in the context of existing security tools and policies, and provide concrete examples of how adopting this approach could improve cybersecurity operations and guide policymakers' decision-making process. The evidence-based cybersecurity approach explained aims to support security professionals', policymakers', and individual computer users' decision-making regarding the deployment of security policies and tools by calling for rigorous scientific investigations of the effectiveness of these policies and mechanisms in achieving their goals to protect critical assets. This book illustrates how this approach provides an ideal framework for conceptualizing an interdisciplinary problem like cybersecurity because it stresses moving beyond decision-makers' political, financial, social, and personal experience backgrounds when adopting cybersecurity tools and policies. This approach is also a model in which policy decisions are made based on scientific research findings.
Foreword xv
About the authors xvii
Acknowledgment xix
1 The case for an evidence-based approach to cybersecurity 1
The evidence-based approach 3
Evidence-based medicine 4
Evidence-based policing 5
Evidence-based learning 6
The case for evidence-based cybersecurity 7
References 9
2 Computers, computer networks, the Internet,
and cybersecurity 11
Introduction: computers and computer networks 11
The open system interconnection (OSI) model
and the communication process 13
The importance of cybersecurity 14
The cybersecurity ecosystem 16
Cybersecurity doctrines, practices, and policies 18
Current practices, tools, and policies to secure cyber infrastructures 23
References 25
3 Human behavior in cyberspace 29
Introduction: cybercrime and cyberspace 29
Four key actors within the cybercrime ecosystem 31
The offenders 31
The enablers 32
The victims 33
The guardians 33
Human behaviors as a central element of cybercrime 34
The human factor in the literature on cybercrime 36
A look inside the organization 37
Conclusion 39
References 39
4 Criminological, sociological, psychological, ethical, and
biological models relevant to cybercrime and cybercriminals 43
Introduction 43
Criminological and sociological models relevant to cybercrime 43
The routine activity approach and the problem analysis triangle 44
Environmental criminology 45
Situational crime prevention 47
Anthropological criminology and ethnographic studies 48
Biosocial criminology 50
Psychology and cyberpsychology in the management of cybercrime 51
Cyberpsychology 52
Philosophical and ethical models 54
Hard determinism and crime 54
Compatibilism and crime 55
References 57
5 Science and cybersecurity 63
Introduction 63
The importance of quantitative, qualitative, and mixed research 64
Quantitative, qualitative, or mixed methods? 65
Science, theories, and facts 65
Science in cybersecurity 68
Case reports 70
The problems with surveys, benchmarks, and
validation testing in cybersecurity 71
Surveys 71
Benchmarks 72
Validation testing 72
Research designs in cybersecurity 73
Fundamental observational and controlled research 73
Case-control 74
Simulations 75
Longitudinal research 75
The difference-in-differences research method 76
Time-series design 78
Field research 79
Conclusion 79
References 80
6 Network security and intrusion detection systems 85
Introduction 85
Network security and intrusion detection systems
in cybersecurity 86
Intrusion detection system categories 87
Endpoint detection systems (EDSs) 89
Security information and event management (SIEM) systems 90
Data loss prevention (DLP) 91
Challenges in evaluating security tools 92
Surveys and think tanks reports 93
Intrusion-detection assessment metrics 94
The way forward in protecting the network from intrusions 95
Data science: data analytics, machine learning,
and artificial intelligence 95
From a rule-based approach to data analytics 96
Machine learning and artificial intelligence 97
The use of honeypots in intrusion detection and network security 98
An evidence-based approach 101
Conclusion 101
Note 102
References 102
7 The Internet of Things (IoT), data security, and website
security 109
Introduction 109
The IoT 110
What risks are associated with the IoT? 111
Online attacks against IoT 114
IoT architecture and protocol stack 115
IoT risk frameworks 116
IoT security tools and defense techniques for data security 117
Network intrusion detection systems (NIDSs)
in an IoT environment 119
Metrics to measure effectiveness 120
Examples of IoT security empirical research designs 120
Website security 121
Web defacement 122
An example of evidence-based research design 124
Threat hunting: a proactive approach to mitigating
risks to IoT, data security, and website security 125
Conclusion 126
References 127
8 Data privacy, training, and awareness and cybersecurity
frameworks 133
Introduction 133
Data privacy 133
Digital risks 134
Data breaches 135
Cybersecurity governance 135
Information security control frameworks 137
ISO 27001 and 27002 137
NIST 138
Laws, regulations, and industry standards 139
The General Data Protection Regulation (GDPR) 139
PCI DSS – payment card industry 139
HIPAA – health-related information 140
New York Department of Financial Services
(NYDFS) cybersecurity regulations 140
Cybersecurity training and awareness 141
Games and gamification 142
Assessment tools 144
The Federal Financial Institution Examination
Council (FFIEC) cybersecurity assessment tool 144
Research methods to evaluate cybersecurity
awareness tools 145
Additional practical tools 145
Targeted audit and penetration testing 145
Surveys and executive workshops 146
Risk assessment 146
Impact and probability levels to assess risks 147
Relevant conceptual and research designs 148
Other examples of related work 150
Conclusion 151
Notes 152
References 152
9 Risk and threat intelligence: The effectiveness of online
threat intelligence in guiding financial institutions’ incident
response to online banking account takeovers 159
Introduction 159
Background 160
Bank ATO and financial institutions response 160
Situational crime prevention 161
Denying benefits as a proactive incident response
to ATO incidents 162
Threat intelligence and responding to ATO incidents 166
The current study 167
Data and methods 168
Results 169
How prevalent is information on breached bank
accounts on text message applications? 169
How much of the information posted on the dark
web or online encrypted applications is valid? 170
How much of this intelligence is actionable and could be
used to support financial institutions’ incident response? 172
How much money could an effective intelligence-based
incident response to ATO save for the victim? 172
Discussion 174
Limitations 176
Conclusion 176
Notes 177
References 177
10 The future of evidence-based cybersecurity 181
Introduction 181
The advancement of technology and the intertwining
of our digital and physical lives 182
Future cybersecurity threats to consider 182
Common specific threats to consider in the future 184
Email security and social engineering 184
Ransomware attacks 184
Single-factor authentication 185
Future sophisticated threats 187
Quantum computing 187
Blockchain threats 188
Machine learning and artificial intelligence 189
Deepfakes 191
State-level hackers and nation-state attacks 191
List of suggestions and recommendations 193
Rethink investment in cybersecurity 193
Law enforcement 194
Academics 194
Governments and private organizations 195
Education 195
Multidisciplinary cybersecurity teams 195
Threat hunting tools and techniques 196
Learning from mistakes 197
Homomorphic encryption and privacy 198
The Zero Trust approach 199
Public and private partnerships 200
An evidence-based cybersecurity approach to developing
new and innovative detection and mitigation approaches 201
Conclusion 203
References 203
Index 209
Biography
Dr. Pierre-Luc Pomerleau is a Partner at VIDOCQ. His role consists of assisting VIDOCQ’S clients in growing their business and innovating while managing their risks and protecting their assets. He does so by bringing years of experience and deep expertise in cybercrime, investigation, fraud prevention, anti-money laundering, physical security, business administration, technology, and risk management. Before joining VIDOCQ, he was Vice President at National Bank of Canada, managing the Financial Crime and Corporate Security division, including data analytics and innovation.
Dr. Pomerleau holds a Ph.D. in Business Administration with a specialization in Homeland Security from Northcentral University (USA), an MBA from the University of Sherbrooke (Canada), and a bachelor's degree in criminology from the University of Montreal (Canada). He holds various security and financial crime professional certifications such as the CPP, PSP, PCI, CFE, CAMS, CCCI & CFCI certifications. In addition to his role with VIDOCQ, Dr. Pomerleau is currently an adjunct in cybersecurity at Polytechnique Montreal. From 2020 to 2021, he was a postdoctoral researcher and a research associate in cybercrime at Georgia State University (USA). In 2020, he published his book Countering Cyber Threats to Financial Institutions; A Private and Public Partnership Approach to Critical Infrastructure. From 2015 to 2018, he was the President of the Association of Certified Fraud Examiner Montreal Chapter. In October 2016, he was awarded an honorary diploma by the University of Montreal School of Criminology for his exemplary contribution to the advancement of society.
Dr. David Maimon is an Associate Professor in the Department of Criminal Justice and Criminology at Georgia State University (GSU) and the director of the Evidence-Based Cybersecurity research group (see ebcs.gsu.edu). He received his Ph.D. in Sociology from the Ohio State University in 2009. Prior to joining GSU, Dr. Maimon held academic position in the Department of Criminology and Criminal Justice in the University of Maryland, and the Department of Sociology in the University of Miami. In 2015 he was awarded the "Young Scholar Award" from the "White-Collar Crime Research Consortium of the National White-Collar Crime Center" for his cybercrime research. Throughout his career he has raised more than $3 million to conduct Evidence-Based Cybersecurity research. Since joining GSU, Dr. Maimon has established the Evidence-Based Cybersecurity Research Group, where he and his researchers seek to produce and review multi- and interdisciplinary empirical evidence about the effectiveness of cybersecurity tools and policies. The group and its unique approach to cybersecurity education and research have been acknowledged on popular media platforms (https://edtechmagazine.com/higher/article/2020/09/training-next-generation-cyber-professionals). Moreover, the group's close relationships with cybersecurity professionals in several industries and law enforcement agencies have led to the adoption of the Evidence-Based Cybersecurity approach by several organizations. Dr. Maimon teaches the course "Intro to Evidence-Based Cybersecurity" at the undergraduate level, and "Evidence-Based Cybersecurity" at the graduate level.
"This is a tremendous resource for every security professional and organization whose goal is to improve their cybersecurity posture. The evidence-based cybersecurity approach ties the criticality of understanding human behavior with the technical aspects of cyber-crime. A true data centric treasure trove of valuable knowledge."
- Kausar Kenning, Executive Director, Cyber Security, Morgan Stanley
"Despite its technical nature, the evidence base supporting cybersecurity as a field of practice remains flimsy, at best. Some have even compared cybersecurity to "medieval witchcraft". This timely and essential book provides a much needed and comprehensive overview of the available evidence and of the knowledge gaps that persist, also charting the path ahead for a more scientific approach to the design, implementation, and evaluation of cybersecurity measures."
- Dr. Benoît Dupont, Professor of Criminology, University of Montreal, Canada, and Canada Research Chair in Cybersecurity.
"Dr. Pomerleau does a masterful job of deep diving into the realm of contemporary Cybersecurity. Beyond recounting the historical evolution of Cybersecurity, Pomerleau astutely weaves together a traditional IT risk management system approach with a multi-faceted humanistic approach (with ethical, sociological, psychological, and criminal elements) to present a comprehensive how-to guide for evidence-based Cybersecurity analysis."
- Dr. David L. Lowery, Full Professor of Homeland Security & Public Administration, Northcentral University