Evidence-Based Cybersecurity
eBook - ePub

Evidence-Based Cybersecurity

Foundations, Research, and Practice

Pierre-Luc Pomerleau, David Maimon

230 pages
English
ePUB (mobile friendly)
Available on iOS & Android

About This Book

The prevalence of cyber-dependent crimes, illegal activities that can only be performed using a computer, a computer network, or another form of information and communication technology, has increased significantly during the last two decades in the USA and worldwide. As a result, cybersecurity scholars and practitioners have developed various tools and policies to reduce the risk that individuals and organizations experience cyber-dependent crimes. However, although cybersecurity research and tool production have increased substantially, very little attention has been devoted to identifying comprehensive interventions that consider both the human and the technical aspects of the local ecology within which these crimes emerge and persist. Moreover, rigorous scientific assessments of these technologies and policies "in the wild" appear to have been set aside in the rush to encourage innovation and marketing. Consequently, government agencies and public and private companies allocate a considerable portion of their operating budgets to protecting their computer and internet infrastructure without knowing how effective the various tools and policies are at reducing the myriad risks they face. This practice may complicate organizational workflows and increase costs for government entities, businesses, and consumers.

The success of the evidence-based approach in improving performance in a wide range of professions (for example, medicine, policing, and education) leads us to believe that an evidence-based cybersecurity approach is critical for improving cybersecurity efforts. This book seeks to explain the foundation of the evidence-based cybersecurity approach, review its relevance in the context of existing security tools and policies, and provide concrete examples of how adopting this approach could improve cybersecurity operations and guide policymakers' decision-making. The evidence-based cybersecurity approach explained here aims to support the decisions of security professionals, policymakers, and individual computer users about deploying security policies and tools by calling for rigorous scientific investigation of whether those policies and mechanisms actually achieve their goal of protecting critical assets. The book illustrates how this approach provides an ideal framework for conceptualizing an interdisciplinary problem like cybersecurity, because it stresses moving beyond decision-makers' political, financial, social, and personal-experience backgrounds when adopting cybersecurity tools and policies. It is also a model in which policy decisions are made on the basis of scientific research findings.

Is Evidence-Based Cybersecurity an online PDF/ePUB?
Yes, you can access Evidence-Based Cybersecurity by Pierre-Luc Pomerleau, David Maimon in PDF and/or ePUB format, as well as other popular books in Computer Science & Cybersecurity.

Information

Publisher
CRC Press
Year
2022
ISBN
9781000600933
Edition
1

Chapter 1: The case for an evidence-based approach to cybersecurity

DOI: 10.1201/9781003201519-1
Cyber-dependent crimes, such as hacking or distributing malicious software, are crimes that could not exist without computer technology and the Internet (McGuire & Dowling, 2013). Although the actual frequency of these crimes against individuals and organizations is still unknown, it is obvious that they are costly and disruptive to their victims and to society at large. Take, for example, the cyberattack on Colonial Pipeline that began on 29 April 2021. According to media reports, a group of hackers known as ‘DarkSide’ infiltrated the networks of Colonial Pipeline through a virtual private network account that was no longer in use at the time of the attack but had never been deactivated (and, as later reported, was not protected by multi-factor authentication). A little over a week after the initial infiltration, a ransom note appeared on the company’s computers, demanding a cryptocurrency payment. The hackers had stolen nearly 100 gigabytes of data from Colonial Pipeline computers and threatened to leak it if the ransom wasn’t paid.
The employee who discovered the note notified an operations supervisor, who immediately began the process of shutting down the pipeline. Colonial Pipeline paid the hackers a US$4.4 million ransom shortly after the hack. However, the company did not reopen the pipeline until its in-house security experts and a team of cybersecurity consultants could conclusively determine that the attack had been contained. The shutdown caused a sudden fuel shortage across the eastern half of the United States (Englund & Nakashima, 2021). This attack is only one of many ransomware attacks in the past few years: according to the Identity Theft Resource Center (2021), 18% of the 878 cyberattacks reported in 2020 were ransomware attacks. Reports from all around the globe document governmental and private organizations being held hostage by ransomware, and many agree to pay the ransom solely to avoid the cost of extended downtime. The average ransom payment alone increased from US$115,123 in 2019 to US$312,493 in 2020 (Unit 42, 2021).
Other forms of cybercrime are equally disruptive. In its 2021 report, Verizon (2021) documented a total of 5,258 confirmed data breaches across 16 industries and four world regions. Many of these breaches harmed both the hacked companies and their customers. For example, the luxury department store chain Neiman Marcus disclosed in September 2021 that the personal information of 4.6 million of its customers had been compromised during a 2020 breach of the company’s servers. The compromised information included customer names, addresses, contact information, usernames and passwords for Neiman Marcus online accounts, and credit card numbers and expiration dates (Sharma, 2021). Hacked customer databases are often uploaded to darknet platforms, where online offenders use them in their ongoing fraud operations.
Meanwhile, Distributed Denial of Service (DDoS) attacks, spamming, and malware campaigns are constantly growing in both intensity and volume. Voice over IP (VoIP) providers are common victims of DDoS attacks. One major attack, on VoIP.ms, started on 16 September 2021, targeting their domain name system (DNS) name servers and other infrastructure to disrupt telephony services. This resulted in customers being unable to make or receive calls (McKeever, 2021).
In this climate of ever-evolving transnational crime, numerous cybersecurity companies offer a wide range of services to reduce individuals’ and organizations’ cybercrime risk. Starting with application and endpoint security solutions, going through network security tools, and ending with risk assessment and threat intelligence products, these companies promise to strengthen their customers’ cybersecurity infrastructure and reduce the probability of cybercrime victimization. A recent cost assessment by Proven Data reveals how pricey these services can get. For example, firewall protection (including product cost, installation fees, and monthly/yearly subscription) is expected to cost between US$1,500 and US$15,000, depending on the size of the client network and the client’s security needs.
For other services, most businesses pay US$3–$6 per user per month for quality email protection, between US$3 and $5 per user per month for basic antivirus on their workstations, and another US$5–$8 per server per month. The average cost for endpoint detection and response ranges between US$5 and $8 per user per month and US$9–$18 per server per month, and the cost of two-factor authentication can be US$0–$10 per user per month. Finally, the cost of a vulnerability assessment ranges between US$1,500 and $6,000 for a network with 1–3 servers and between US$5,000 and $10,000 for a network with 5–8 servers, while the pricing for network monitoring can range between US$100 and $500 per month for a small network and US$500–$2,000 per month for a medium-sized network (Proven Data, 2021). Unfortunately, our knowledge of the effectiveness of these services and tools is limited, so it is impossible to tell how successful they are at preventing and mitigating cyberattacks. These circumstances led Anderson and Moore (2006) to describe cybersecurity as a ‘market for lemons.’
Akerlof (1970) coined the term ‘market for lemons’ to describe a market failure in which the quality of goods traded in a market is degraded by information asymmetry between buyers and sellers. In his classic example, Akerlof described a situation in which potential buyers of a used car have less information about the car than the seller does, simply because the seller knows the history of the car being offered for sale. Under such conditions, the buyer is willing to pay only a fixed price that averages the value of a defective car (a ‘lemon’) and a good car (a ‘peach’). According to Akerlof, the quality of the cars traded in this market can then degrade until only lemons remain. Sellers know whether the car they are selling is a peach or a lemon, but selling a peach at the lower average price (dragged down by the lemons) would cause them to lose money, so they withdraw the peaches from the market. This reduces buyers’ average willingness to pay even further, drives prices down, and may even cause the market to collapse.
A similar information asymmetry exists in the cybersecurity market, where consumers have less information about security products and services than vendors do. In fact, some vendors do not even have enough information to justify the security claims of the products they sell. In this kind of market, consumers are unwilling to pay high prices for cybersecurity products, so instead they ‘gamble’ on the security of their organizations by deploying cheaper ones. If vendors of high-quality cybersecurity products cannot cover their production costs at the price the market will bear, they may exit the market altogether, leaving behind a market dominated by low-quality products.
One of the solutions for a market for lemons is changing the information asymmetry between consumers and vendors. For example, using Akerlof’s (1970) example of a used-car market, buyers can become more informed about the quality of the used car they are considering by hiring a mechanic who can inspect the car on their behalf. Such inspections will reduce the information asymmetry but may be costly in their own right. A similar change in the information asymmetry regarding the effectiveness of cybersecurity products and tools is desirable within the cybersecurity ecosystem. To drive this change, we propose using the evidence-based approach to guide practitioners’ and scholars’ efforts to generate empirical evidence around cybersecurity tools and policies. This book aims to explain the basic tenets of the evidence-based approach in cybersecurity and demonstrate its relevance for guiding consumers’ decisions before, during, and after they implement security technologies.
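The unravelling described above, and the effect of the ‘mechanic’s inspection’ remedy, can be made concrete with a small simulation. This is an added illustration, not code or data from the book: the product qualities, the seller’s reservation value (assumed to be a fixed fraction of a product’s true quality) and the inspection cost are all constructed assumptions chosen to show the dynamic, not figures from any real market.

```python
"""Akerlof 'market for lemons' unravelling applied to security products.

Added illustration (not from the book). Each product has a hidden quality,
which is its true value to the buyer. Without inspection, buyers can only
pay the average quality of whatever is currently on offer; sellers withdraw
any product whose reservation value exceeds that price, which lowers the
average and triggers further withdrawals. With an inspection, the buyer
learns each product's quality and pays for it individually, minus the cost
of the inspection itself.
"""
from typing import List

# Constructed sample: hidden quality (value to the buyer) of eight products.
QUALITIES = [10.0, 20.0, 30.0, 40.0, 50.0, 60.0, 70.0, 80.0]

# Assumption: a seller will not part with a product for less than this
# fraction of its true quality (its reservation value).
SELLER_SHARE = 0.8


def unravel(qualities: List[float], seller_share: float = SELLER_SHARE) -> List[float]:
    """Qualities still traded once the uninspected market reaches a fixed point.

    Buyers cannot tell products apart, so the price is the mean quality of
    what is offered. Each round, sellers whose reservation value exceeds that
    price withdraw; the loop stops when nobody else leaves.
    """
    offered = sorted(qualities)
    while offered:
        price = sum(offered) / len(offered)          # buyers pay expected quality
        remaining = [q for q in offered if seller_share * q <= price]
        if remaining == offered:                     # fixed point: nobody withdraws
            return offered
        offered = remaining
    return offered                                   # empty list: market collapsed


def trades_with_inspection(
    qualities: List[float],
    inspection_cost: float,
    seller_share: float = SELLER_SHARE,
) -> List[float]:
    """Qualities traded when each buyer pays for a perfect inspection.

    The buyer now knows q and will pay at most q minus the inspection cost;
    the seller still needs seller_share * q. A product trades when both
    constraints can be satisfied, so no product is penalised for others'
    low quality, but cheap products can be priced out by the inspection fee.
    """
    return sorted(q for q in qualities if q - inspection_cost >= seller_share * q)


if __name__ == "__main__":
    print("no inspection, surviving qualities:", unravel(QUALITIES))
    print("inspection cost 5, traded qualities:", trades_with_inspection(QUALITIES, 5.0))
```

Run as is, the uninspected market shrinks round by round (average 45, then 30, then 20, then 15) until only the lowest-quality product is left, which is Akerlof’s result; with an inspection costing 5 units the high-quality products all trade and only the two cheapest are priced out, which is the trade-off the text notes: inspection restores the market but is not free.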

THE EVIDENCE-BASED APPROACH

The evidence-based approach establishes best practices and effective policymaking by moving beyond decision-makers’ political, financial, or social backgrounds, as well as their personal experience, when deciding which professional practices and policies to implement. Instead, it adopts tools and policies on the basis of scientific findings. Scientific evidence should drive an ongoing, methodical effort to distinguish unsystematic ‘experience’ or ‘common sense’ from systematic facts established by testing research hypotheses with rigorous research designs.
Accordingly, rigorous scientific research designs including field experiments, longitudinal surveys, and observations should be deployed to generate evidence that could identify best practices and policies. In addition to strengthening the research process, a crucial component of the evidence-based approach is translating research findings into a format that is accessible and easy to digest for professionals in the field. The overarching goal of this approach is to give practitioners easy access to relevant scientific research, which in turn they can use to address problems and issues in their respective personal and organizational contexts.
The usefulness of the evidence-based approach has been demonstrated in a variety of fields and through numerous evaluation programs. Below, we discuss three illustrative cases in which the implementation of evidence-based practices – in medicine, policing, and education – resulted in significant improvements in the human condition.

EVIDENCE-BASED MEDICINE

Polio was once one of the most feared diseases in the US. Caused by poliovirus (PV), polio is a disease resulting from lower motor neuron damage and is characterized by flaccid paralysis (Baicus, 2012). Polio outbreaks became frequent and severe, especially in the US and Europe, at the beginning of the 20th century. According to the Centers for Disease Control and Prevention, by the late 1940s polio was disabling an average of 35,000 people a year in the US alone (CDC, 2021). Most of the victims were children, and many parents, terrified for their children’s health, kept them isolated for fear that they would catch the disease.
A charitable organization founded in the late 1930s, the National Foundation for Infantile Paralysis (NFIP), took it upon itself to fund research with the aim of eradicating polio. Over a period of 20 years, the NFIP launched a massive information campaign and funded several attempts to develop a polio vaccine. However, it wasn’t until 1953 that Jonas Salk and his team revealed findings from a series of lab experiments they had performed – first with monkeys and later with a small group of children – that s...
