Article Review 2: An Empirical Study of Ransomware Attacks
The article An Empirical Study of Ransomware Attacks on Organizations: An Assessment of Severity and Salient Factors Affecting Vulnerability relates to the social science principle of empiricism. I would also add ethical neutrality to the list of social science principles used in this article, considering that its data came not just from the U.S. but from the U.K. and other countries, across 50 different organizations.
The hypotheses concerned, first, the organization’s characteristics, namely its size and sector; second, whether the organization’s security posture and the ransomware’s crypto-propagation class have any influence; and lastly, the attack type and target, broken down into opportunistic versus targeted incidents and human versus machine targets, and how these influence the severity of a ransomware attack’s impact.
The research methods used varied among organizations, but the methods used most were questionnaires and interviews. The study used a mixed-methods design with a qualitative and a quantitative phase: the first phase developed a way to measure the severity of these incidents, and the second phase statistically tested the hypotheses.
The qualitative data analysis was done by interviewing ransomware attack victims and describing how the attacks impacted their businesses across five main categories of outcomes: business continuity disruption, recovery time, affected devices, encryption of business-critical information, and information loss. The quantitative analysis sample included 50 organizations of different sizes and sectors, some private and some public.
Concepts related to class are social science research methods using surveys and multimethod research, victimization and the behavior patterns that made individuals targets, psychological theories, and human factors.
Ransomware has affected various organizations and doesn’t discriminate between targets, but it mostly aims at the private sector. The public sector had a seemingly better security posture but was not left out as a target, and organizations with weaker security postures suffered more severe impacts than those with stronger security postures.
This article helps address the cybersecurity awareness and education gap that a lot of businesses and organizations have. It also highlighted the cost and time of recovery after a ransomware attack, which severely impacts not only the finances of a business but its reputation as well.
Article Review 1: Cyberbullying
The article Cyberbullying and Cyberbullicide Ideation Among Jordanian College Students, written by Diab Al-Badayneh, Maher Khelifa, and Anis Ben Brik, investigates the impact of cyberbullying on youth and cyberbullicide. This article relates to determinism, parsimony, and objectivity. Determinism relates to this article through the events that precede a victim’s suicide and the numerous advantages or opportunities a cyberbully or perpetrator has to harm their victims, which lead them to believe they are safe from punishment or consequences. Parsimony is used in this article to explain the mental and physical ways bullying affects youth, the growing attention cyberbullying is gaining in legal, health, and education departments, and how they are handling the situation. Objectivity: the article looks at both sides of cyberbullying, why cyberbullies choose to use the internet or social media rather than face-to-face contact, and how victims respond.
The hypothesis or research question is whether cyberbullicide is the result of cyberbullying. The answer is yes: a portion of males and females, accounting for 30%, reported cyberbullicide ideation after being harassed or cyberbullied, and even larger percentages of victims felt hopeless or depressed and expressed a willingness to die.
Research methods used were sampling, data collection, and measurement scales, including a general bullying scale, cyberbullying subscales, violence measures, and suicide measures. The sample comprised 1,000 Jordanian students from 12 governorates, randomly selected from different colleges and levels. Data were collected by the survey method. The measurement scales were measured at different levels; a scale based on a literature review consisted of 34 items on an interval level of 0-5, with 0 meaning No and 5 meaning most frequently. Subscales measured the extent of cyberbullying victimization, perpetration, and knowledge of perpetrators, with responses of 1 (Yes) or 0 (No).
The types of data and analysis were descriptive statistical analyses and logistic regression analysis. Concepts related to class are the social principles and behaviors explained in module two, specifically the nomothetic model, which identifies a few causes of behavior, and the idiographic model, which identifies multiple causes over time.
The marginalized groups are college students, men and women, and adolescent groups. Students and adolescents are more at risk for cyberbullying and cyberbullicide. Among men and women, cyberbullying fades as they get older, but it is more prevalent among women, both as victims of cyberbullying and as perpetrators themselves.
The societal contributions of this study include bringing awareness to the topic of cyberbullying. In the beginning, cyberbullying was either not examined or not punished due to anonymity or lack of awareness, and most victims never report it. Another contribution was putting cyberbullying into perspective from both sides, the victim’s and the perpetrator’s: victims may become perpetrators toward others, and perpetrators could be victims of others.
Discussion Posts
Determinism relates to computer hacking through a series of events that have taken place or will take place, which gives hackers a reason to commit malicious acts. For instance, hackers do not attack simply for the fun of it, unless they’re script kiddies or unskilled hackers. Something has to happen to create the desire to plan and execute an attack. Commonly, those preceding events are getting revenge for being fired or let go from a job, political and religious beliefs, and the motivation of financial gain.
The best way to reduce human errors and improve security is education and training, which in turn builds experience and leads to fewer mistakes. Hackers usually take advantage of or social engineer inexperienced users because they know that those users don’t know any better. Of course, as long as humans are involved, errors are bound to happen; I believe artificial intelligence could close that gap, but there are still multiple factors affecting human error. Employees, or users in general, could just be plain lazy or nonchalant with security practices, such as not downloading the latest version of software or ignoring security alerts and notifications on their own system. Even with the know-how or experience to mitigate these security issues, ethics can also play a role in security breaches. Phishing attempts could be pretty elaborate, or the user knows they shouldn’t click on a link or open an illicit web page but ignores the risk along with the consequences. Downloading or playing online games at work could also be a potential hazard, but the user thinks it’s just a harmless game and nothing could go wrong. Stricter controls and properly configured firewalls would help manage access to these types of programs or software.
Victim precipitation refers to the behavior or factors that led to a person’s victimization and exposed them to increased risk, either intentionally or unwittingly. In terms of cyber victimization, this would be accessing files or data without proper authorization, along with sharing information that is considered sensitive or secret, directly or indirectly. Victim precipitation does not directly place blame on the victim but rather points out ways they could have prevented becoming a victim. After becoming a victim, their behavior changes, and they try to figure out why they became a victim in the first place while correcting that behavior to prevent future victimization. If nothing can be done to prevent victimization, the risk is ongoing, as the module states. Victimization is not a choice, whether it’s cyber or physical; nobody chooses to be a victim. The offenders make them a victim, and the responsibility falls on the offenders, not the victim. There are multiple factors contributing to becoming a victim even though that wasn’t the intention. Risky cyber activity can boil down to such things as poor mood, lack of care or knowledge of risky online activities, sensation-seeking, or general curiosity about access to certain aspects of software and technology that one doesn’t normally have access to or hasn’t experienced before.
I would have to say that neutralization theory best explains cybercrime. Most criminal offenders know they are committing a crime, along with the consequences if they are caught, and to go along with it, they try to justify their own actions or misdeeds and believe they are doing the right thing based on their own beliefs. I would agree that the justice system isn’t perfect, but laws are put in place for a reason and to protect people who can’t protect themselves. What I like about this theory is that it points out the reality of cyber offenders, or offenders in general: they know right from wrong and know what they are doing is wrong, because of how they have to rationalize their actions before committing a crime. Out of the five types of neutralization, denial of injury, or “nobody got hurt,” is something I completely disagree with, because even though nobody physically got hurt, they are still hurt in some way, whether mentally or financially. You could have a good reputation with people or employees and, after an incident such as a data leak or false information, lose it. Financially, you could completely lose everything in your personal and business life.
The human firewall and his analogy of a pipeline remind me of the phrase “You’re only as strong as the weakest link”; it only takes one break in the chain for the whole operation to come crumbling down, and I completely agree with his statement that it’s everyone’s responsibility to protect themselves and others. Even though we have been living in the digital age for some time now, people still aren’t taking cybersecurity seriously, or some are just completely out of the know, thinking they aren’t at risk. The fact that people also willingly give out personal information for practically nothing is very concerning. I feel that if cyber awareness or cyber education became normalized, not just in businesses but in schools at an early age, threats as common as phishing wouldn’t be so prevalent. With that being said, I think education and awareness are the firewall, not just humans as a whole. Later down the road, I feel phishing will eventually become a minimal threat because newer generations have more technical experience than older generations, but then again, new threats will probably have evolved by then, and phishing scams and social engineering will have evolved along with them.
1. How is cybersecurity protecting families, schools, and cities from hackers when technology is growing and is integrated into everything?
2. How has cybersecurity improved in the healthcare industry since the pandemic and the rising popularity of teleworking/telehealth?
Regarding the social forces of technology, researchers might ask how cybersecurity is measuring up to today’s societal culture, where technology is becoming part of everyone’s life in some form. We use technology for communication, school, work, entertainment, finances, and many other things, to the point of not being able to survive without it. Hackers could easily exploit this dependence and completely ruin someone or something. Researchers might ask how cybersecurity is going to stay ahead of the curve when hackers or malicious actors evolve along with cybersecurity or exploit unknown vulnerabilities before security professionals learn of them.
Ever since the pandemic started in early 2020, the healthcare industry has shifted toward more and more technology use, especially in regard to remote work and telehealth. While this has brought continuation of care under irregular circumstances, as well as convenience, it also gives threat actors a bigger attack surface for reaching sensitive data. Researchers would likely ask how this is being protected and whether there are new and improved methods of keeping personal and sensitive information safe when everything is stored electronically.
Economics has everything to do with cybersecurity when it comes to protecting businesses and companies, especially when it comes to finances. Data breaches cost companies millions of dollars each. Although cybersecurity is flexible in how much you are willing to pay for protection, it is more economically sound to pay for protection than to leave your business wide open to attacks. The cybersecurity framework gives you a baseline of what to invest in security practices based on common threats. It is also important to invest in security beyond the common threats and counter more sophisticated attacks that target critical systems and data worth more than common functions. Regarding more sophisticated attacks, it’s not entirely without risk, and companies should be able to accept some risk with less critical functions. Companies should also conduct a return on investment (ROI) analysis to account for security practices they may no longer need or to discover the need for better security in other systems and functions, which in turn is economically more beneficial, saving businesses and clients spending while still being protected from breaches. Over time, cybersecurity costs will lower or even out as solutions become available and integrated.
I think individuals do not report cybercrime because it could be embarrassing or ruin certain individuals’ reputations. Secondly, I believe that most people do not report incidents simply because they do not know how to properly report them, or they lack the knowledge of how serious an incident really is and the impact it can have on an individual or company, and dismiss it as nothing to worry about. Also, I think someone might feel they would be wasting their time trying to deal with an incident and be more concerned with meeting a deadline, turning their attention to more “important” priorities. This all goes back to a lack of awareness and training, besides the fear for one’s well-being or finances. An individual could have been threatened, or they are simply afraid of the repercussions of reporting, whether that is getting fired or let go, or what people would think of them afterwards, such as being seen as a liability due to lack of knowledge or incompetence with security. Lastly, I believe there are some individuals who simply do not care enough about themselves or others to even bother reporting cyber victimization, which some malicious actors could exploit.
Career Paper
Penetration Tester
Penetration testing, or pen testing, is where companies or businesses hire an ethical hacker to breach their own network or find vulnerabilities and improve security by simulating a cyberattack. Pen testers use techniques such as ethical hacking, social engineering, and whatever means are necessary to breach a client’s network. They don’t solely rely on computer hacking and mostly rely on social engineering techniques, especially during the reconnaissance phase of a pen test. Pen testers can use social science practices to exploit an individual’s inexperience or incompetence to get them to reveal sensitive information. Such techniques are phishing, vishing, and smishing. Phishing uses emails that the recipient believes are legitimate and from someone higher up, requesting that information be sent out or that something be downloaded through a malicious link within the email, usually conveying a sense of urgency to get the recipient to click the link or send something out without suspicion. Vishing uses voice calls to impersonate either tech support/IT or someone at the executive level using a pretext. Similar to phishing is smishing, where an attacker uses SMS or texting to get someone to give out sensitive information or open malicious links.
Without the social science aspect of pen testing, it would be much more difficult to assess the full scope of a company’s security vulnerabilities, because after all, the biggest vulnerabilities are people themselves. Using behavioral methods, social constructs, and general users’ lack of awareness or education brings us to victimization. Victimization can happen unknowingly or knowingly based on a user’s online behavior. Pen testers use cyber psychology to take advantage of users, particularly those who engage in risky behavior online at work, which happens with men more than women. Mostly, victims are ashamed of reporting an incident due to the nature of what they have fallen victim to, which a pen tester can exploit. The human factor is a large part of discovering vulnerabilities within a network. Human behavior and ethical considerations play a vital role in choosing a target for an ethical hacker. While keeping privacy and compliance in mind, they still use methods an actual attacker would use to exploit vulnerabilities, but instead of using them against a victim, they use them to improve cybersecurity and warn of risky behaviors and the consequences of such behavior.
Penetration testing can have a very meaningful impact in the social science realm of cybersecurity by creating a sense of humility, helping people realize how vulnerable they can be, and finding ways for them to better protect themselves from such attacks. Most believe that since they aren’t important, or no one is looking for them, they aren’t at risk, when in fact it’s not a matter of who but when you will be attacked. With penetration testing, users of all levels can be made aware and receive the education needed to protect themselves, while businesses gain the ability to educate and employ better cybersecurity practices. This in turn saves businesses money and saves people from negative outcomes such as psychological or sociological damage.
In conclusion, penetration testing uses a multitude of social engineering and social science methods to improve overall security, not just within a network but among people themselves. Conducting such practices requires the use and understanding of the psychology and sociology of the cyber-connected world we live in today. An understanding of ethics, human behavior, and social constructs is vital in a penetration tester’s role in cybersecurity.