Identifying and Modelling Victim, Business, Regulatory and Malware Behaviours in a Changing Cyberthreat Landscape

HM Cabinet Office and Detica reported in 2011 that the annual cost to the UK economy from cybercrime was £27 billion. Regardless of the accuracy of this estimate the British Crime Survey and Eurostat ICT survey evidence that cybercrime is now the typical volume property crime in the UK, impacting more of the public than traditional acquisitive crimes such as burglary and car theft. Because of its global nature similar estimates of the prevalence and losses of cybercrime are found in most other countries. However, whilst most politicians, police, and business leaders agree that cybercrimes are one of the greatest crime challenges of modern times, few seem to fully understand what causes them and how to best predict their occurrence and limit their impact upon the UK economy and society.

This project aims to address these uncertainties using methods and concepts from a range of disciplines including criminology, psychology, economics, mathematics and computer science. The key objectives of the project are to identify, understand and predict:

1. The behaviour of malware and human cyber perpetrators within and outside of Cloud environments;
2. Business risk assessment practices, threat awareness levels, and adaptive behaviours as related to cybercrime;
3. The response of criminal justice agencies to cybercrime and business trust in the regulatory system;
4. Business and criminal justice cyber security practices (e.g. information sharing) in relation to issues of privacy, accountability and civil liberties.

The project will develop a computational tool that will assist in the prediction of business related cyber attacks. For the first time both technical (e.g. malware behaviour, network vulnerabilities etc.) and human/organisational (level of cooperation, perception of risk, threat assessment, costs, criminal justice response etc.) measures will be combined in this predictive process. It is envisaged that this tool will assist both policy makers and practitioners in the field of cyber security and crime. It will identify which businesses (by sector, size, level of cooperation etc.) are most vulnerable to attack allowing policy, codes of practice and advice to be tailored and targeted. The tool also has the potential to provide digital and human/organisational forms of evidence and other information relevant to investigation and prosecution proceedings. In order to disseminate the tool and results from the research we will incorporate an action research element where we will develop a forum (two workshops in years 2&3) where initial or draft (but verified) findings are released in stages, through briefing papers to businesses of varying sectors and sizes (particularly SMEs). We will also disseminate results via peer-reviewed journal articles and conferences. Throughout the project via the advisory group we will link into other key commercial initiatives (e.g. Saturn project at BT Labs) and statutory and third sector organisations such as ENISA, the Honeynet Project, Home Office; Cabinet Office Identity Assurance Programme; Office for National Statistics; National Fraud Authority; Serious Fraud Office; Trading Standards; Serious Organised Crime Agency/National Crime Agency; Association of Chief Police Officers; Met Police Central eCrime Unit; NPIA/Police College; EADS; Get Safe Online, Liberty and Wise Kids.

Governments, critical national infrastructure, and enterprise organisations all suffer from various security breaches and information leakage. A key challenge has always been to determine who is doing it. Detica/Cabinet Office estimated that cybercrime cost £27 billion to UK society and economy, and though this has been strongly critiqued (University of Cambridge, 2012), all parties agree that there is consequently a significant benefit to being able to link such activities to perpetrators. This project will help organisations in identifying threats such as insider abuse of systems, malicious software activity, industrial espionage and fraud. The following stakeholder groups will benefit from the findings of this research:: (i) academics through advancements in knowledge that directly results from the research; (ii) practitioners (police, private security agencies but also lawyers and court officials) through advancements in practitioner knowledge that result from the research; (iii) Criminal Justice Policy makers, through advancements in academic and practical knowledge that result from the research; (iv) public (including organisations), through carefully explained advancements in knowledge that result from the research. The findings will be of interest to those specifically interested in how the cybercrime problem is constructed by the UK Information Assurance (UKIA) community and beyond, and in those interested in robust measures of cybercrime costs and relative importance of key cyber security factors. Most obviously such users would include police, government departments, private sector regulators, and regulatory groups. Voluntary sector organisations involved in educating the public and business will also benefit from these findings.

The key deliverable of the consortium is a computational tool that will assist in the prediction of business related cyber attacks. For the first time both technical (e.g. malware behaviour, network vulnerabilities etc.) and human/organisational (level of cooperation, perception of risk, threat assessment, costs, criminal justice response etc.) measures will be combined in this predictive process. It is envisaged that this tool will assist both policy makers and practitioners in the field of cyber security and crime. It will identify which businesses (by sector, size, level of cooperation etc.) are most vulnerable to attack allowing policy, codes of practice and advice to be tailored and targeted. The tool also has the potential to provide digital and human/organisational forms of evidence and other information relevant to investigation and prosecution proceedings.

Some of the data sets acquired during this project will also be made available to selected user communities. These will contain pre-processed (or where necessary, anonymized) data describing attack vectors, attack patterns on distributed systems, as well as attack demographics. As a main point, the data sources will present real-time visualisation feeds of the current attack vectors tailored to the targeted users' systems in the light of attacks on related/similar systems. With access to the data sources we offer, targeted users will be better prepared to deal with security threats and complement signature-based detection of malicious software in their systems.

These deliverables and research outcomes will contribute to knowledge of how the cybercrime problem is constructed, how the associated risks are assessed and what cybercrime costs. This knowledge will be of use to policy makers, regulators, educators and the business community. Improved knowledge is crucial for understanding the regulation of cybercrimes, especially how the law is being applied. This knowledge will help to bridge the gap between public demands for security and what government, and especially, the police can provide.