My coursework in CYSE 201S integrated some of the human aspects of cybersecurity into cybersecurity practices. I learned about the ways policy is written to address human factors and how frameworks help integrate best practices and scientific principles as a tool for cybersecurity professionals.
Module 1 journal prompt: Review the NICE Workforce Framework. Are there certain areas that you would want to focus your career on? Explain which areas would appeal the most to you and which would appeal the least.
The NICE workforce framework details a couple of work roles of particular interest to me. They are primarily based in the “Identify” and “Respond” framework functions. My previous career in the military was only partially focused on cybersecurity for a time, but the interpersonal and communication skills I passionately developed during my career lead me to a strong interest in working as a Risk Manager.
The prospect of helping an organization identify weaknesses and risks in their IT infrastructure and working to communicate those risks to executives and decision makers to influence risk management decisions appeals to me. I believe the soft skills I developed as a leader in the military along with my interest in computers and other hardware, as well as the way people use them on a daily basis would make Risk Management a strong fit for my skills and interests.
The other work role that would be of particular interest to me is that of penetration testing. The opportunity to use my people skills and love of puzzle solving challenges to execute penetration test operations for organizations seems like the ultimate challenge of cybersecurity technical skill, closely coupled with interpersonal skills. Since the majority of cybersecurity breaches these days involve human factors and social engineering, the thought of using people skills to find flaws in an organization’s training and daily practices seems like another great way to leverage the skills I’m working on along with the ones I’ve already developed.
Module 2 journal prompt: Explain how the principles of science relate to cybersecurity.
Scientific principles relate to cybersecurity in several ways. First and foremost, the
principle of openness is one every cybersecurity professional must hold in the highest regard. In
order to improve the processes and practices we use to prevent and detect cybercrime, we must
be willing to acknowledge our own faults and inherent personal biases that can impede our work.
In other words, science seeks to actively disprove a hypothesis to test its accuracy.
Any professional must accept that they will be wrong at times. The more we can reach a level of
comfort with failure and recognize its value in improving our work, the better off we are.
The principles of honesty, cooperation, and rigor in testing also strike a chord with me.
As a cybersecurity student, I am seeking to become a member of a team that will rely on my
ability to share what I know and exchange knowledge with my peers in a free-flowing manner. I
must accept criticism with grace and gratitude because you can’t rigorously test anything without
the vulnerability that comes with potentially being proven wrong.
In summary, I think the best way to explain the relationship between scientific principles
and cybersecurity is: We are willing to fail and recognize that failure is inevitable and merely a
step in the process of arriving at a solution.
Module 3 journal prompt: Visit privacyrights.org to see the types of publicly available information about data breaches. How might researchers use this information to study breaches?
PrivacyRights.org (PR.O) contains information on data breaches such as number of records impacted, organization type, and type of breach. Furthermore, one can view locations of breaches, dates the breach occurred, and even the reporting source (as a beta feature).
Information on the number of records impacted would be useful to researchers in order to ascertain the overall potential impact of a breach. For instance, a breach of a small manufacturing business with a few hundred customers in its database, although significant to that business and the customers affected, would likely not garner as much attention as a hacker gaining access to the identity information of hundreds of millions of residents of India. However, even the breach of a small business could be useful. If one were developing security solutions for small businesses, they could research smaller data breaches to see if there were trends in methods of attack or other useful data.
If a researcher was studying trends in what types of businesses or organizations were being targeted, they could look for records by category such as finance, manufacturing, retail, education, government and military, healthcare and medical providers, or nonprofits.
For someone putting together a report on the most common types of breaches, PR.O breaks down breaches by category such as debit and credit card fraud, hacking by outside parties, insider attacks, physical theft of paper documents, or portable device loss or theft, to name a few.
One can easily see the utility in being able to assemble data in so many forms for researchers. With the ability to combine so many data and manipulate parameters as desired, a researcher could use PR.O to show historical trends for data theft crimes targeted to the type of organization they might work for or wish to provide services for.
Module 4 journal prompt: Review Maslow’s Hierarchy of Needs and explain how each level relates to your experiences with technology. Give specific examples of how your digital experiences relate to each level of need.
Maslow’s Hierarchy of Needs posits that there are five basic categories of needs that a person seeking a happy must have met. The categories can be visualized in pyramid form where the base of the pyramid must be built before any higher layers. The categories are psychological needs, safety needs, love and belonging, esteem, and self-actualization.
As I think back on how technology has played into my life, I think of psychological needs as the basic awareness of technology I started gathering as a child. An understanding of the most basic elements of technology are the base of the pyramid. Things like flipping a light switch to see, or adjusting a thermostat to heat a home in the winter can be thought of as the base layer of the hierarchy.
Once I understood the basics, it was necessary to learn the dangers. Learning that car keys don’t go in electrical outlets, or that stove tops get hot and will burn you, are the basic safety needs that we all get as children.
Next, Maslow cites the need for love and belonging. When it comes to technology, I think back on the first time my father sat me down in front of his computer to show me how to turn it on and type words on the screen, or a few years later, to write my book reports by typing them into a word processor and printing them out. I think this equates to love and belonging in that it was where my earliest fond memories of technology occurred.
As my knowledge progressed from merely using technology to do things, I started to become more skilled at technology. This can be compared to the need for esteem on Maslow’s hierarchy. When I started using the internet to gain knowledge, or became good at a particular video game, or build my own custom personal computer from parts I ordered from a website, I started building my confidence in my use of technology.
Finally, we come to self-actualization, which is defined as our desire to become the most that we can be. This is where my choice to major in cybersecurity comes into play. Developing my knowledge, skills, and abilities to understand how criminals hack into networks and learning to thwart them is how I intend to become self-actualized in the world of technology.
Module 5 journal prompt: Review the articles linked with each individual motive. Rank the motives from 1 to 7 as the motives that you think make the most sense (being 1) to the least sense (being 7). Explain why you rank each motive the way you rank it.
I rank the motives behind crimes as follows, with the number one slot making the most sense.
- Multiple reasons
- Money
- Political
- Recognition
- Entertainment
- Revenge
- Boredom
First, I believe people commit crimes for multiple reasons. People and their motives are generally complex, especially when it comes to crimes that are seen as victimless, or non-violent. It makes the most sense to me that more than one factor would be present in most crimes.
I listed money in the number 2 slot because we all depend on money, and most of us believe we could always use more of it. Money can easily be a means to obtain comfort, entertainment, or social status (sadly). The only reason I don’t list money in the number one slot is because I believe that even a strong desire for money would likely be combined with other circumstances in order to drive a person to commit a crime to obtain it.
Politics comes in at number three. It’s fairly clear to see that a lot of cybercrime is politically motivated. The article linked to recognition illustrates my points about both multiple reasons and political reasons. The article describes how Bradley Niblock attacked a political candidate’s website using a DDoS attack. The recognition aspect is present, but so is a political motive.
Next, we have recognition. Hackers are no different than the rest of us in their desire to seek recognition from others like them. In hacker message boards, people often post about their exploits to gain the praise and recognition of their peers. They want to show that they are skilled and worthy of status in their chosen social group. I believe this is a strong motivator for crime.
Entertainment seems closely related to recognition for me. Those who seek the recognition of their peers by showing off their skills are likely doing so for entertainment as well. We all tend to enjoy doing the things in which we have strong skill.
At number six, I listed revenge. Although revenge porn is clearly a widely-known and problematic crime unique to relatively recent years, I feel it is less prevalent than the other reasons I have listed above it. I say this with the utmost sympathy to victims of revenge crimes and in no way should this be construed as a dismissal of the seriousness of the crime. I’m simply saying it seems less common than other motives.
Finally, we have boredom. I listed it last because I don’t think mere boredom is often the primary motive behind a crime. It seems far more likely that boredom could be the proverbial straw that broke the camel’s back on a person’s path to crime, but this takes us back to multiple reasons, in the number one slot. A person simply being bored doesn’t seem like enough motivation, in most cases, to commit a crime.
Module 6 journal prompt: Can you spot three fake websites and compare the three fake websites to three real websites, plus showcase what makes the fake websites fake?
An example of a fake website is zapatopi.net/treeoctopus/. Although it’s a fairly obvious attempt at humor, it could dupe those unaccustomed to internet “trolling” behavior. For example, the site has a help tab and recommends ways to save the Pacific Northwest tree octopus such as writing to celebrities to ask them to speak out on behalf of the tree octopus. It also asks people to help build awareness by telling friends and random people on the street about the tree octopus.
In contrast, savethewales.org is a legitimate non-profit organization. Their website is a .org, which actually tells us nothing about the legitimacy of the website since there is no vetting process for purchasing a .org. However, there are several clues that this is a legitimate site. There are pages dedicated to teaching people how to report a stranded whale and steps they should take to help while remaining safe. It also provides links and contact information for several other governmental resources. The website name is spelled correctly and has no misleading characters such as a zero in place of the letter o or a one in place of an i.
Another fake website is DHMO.org. DHMO stands for Dihydrogen Monoxide, or H20, which is the chemical formula for water. This website is a bit more apt to dupe the unsuspecting due to its vague, but technically accurate descriptions of the problems potentially associated with DHMO. For example, the site explains that DHMO is a highly prevalent chemical of which prolonged exposure to the solid form (ice) causes sever tissue damage (frostbite). This is true, but misleading. Although the website seems to be created purely for amusement, it pokes fun at how easy it is to fool those who don’t vet their information sources.
We can compare DHMO.org to climate.nasa.gov/what-is-climate-change. First, NASA is a well-known governmental organization and their site is a .gov, which is only available to U.S. governmental organizations. On their site, NASA lists facts and evidence in simple to understand terms. It provides links to additional information which is always presented in layperson’s terms. It also provides references to be used to independently verify their information.
Finally, we have a fake website called allaboutexplorers.com. This site is arguably the most insidious of our three fakes. It is presented in a format clearly aimed at ease of use and exploration, which would appeal to younger students looking for information. However, the site is filled with a litany of bogus facts. For example, the site claims Vasco Nunez de Balboa was forced to lead expeditions over land through the jungles of Panama due to the temporary closure of the Panama Canal in 1513. For a young person without much life experience, they could easily be fooled into including such facts in school assignments.
Britannica.com/biography/Francis-Drake is a legitimate site that provides factual, cross-referenced information on the actual life and exploits of Sir Francis Drake. Britannica is a well-known organization with a long history in academia. Articles are presented with lists of authors, dates published and updated, information on fact checking, and numerous links to amplifying information.
The sites I have listed are clearly far more devious to young people than older people with more knowledge of the world we live in, but education in the dangers of fake or unvetted information on the internet is a life skill we must all possess in life.
Module 7 journal prompt: Review the following ten photos through a human-centered cybersecurity framework. Create a meme for your favorite three, explaining what is going on in the individual’s or individuals’ mind(s).
In the image above, our subject is possibly shown in a coffee shop enjoying a beverage and working on his laptop. A common problem associated with mobile computing, or remote-work scenarios is the use of unknown Wi-Fi networks. In this meme, I’m making what could pass for a mildly humorous attempt to illustrate that bad-actors frequent public places to set up honeypot-type free internet access. With these bait access-points, criminals can hijack myriad data from unsuspecting users with the potential of catastrophic damage to a company’s vital data.
In this picture, we have what I imagine as a company mandated training scenario. The meme is a hyperbolic play on how boring and pedantic some workers might find cybersecurity training. However, we must deeply engrain the thought that every member of a company or organization is an important part of security, as humans are arguably the weakest point of any security posture. We can assume that every employee with access to a company’s network could make mistakes or succumb to social engineering that may cause monumental damage to the company’s ability to conduct business.
Finally, we have a cute picture of a dog posed behind a tablet. In this meme, I am drawing parallels between the adorable pup in glasses and legitimate hackers to point out the importance of password security and the need for multi-factor authentication or other more robust measures to ensure access is limited to those authorized to access a network. Although the thought of a dog ordering treats with its human’s credit card is light humor, the threat of hackers accessing networks or sites through use of weak passwords is very serious. We are all prone to take the path of least resistance. Password security is no exception. Remembering complex passwords for multiple networks, sites, or applications is a daunting task for anyone. People tend to prefer easy to remember passwords which make it much simpler for hackers to gain access with dictionary or brute-force attacks.
Module 8 journal prompt: After watching the video, write a journal entry about how you think the media influences our understanding about cybersecurity. Has this understanding changed over time? What is different in the older pieces of media vs more current media?
After watching the video, write a journal entry about how you think the media influences our understanding about cybersecurity. Has this understanding changed over time? What is different in the older pieces of media vs more current media?
For most people who don’t make a hobby or career out of the “hacking” world, the bulk of their understanding of the concepts and methods of hacking undoubtedly comes from various media portrayals of hackers. Back in 1983, when computers were not yet common in American households, the movie War Games came out. In the movie, Mathew Broderick’s character uses a telephone handset modem to dial random phone numbers and through blind luck, hacks into a computer that controls the entire nuclear arsenals of both the United States and Russia (USSR, at the time).
Moving forward in time to 1991, the movie Hackers was released. In this movie, a high school hacker does things like making his school fire suppression sprinklers go off to get out of class, hacking the bank account of an enemy through a payphone with a laptop to declare him deceased, and somehow interpreting endless waterfalls of scrolling text instantly to know how to gain access.
As our final example for the purposes of this paper, we can look at the HBO show Silicon Valley, which ran from 2014 to 2019. In the show, a character gains access to a rival tech company by stealing a post-it note from the office of an executive to access the company’s financial records. They also execute a man-in-the-middle attack using a WiFi pineapple to capture data from users.
Back in 1983, the media painted a picture of potential doom and destruction at the hands of somehow autonomous computers. As we move on to 1991, we get slightly more plausible scenarios, which do happen in real life, but with nowhere near the same ease and speed. In Silcon Valley, the hacking methods were often completely realistic and based on actual hacking techniques.
Clearly, the hacking methods started out highly distorted and sensationalized. However, as time went on, we started getting more realistic and plausible scenarios. As the population of computer-savvy people increased over time, people’s general awareness of cybersecurity issues and methods grew as well. As a result, media portrayals of hackers shifted to an increased realism. It stands to reason that we will continue to see increased realism and accuracy in many future portrayals of hackers since our society is so heavily technology and computer driven now and for the foreseeable future.
Module 9 journal prompt: Complete the Social Media Disorder Scale. How did you score? What do you think about the items in the scale? Why do you think that different patterns are found across the world?
Although I participate in social media from time to time and have accounts that I’ve used for over a decade, I am an infrequent user these days. I scored zero on the Social Media Disorder scale. However, as a proud member of Generation X, I was first introduced to the internet when chat rooms were incredibly popular and I would often use an application called The Palace.
In The Palace, one could choose or create an avatar that you could move around a virtual room (a background image chosen to make the “palace” look like you were hanging out in a room or venue of some sort). For a brief period, I was enthralled with the creative possibilities of the program and met a few people who became friends in real life as well. At that point in my life, I would have likely scored high on the Social Media Disorder Scale. I was lucky to have made a couple of friends and subsequently became bored with visiting chatrooms. I feel like I got very lucky that my over-use of early social media didn’t have any real-life consequences for me.
To our detriment as a society, I believe social media has become far more addictive and destructive over the years. In my youth, one was generally anonymous when visiting chat rooms. There was very little temptation to “chase clout” because there were so few ways to do so in the age if dial-up internet and AOL. Today, people frequently document the majority their daily lives on social media and suffer harsh criticism from people they may not even know.
The items on the scale are a somber reminder that we should all maintain sound judgement and err to the side of restraint when it comes to allowing the world-at-large access to the happenings of our daily lives and our beliefs. This is doubly true for generations younger than mine, as their exposure to the evils of social media started happening at a much younger age than what I experienced. We owe it to ourselves to safeguard our privacy, limit our exposure to potential psychological damage, and avoid damaging our relationships with the people we are close to.
Module 10 journal prompt 1: Watch this video. As you watch the video, think about how the description of the cybersecurity analyst job relates to social behaviors. Write a paragraph describing social themes that arise in the presentation.
https://www.youtube.com/watch?v=iYtmuHbhmS0Links to an external site.
In the video by Nicole Enesse, she provides an overview of the cybersecurity job market for entry level positions. This will be of particular interest to me and my fellow students in the near future as we strive to become marketable cybersecurity professionals. There are a number of social themes that are brought to our attention in her video as she goes through what some positions entail. Three that jump out at me are: economic status, education, and ageism.
Economic status is at the front of nearly everyone’s mind as they seek a new career and hope to achieve success. Many, if not most highly paid entry-level jobs in cybersecurity necessitate moving to a large city where cost of living is likely to be high. It presents a difficult choice to a recent college graduate. Do they move to an expensive city where much of their pay will go to rent and living expenses while they may have large student loans to contend with? Do they live in a cheaper area and hope for a job that can make ends meet?
Education is where we start to see a more positive social theme. The need for a college degree is becoming less mandatory in the computer science and cybersecurity fields. Although I believe my own path to success involves developing cybersecurity skills in college, this path is not for everyone. Some people do not have the freedom to attend college full time due to personal or family situations. The fact that people can learn about cybersecurity on their own and simply test for certifications is good for all of us and levels the playing field for those who cannot attend college.
Ageism, while not a primary focus of the video, also comes into play. Many of the entry level jobs she mentioned are aimed at younger people without family obligations who are free to work graveyard shifts as analysts. To the older population, this can create a potential barrier to getting hired. Although refusing to hire someone based on their age is illegal, it’s nearly impossible to enforce because hiring laws are well known, and nobody is likely to tell a candidate they are too old for a job. They would simply hire someone else without comment.
Module 10 journal prompt 2: Read this and write a journal entry summarizing your response to the article on social cybersecurity.
The prospect of a war that has already been in progress for decades, unbeknownst to many, is likely frightening and ominous to most of us. Yet it is fact and we are inundated with dubious information from all angles, especially when we venture onto social media. The article referenced in the journal prompt focuses primarily on Russia. However, it is important to recognize that misinformation can come from any nation-state, organization, or individual. Social media is open to anyone, which is clearly both a blessing and a curse to society.
The article discusses the fact that recent history has, for the first time, waived the requirement for physical proximity to influence society, and the decentralization of information flows has reduced the cost of entry. There is essentially no quality control for information shared on social media which places the onus of information filtering on us when we access it. We are entering an era where critical thinking is becoming increasingly crucial to our psychological health and general outlook on the state of the world.
The age of well researched, scrutinized, fact-checked articles submitted by professional journalists seems to be dying as print journalism falls out of favor and click-bait online headlines have become the norm. Attention spans appear to be suffering as a result, as does civil discussion of the issues that capture our attention.
Although I am painting a picture of doom and gloom in this journal entry, I believe we will collectively turn a corner in time. Even though people are saturated with low-quality or false information, we are becoming more aware of the pitfalls we face on social media. One day we will recognize that there are organizations and countries trying to drive a wedge between us for their own benefit and be more able to ignore rage-bait, misinformation, and divisive intents.
Module 11 journal prompt 1: Read this https://dojmt.gov/wp-content/uploads/Glasswasherparts.com sample breach letter “SAMPLE DATA BREACH NOTIFICATION” and describe how two different economics theories and two different social sciences theories relate to the letter.
The moral hazards theory of economics says a business raises its risk exposure during a transaction to maximize profit because the entity may not have to bear the repercussions of taking that risk. In our example letter, the company in question mentions that the data breach came from a third-party vendor who handles credit card transactions. Companies often hire vendors to handle payments, shipping, maintenance, etc. Although it is generally economically beneficial to outsource certain business functions, there is also an element of displaced risk. The company consumers bought from is responsible for notifying its customers, but the vendor bears the expense of recovering from breaches.
The Marxian economic theory illustrates how those with power and access to great technology collect information from those without power to leverage technology. The hypothetical company in the sample breach letter lost payment card data for nearly a year to a data breach. Such a company collects first and last names, addresses, phone numbers, payment card numbers and expiration dates, as well as valuable demographic data and purchase history. Personal information is a commodity in the modern world. Companies can leverage and often sell their access to vast amounts of information that the layperson would never have the means to compile.
Functionalism is the notion that all facets of society serve a function and are essential to the survival of that society. A company with a large online presence is a huge and vital part of our economy in the United States. As we watch increasing numbers of brick-and-mortar businesses fold as consumers purchase more goods online, online sales become the focus for most companies. During the late 1990s and early 2000s, many people were reluctant to use credit cards online for purchases. Today, online purchases, bill payments, and investments are completely normalized and prevalent. Clearly, our example company fits nicely into the concept of functionalism.
Social action theory tells us that society is based on the interactions between people in the society. When we apply this to our example, we can think of the company as someone people interact with. The theory assumes that people adjust their actions based on social contexts and how it will affect others. In the case of online transactions and the risk of losing private data to hackers, data breaches affect the value of a company. Although this is a fairly loose example, there is value in thinking of a company’s actions in the same manner we think of a person’s actions. A company that fails to protect the data of those they serve risks those people taking their business elsewhere. Furthermore, many companies are publicly owned and stock prices are affected by data breaches. If the company is large enough, this can influence global trade, supply chains, and the entire economy of a nation.
Module 11 journal prompt 2: A later module addresses cybersecurity policy through a social science framework. At this point, attention can be drawn to one type of policy, known as bug bounty policies. These policies pay individuals for identifying vulnerabilities in a company’s cyber infrastructure. To identify the vulnerabilities, ethical hackers are invited to try explore the cyber infrastructure using their penetration testing skills. The policies relate to economics in that they are based on cost/benefits principles. Read this article https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=trueLinks to an external site. and write a summary reaction to the use of the policies in your journal. Focus primarily on the literature review and the discussion of the findings.
The concept of the gig economy as it relates to cybersecurity is of particular interest to me. The idea that one could work a regular “day” and take on side projects for extra money on such a flexible basis is enticing. The pursuit of bug bounties requires a skillset most do not possess. The opportunity to leverage those hard-earned skills for extra money and the chance to further develop skills, while helping to increase security and privacy for everyone is fascinating and seems very unique to me.
I was completely unaware of the impact security breaches have on small businesses. The article references a study by Verizon that found 60% of small businesses shut down within 6 months of suffering a major breach. The fact that small companies can leverage platforms such as HackerOne to recruit talent they would likely be unable to afford otherwise is encouraging. Furthermore, the ability to have a code base tested by so many different people is a godsend for a small company. As the article mentions, “…firms should employ a host of methods and diverse groups of people to find the greatest number of bugs”. Using a platform to crowd-source bug hunting is beneficial to both the companies that submit code bases and the ethical hackers who pick up side work finding bugs.
Another benefit of the bug bounty concept I found fascinating is the ability of ethical hackers to find bugs in well-known companies. This can lead to positive publicity and could lead to lucrative job offers. The idea that a student or recent graduate can hunt bugs in their spare time and gain experience in the cybersecurity industry seems very unique and attractive to me.
Although the article says the top 7% of hackers account for nearly 40% of valid vulnerability submissions, there is still plenty of room for less experienced or skilled ethical hackers to develop their skills while still pulling in some extra money.
Module 12 journal prompt: Andriy Slynchuk has described eleven things Internet users do that may be illegal. Review what the author says and write a paragraph describing the five most serious violations and why you think those offenses are serious.
Of the potential crimes Slynchuk described in his post, I believe the five most serious violations are:
- Using torrent services
- Sharing passwords, addresses or photos of others
- Bullying and trolling
- Collecting information about people younger than 13
- Faking identity online
Although torrenting is not illegal in and of itself, an ARS Technica census found that about 99% of files on BitTorrent infringe on copyrights. The two dominant types of files on BitTorrent are movies/television shows and games or software. The two mainstays of the service also impact the economy harder than any others. This is a serious problem because the free distribution of myriad movies and software directly impacts the job market for two very significant industries for the entire global economy.
Sharing personal information about other people, also known as doxing, is a very serious problem. Use of social media platforms is so ubiquitous in the United States that it is generally the work of a few keystrokes to find at least some information about anyone you meet. Information obtained illegally through doxing opens doors for criminals to stalk, extort, exploit, blackmail, or otherwise take advantage of unsuspecting people. Grave damage to a person’s life can occur when their personal data is made public.
Bullying and trolling seem like the most obvious problems on this list. Stories of young people taking their own lives after suffering attacks by bullies and trolls are commonplace. One of the most serious and tragic prices that come with the free exchange of information is the ability to menace others and spread misinformation with near impunity.
Collecting information on children under 13 years old is deplorable. The danger from child predators is the most obvious reason why children’s data should be illegal to collect and clearly illustrates how serious the problems are that can come with data collection of young children.
Faking identity online is a major issue for our society. Romance scams, fraudulent loan and credit applications, and illegal money withdrawals are the most common crimes using fake identities. With hundreds of millions of dollars being lost to these crimes, the seriousness of fake identities is apparent.
Module 14 Journal Prompt: Watch this video and think about how the career of digital forensics investigators relate to the social sciences. Write a journal entry describing what you think about the speaker’s pathway to his career.
Everyone loves a good success story. Davin, the speaker in the journal prompt video, went to school and prepared himself for a career as an accountant. He subsequently opted into a job working in IT for his company due to his personal interest in computers. Later, he was selected for a job as a digital forensic analyst, a new field at the time. Today, Davin is the director of a digital forensic company with experience working and consulting around the globe.
People generally find stories like Davin’s compelling because they inspire or offer hope that success is possible for anyone. Although I firmly believe success is possible for anyone and everyone, I believe TED talks and other short-form stories should be viewed with cautious realism. Opportunity is often mistakenly used as a synonym for luck. However, I like to think of opportunity in a different way.
We can imagine success as a great treasure locked away in a castle and protected by a powerful wizard. The wizard offers us the treasure if we complete a series of difficult tasks. Opportunity is not the wizard simply opening the door to the treasure. Rather, opportunity is being allowed to try to exchange a lot of hard work for the treasure. Since not everyone is offered a shot at the treasure, opportunity can be unfair, exclusive, and inaccessible for many people.
Although I have painted a somewhat bleak picture of opportunity, I believe as we evolve as a society, opportunity becomes more accessible to everyone. Davin seemingly prepared himself for his career in forensics by being a computer hobbyist right as the field forensics was emerging. It is safe to assume few people were offered the opportunity to pursue a forensics career at the time. Davin was able to exchange hard work for great success, but he was essentially a lottery winner when we consider how few others were at the cutting edge of a new career field.
Today, with the progression of technology over the last two decades, we can study digital forensics, or any other aspect of the cybersecurity professions in school and become certified to prove our skills to employers. Opportunity has become more inclusive and universal. Although we have not reached an era where opportunity is truly equal for all, we have taken large steps in the right direction. In a perfect world, we would all have opportunity for fulfilling and lucrative careers. We clearly do not have this yet, but we are progressing in the right direction and gaining speed as technology advances.
Article Review 1
Social Sciences and the Classification of Social Media Bots
This paper will analyze an article about a study to identify features indicative of anomalous behavior between benign and malicious bots. The study asserts that current efforts to research how to differentiate between malicious and benign bots is inadequate. (Mbona & Eloff, 2023)
The article reviewed uses the principles of relativism, objectivism, and skepticism in its call for more robust study of accurately classifying the use of bots used on social media platforms. Relativism is the notion that morality is measured by its relation to societal or cultural norms and is not absolute. Since social media is arguably woven into the fabric of society in our time, the relative nature of hostile or neutral bot use is self-evident.
Objectivism is essentially impartiality. Mbona and Eloff show no signs of a hidden agenda and seek to improve the work of previous studies. It can be said that their analysis of the gaps in previous studies shows inherent objectivity. We can easily infer skepticism as a partner to objectivity in this study. The fact that the authors have analyzed previous studies and questioned their findings is the heart of what science is about. One cannot conduct a scientific study of any value without the willingness to question every aspect of our assumptions and beliefs to either prove or disprove them.
As the study examines the classification of bots used on social media, it takes on an important issue of marginalized groups, which is integrity of information. As we learn in cybersecurity courses, Confidentiality, Integrity, and Availability are the three sides of the model used to guide policies for information security. The inherent trait of all marginalized groups is that they are discriminated against and at a social disadvantage in society. When it comes to social media, if a powerful group can make use of malicious bots to seed social media platforms with misinformation or false rhetoric. When done at a large scale, false information can make its way into mainstream media outlets and the daily conversations of millions. Disadvantaged groups are naturally far less capable or resourced to fight misinformation.
This study makes an important contribution to society in its call for the need to fight malicious actors on social media platforms to prevent the spread of misinformation and social unrest. It also seeks to improve one of the main tools we use to interact with one another. If all social media platforms had a way to accurately classify bots for targeted removal, it would prevent asymmetrical representation of fringe, hostile elements in the things we consume from social media every day.
The researchers of this paper made note of anomalies in previous studies, insufficiently large datasets, and the inclusion of deactivated or inactive accounts. These methods for analyzing the quality of previous data allow researchers to duplicate and improve on previous studies to ensure more accurate and objective findings.
The use of bots to sway elections or cause political unrest is a daunting problem to our society. It is of vital importance that we make use of technology to assist us in our efforts to ensure the integrity of the media we consume. The need for continued and rigorous efforts to improve our ability to implement technology in this fight is clearly spelled out in the article reviewed.
Article Review 2
Understanding the Connection Between Hackers and Their Hacks: Analyzing USDOJ Reports for Hacker Profiles Analyzing USDOJ Reports for Hacker Profiles
The article I chose to review, from the International Journal of Cybersecurity Intelligence & Cybercrime, sought to determine if there is a relationship between the age, gender, and nationality of hackers and the characteristics of the cyberattacks that they perpetrate. (Gerstenfeld, 2023) It also attempts to view how hackers relate to the characteristics of their own hacks. (Gerstenfeld, 2023) The writer acknowledges that the study of hackers and their crimes is challenging because cybercriminals are relatively small in number and difficult to access. (Gerstenfeld, 2023)
To analyze the potential relationships between hacker demographics and their crimes, researchers used 122 press reports from the United States Department of Justice (USDOJ) from January 2019 to December 2021. The authors also used a classification system developed by S. Chng, H. Y. Lu, A. Kumar, and D. Yau in 2022. Their system breaks hackers down into 13 types based on their objectives and skill levels. The authors acknowledge that, due to the difficulty in accessing hackers and the fact that the term “hack” can apply to many different cybercrimes, the findings of their paper are limited, and they call for more research in the future. (Gerstenfeld, 2023)
Researchers identified variables involved in hacks such as use of insider information, social engineering, and attacker-built software. They also checked for political/national elements and the number of hackers involved. (Gerstenfeld, 2023) The author also further acknowledged that the nature of USDOJ press releases did not always provide enough information to fully determine if a variable applied to a particular case.
Demographics from USDOJ reports and interviews with hackers were both used to reveal shared traits. The author noted that hackers share traits such as an analytical thinking style and high self-confidence. It scored a level of sophistication using the variables of insider information, social engineering, and purpose-built software. (Gerstenfeld, 2023)
In our class, we studied the concept of relativism, or the study of how things are related, and how the criminal justice system develops new ways to respond to crime. This study calls mentions the author’s desire to provide law enforcement with useful information to address cybercrime in the future. Furthermore, the article sought to more clearly show the relationship between criminals and their crimes as a useful tool for preliminary profiling by law enforcement as they investigate cybercrimes.
The author notes that most cybercrimes are perpetrated by white males of widely varying ages. One effect of this finding is that it may take some undue pressure off marginalized groups due to false assumptions by law enforcement personnel. However, international cybercrime raises another potential concern for marginalized groups such as the immigrant community. The article states that Korean hackers were more likely to hack nations other than their own. While this statement is based on data researchers found, the current political climate creates a potential danger of prejudice and lack of objectivity.
I believe this study makes two very important societal contributions. First, it acknowledges its own flaws and calls for increased research into cybercrime and more robust access to data and cybercriminals. Since cybercrime is relatively new in societal terms, it is important to highlight our shortcomings and make efforts to improve. Second, the article was written with the specific intent to provide law enforcement with useful information and tools to help them investigate cybercrimes. Law enforcement in our country has improved over time and become less susceptible to prejudice, but there is always room for improvement. The author’s efforts to provide information that can help law enforcement find starting points for their investigations in a more objective manner is laudable and always a positive contribution to society.
Career Paper
Cybersecurity Penetration Testing and the Social Sciences
A penetration tester (pen tester), often called an ethical hacker, is one who is hired by
companies, organizations, or government agencies to conduct specifically authorized, non-
malicious attacks on networks and other systems to test the security and resilience of their
security measures. A pen tester leverages social interactions and common social traits of humans
to gain access to networks to improve security and create a target-hardening effect. The fact that
98% of cyber-attacks rely on social engineering (Nguyen & Bhatia, 2020) gives an inherently
interdisciplinary quality to the field of penetration testing.
One unique aspect of the job of a pen tester is when they are physically present at a
workplace and acting as a complete participant, or one who participates without others knowing
they are a researcher. To conduct a useful test of an organizations cybersecurity health, a pen
tester often builds knowledge of employees using open-source intelligence (OSINT). They then
use that information to trick employees into thinking they are justified in providing information
to someone who needs it for legitimate purposes. It would defeat the purpose of pen testing if
employees knew they were being tested, and therefore it requires the complete participant
approach. (Hatfield, et al., 2019)
Another important social aspect of pen testing is the concept of empiricism. A pen tester
is responsible for providing accurate and realistic reports of their findings to whoever hired them.
Such reports must be free of unsubstantiated opinions or hunches. A pen tester must study behavior and facilities with first-hand knowledge gathered through field testing which is the same means a cyber attacker would. This is not to say that a pen tester would not or should not explore a hunch based on personal experience, but that the hunch must be substantiated by real-world findings.
Although a pen tester employed to finesse their way into a workplace and ethically hack
networks may not have specific training in the field of psychology, there is no doubt the concepts
of psychology as a social science come into play. A pen tester uses the cognitive school of
psychology to empathize with targets. Knowledge of the mental processes an employee uses to
choose or remember passwords is a key example. A pen tester is looking for the easiest way to
gain access to the network and people are always the weakest link in the cybersecurity chain.
They also rely on social-cultural psychology. For example, a pen tester may attempt to
bypass a keycard protected entry by carrying a large load of boxes or pretending to need crutches
to walk. People are far more likely to hold a door for someone who seems to need help because
they want to avoid appearing rude. If a pen tester is familiar with Maslow’s Hierarchy of Needs,
they know people have esteem and relationship needs. The feeling of helping someone who
seemingly cannot help themselves meets these needs. A good pen tester knows how to exploit
social-cultural norms for their job.
The field of criminology also relates heavily to the job of a pen tester. In order to become
an ethical hacker, one must study methods and mindsets used by criminals to conduct cyber-
attacks. Criminologists use concepts such as rational choice perspective and routine activities
theory to study cyber criminals and the choices they make. (Rege, 2014) Although the pen tester
is not likely to participate directly in criminological research, there is a symbiotic relationship
between criminologists and pen testers. The pen tester gleans wisdom from the findings of criminologists, and the criminologist makes use of the methods and techniques used by pen testers to understand adversarial decision making in cyber-attacks. (Rege, 2014)
A career in penetration testing addresses many concerns for marginalized groups. As the
world moves away from the dominant use of hard currency and our economy becomes
increasingly global, the need for digital financial services grows. Unbanked or underbanked
people across Africa are starting to use the digital financial system, and as a result they put
themselves at risk of abuse and malicious exploitation. (Anthony, 2023) For wealthy nations,
citizens loss of money through cyber-crime is mitigated heavily by financial institution
insurance. For those in developing nations, the cost of fraud has more impact on individuals.
(Anthony, 2023) As those nations further develop, penetration testers will clearly become a vital
part of the job market in those countries.
Lack of secure and affordable hardware is another significant concern for low-income
socioeconomic groups. Although technology steadily becomes more accessible to poor people,
those people do not typically get current devices with the latest security patches and may be
unable to afford the bandwidth to download regular updates. (Anthony, 2023) In order to protect
the economically disadvantaged from exploitation, pen testers work to decrease the chances of
unauthorized access to money by criminals.
Lack of education in proper security and manipulation techniques used by criminals is
another major concern for those who are forced to use older devices and more primitive means of
managing funds. Those of us who grow up in industrialized, wealthy nations are inoculated
against the common scams and social engineering attempts used by criminals. For those raised in
poverty or developing nations, the sudden introduction of digital financial services for banking
creates a wealth of soft targets for cyber-criminals. One of the core purposes of a penetration tester is to foster target hardening. As developing nations grow and improve digital infrastructure, the role of pen testing will be introduced to nations where such jobs have never existed.
With the world becoming a smaller place every day as technology and connectivity
advances, penetration testing becomes more essential on a global scale. In the same manner
electricians are essential to maintenance power grids, penetration testers are vital to ensure
everyone who uses technology is as protected as possible from criminals who seek to exploit
weak points for illicit gain.
Works cited:
Nguyen, T., & Bhatia, S. (2020). Higher Education Social Engineering Attack Scenario,
Awareness & Training Model . Digital Commons Sacred Heart University.
https://digitalcommons.sacredheart.edu/
Anthony, A. (2023, March 13). Cyber resilience must focus on marginalized individuals, not just
institutions – carnegie endowment for international peace. carnegieendowment.org.
https://carnegieendowment.org/2023/03/13/cyber-resilience-must-focus-on-marginalized-
individuals-not-just-institutions-pub-89254
Hatfield, J. M., Mouton, F., Arendt, H., Baha, A.-S., Brenner, J. E., Chauhan, S., Davidson, D.,
Dimkov, T., Drake, J. R., Elovici, Y., Finn, P. R., Fulton, E., Hursthouse, R., Jefferson, T.,
Johnson, M., Johnson, M. R., Jones, H. S., Jones, W. T., … Levy, Y. (2019, February 28).
Virtuous human hacking: The ethics of Social Engineering in penetration-testing.
Computers & Security.
https://www.sciencedirect.com/science/article/abs/pii/S016740481831174X
Rege. (2014). A Criminological Perspective on Power Grid Cyber attacks: Using Routine
Activities Theory to Rational Choice Perspective to Explore Adversarial Decision-
Making. Journal of Homeland Security and Emergency Management, 11(4), 463–487.
https://doi.org/10.1515/jhsem-2013-0061