When you compare information security to other professional fields, it's a relatively new player on the block by contrast. However, over its relative short lifespan information security has evolved at a comparatively rapid rate and shows no signs of slowing down. This should hardly be surprising, given the ever-changing threat matrix and the newly emerging risks to commercial, government and military digital assets. While most of the history of this field has focused almost exclusively on technological solutions to cyber defense, in recent times we have begun to see an emphasis placed on the human element in strategies such as threat intelligence.
This new emerging focus on the human component to information security should come as no surprise. If you follow the kill chain all the way upstream, at some point you are going to encounter a human with motivations and objectives that are associated with creating specific malware or initiating a particular cyberattack. However, as a social psychologist who has been in the cybersecurity field for many years, the difficulty and resistance met in convincing computer scientists, engineers and other professionals of the value of understanding the human component of cybersecurity has often been surprising. During my very early years in the field, I would be addressing these skeptical crowds at various venues in Washington. I quickly learned that I needed to develop and tell a story that demonstrated the value of understanding attacker motivations or the lessons learned would fall on deaf ears.
Understanding the motivations of threat actors can assist in assessing the level of threat that a specific group poses for a specific target. Conversely, when attempting to assign attribution for a specific attack, known motivations of specific groups can assist in eliminating unlikely suspects and highlighting more likely ones. More importantly, developing a more comprehensive understanding of the relationship between people and digital technical is crucial to constructing strategic new ways to look at the cyber threat environment.
Developing taxonomies of motivations for online malicious actors such as MEECES (Money, Ego, Entertainment, Cause, Entrance to social group and Status) can be useful in many ways. On a tactical level, taxonomies like this can help you sort threat groups into useful categories. These taxonomies are even more useful in developing strategic perspectives of both the current and potential future threat environments. For example, they can suggest potential motivations for future cyberterror attacks that do not fall into the traditional ideological or political foundations that typically motivate terror attacks in general. This is of particular importance in the digital world, where the straightforward translation of phenomenon from the “real” world into the virtual one doesn't always work so well. Taking this kind of strategic approach to incorporating human behavior into the cyberthreat environment allows you to develop future threat scenarios that might otherwise have been overlooked. This kind of thinking can be critically important, especially in areas of cyber defense and national security.
Another area where incorporating the human element in the cyber threat environment is useful is in developing a better understanding of the relationship between non-nation state actors and nation-states. Recent years have seen a rapidly growing importance in understanding mechanisms and lifecycle of the relationship among these entities. Jason Healy from the Atlantic Council has suggested a 10-category spectrum that describes the nature of cooperation between non-nation-state actors and nation-states for a specific attack that goes from state-integrated to state prohibited. I have suggested that there are four fundamental stages to the relationship between non-nation-state actors and nation-state actors when dealing with malicious online actions. The first stage is the saliency stage where non-nation-state actors become salient to nation-states through various means.
The second stage of the relationship lifecycle is the formative stage where the nation-state employs specific motivations such as patriotism, nationalism, false flag or coercion to obtain cooperation from non-nation-state actors in committing attacks or developing malware. The third stage is the maintenance stage where the nation-state continues to coax cooperation from non-nation state actors through immunity from prosecution for participation in activities encouraged by the nation state or through looking the other way at other unrelated illegal activities engaged in by the group or continued coercion. The fourth and final stage of the relationship involves the termination of the relationship – typically initiated by the nation-state. This may be due to the public unveiling of the covert nature of the relationship, replacement of the group by a more skilled group of non-nation-state actors or often the scapegoating and prosecution of the non-nation-state actors by the nation state itself.
One interesting outcome in this final stage of the relationship is when the non-nation-state actors initiate the termination of the relationship. The group may have amassed sufficient financial and digital resources to no longer need the relationship or the non-nation-state group may have developed sufficient technical skills to be able to pose a credible threat to their former nation state partners. In this case, we might see the formation of a domestic cyberterrorism group willing to target its former relationship partner and other attractive nationstate targets.
These are just a few of the ways in which it would seem that building a better, more comprehensive understanding between people and digital technology may provide benefits to professionals in the information security field as well as policymakers and strategic analysts in government and elsewhere. There is clearly much more to be learned about how the human element plays a key role in cybersecurity and hopefully the recent emphasis on incorporating more of this element into cyber defense will provide even more benefits.
Max Kilger is director, Masters in Data Analytics Program, Department of Information Systems and Cyber Security and the Department of Marketing at the University of Texas at San Antonio.