Victimology as a Cybersecurity Strategy – Too Much IT and Not Enough Criminology
By Chris Bullock, Managing Member and CEO
As cybersecurity professionals overwhelmed with compliance requirements, regulations, and a multitude of tradecraft frameworks, we sometimes lose focus on what we really are at our roots. We are cybercrime fighters. We move through our day as cybersecurity leaders defending our organization’s employee data, customer data, and trade secrets from cybercriminals. As such, we must focus on our adversaries just as much as we focus on the people, processes, and technology used to defeat them. This element of effective cybersecurity is all too often overlooked; when it is applied correctly, and combined with aligning sound cybersecurity principles to the business goals of our organizations in a risk-based approach, it can help an organization achieve cybersecurity efficacy.
Cyber Victimology – Protecting Individuals and Organizations
Aligning cybersecurity practices to criminological and criminal justice principles is frequently overlooked in the cybersecurity industry because we tend to focus too much on IT fundamentals. In actuality, when technology is being used to facilitate a crime, or the technology itself is the target of a crime, that is the very definition of cybercrime. While technology and IT principles play an undeniable role in cybersecurity defense, criminological principles should not be overlooked. Integrating criminological and criminal justice principles into a cybersecurity program helps to achieve effective cybercrime protection, thereby protecting the assets of an organization as well as the personal and private data of its employees and consumers. Bottom line: when we are talking about cybersecurity, we’re often talking about fighting crime, and one proven technique used in criminology is the science of victimology.
In criminology, the term victimology describes the study of victims of crimes, the emotional and psychological effects of the crime, and the relationships between perpetrators and victims. Important to note here is that studying the victim provides law enforcement investigators insight into who likely committed the crime, why they committed it, and the methods they use. This is no different in cybercrime. In fact, Professor Jaishankar of the International Journal of Cyber Criminology has a wealth of research specifically on this topic as well as on other cyber criminology topics. Professor Jaishankar discusses phenomena in cybercrime, including the overlap between physical crime and cybercrime, and he is a proponent of the new cybercrime theory known as the Space Transition Theory, which proposes that people behave differently in cyberspace than they do in the physical world. Cybercrime is no longer simply hacking and attacking systems; it is an attack on people, their organizations, and the people who make up those organizations. In Jaishankar’s book “Cybercrime and Victimization of Women” the Professor clarifies the definition of cybercrime from the perspective of the victim. This book and the Professor’s subsequent articles are quite intriguing, including those on cyber victimization of governments and cyber victimization of organizations. So how is this all relevant to a business organization’s cybersecurity practices?
Just as an individual person has victimology-based characteristics, so do organizations. An organization’s business interests, political action campaigns, vigilance level, protection abilities, and cyber risk tolerance are just some of the characteristics that can determine whether an organization is more likely to be attacked, by whom, how, and why. This can provide a cybersecurity leader actionable information about how to best protect their organization and its executive leadership from attacks. For example, an organization that performs some type of excavation or resource mining may be a direct target for an eco-terrorist group. A high-profile CEO at an organization whose business or political action campaigns do not resonate well with certain hacktivist groups can personally be targeted for both physical attacks and cyber-based attacks. Taking the time to establish what an organization’s victimology is can help a CISO and their threat analysis teams select the right protections and determine what risk posture the organization should assume. This places the business risk into perspective for the Board of Directors. It adds likelihood and impact, which are details that carry influence in the boardroom.
Mapping Victimology to Cybersecurity Strategy
Organizations have leadership, and each member of that leadership team is a human being with traits of victimology. Along with the leadership, the organization takes on its own unique victimology profile as well. The profile is made up of its core business goals, employees’ cybersecurity awareness, individual vigilance, organizational awareness, organizational risk appetite, and overall cybersecurity protection efficacy. This makes organizational cyber victimology much more complex. The key task for CISOs is to understand the victimological profile of their organization as well as their organization’s leadership. Then the CISO must map these to the specific cybersecurity program elements they build, while identifying potential adversaries, the adversaries’ tactics, and the subsequent prioritized protections that need to be put into place for the organization’s defense.
This is a key reason CISOs need to consider Cyber VIP Protection for key executive staff: they and their families are often the primary victims of complex cybercrime attacks due to their victimology. They are also sometimes the triggers for attacks against their organizations, or vice versa. A few of the key considerations taken into account in cyber executive protection include the following:
- Analysis of the VIP’s technology victimological routines
- The VIP’s cyber and cyber-physical threats
- Profiles of the VIP’s staff and vendor makeup
- The motivations of potential attackers
- The existence or non-existence of vigilance and cyber guardianship protections
- The provocativeness of the VIP as a target
For instance, a CEO of an organization which profits from animal byproducts may attract attention and become a target of organizations such as the Earth Liberation Front or Anonymous, a well-known hacktivist group that established campaigns including Operation Beast, Operation FunKill, and Operation Whales in the name of animal rights. These groups utilize specific tactics, techniques, and procedures (TTPs), and organizations should use the victimology traits of the organization and its executive leadership to identify the weaknesses that these types of adversaries will likely attack. TTPs such as spear phishing, watering hole attacks, and brute forcing, all used by Iranian Advanced Persistent Threat (APT) groups, are just one example of TTPs used by specific hacking groups. This provides a roadmap for an organization’s cybersecurity defense efficacy and for the key components that the cybersecurity program should include.
Adapt Your Cybersecurity Program to Your Risk Profile
This leads to a few major considerations for the CISO or executive cybersecurity leadership of an organization:
- A CISO should develop a comprehensive victimology profile of their organization, the organization’s key leadership, and key leadership’s close staff.
- Organizations should deploy effective threat intelligence. An effective threat intelligence service should include criminal intelligence analysis along with technical intelligence. This helps with both preemptive protection mechanisms as well as post-event attribution.
- Don’t exclusively focus on technology and IT frameworks. Also consider criminological elements when building your cybersecurity plan.
- A good solution to the major shortage of cybersecurity talent is to leverage criminal justice and criminology majors for roles, not just technologists. They bring this desperately needed and often overlooked element of cybersecurity.
An effective cybersecurity program also includes social science elements such as sociology, criminology, and victimology. These elements are specifically those found in criminology and criminal justice. Combining victimology profiling at both the organizational and individual level can provide useful information for building an effective cybersecurity plan. CISOs must stop falling into the trap of centering only on IT frameworks or methodologies. Inevitably, security leaders and their teams fight crime and help secure their organizations from threat actors. Embracing a holistic approach that incorporates victimology, solid threat intelligence, and cyber executive protection will help ensure your cybersecurity program has achieved maturity and efficacy.