Monday, April 15, 2019

Dark markets, threat cumulativity, siegeware, and a cybercrime barometer

This is an update on five parts of my research and writing so far this year. The first part built on a suggestion from ESET PR Manager Anna Keeve: help people better understand the cybercrime threat by showing them the "dark markets" that are used to sell stolen information and buy the tools with which to steal it. So I decided to highlight their “evolution” into mainstream online services for enabling cybercrime.

1. Next Generation Dark Markets? Think Amazon or eBay for the criminally-inclined
In addition, Anna set up a session with the wonderful folks at Marketplace on NPR. So, if you want to hear more about the dark web, close your eyes and take this audio tour: Exploring the dark web with Kai Ryssdal on Marketplace

Wednesday, February 20, 2019

It's official: I'm an award-winning technologist

Earlier this month I was delighted to receive a CompTIA Tech Champion Award, "recognizing leaders focused on driving innovation, job growth and advancements for the information technology (IT) industry." There was even a press release and a video!



Saturday, February 16, 2019

Risk assessment and situational awareness: minding the gender gap

Consider this: a man and a woman get into an elevator.

Which one is doing risk assessment:

the man or the woman?

I've been posing this question to random groups of people on the fringes of information security and cyber-workforce events for about a year now and the results have been very interesting to say the least. Almost without exception women respond by saying "the woman." And while I can honestly say that this is what I had expected, I continue to be surprised by two things.
  • How quickly that response is voiced, usually in less than a few seconds. 
  • How many women, after answering, proceed to share - without any encouragement - their personal elevator strategies (more on these later).
Also interesting: I have not yet heard a woman say: "I've never really thought about it."

How do men answer? A lot of them do eventually say "the woman" and I take that as a positive sign. It suggests that those men understand one of the fundamental realities of gender inequality in our society: women have had to adapt to living with a higher base level of fear for their personal safety than men.

But there are some men who hesitate before answering. You see quite interesting facial expressions when someone in mixed company answers "the woman" very quickly and decisively. And yes, some men seem genuinely puzzled. For those in doubt, I suggest some reading, like Rage Becomes Her.

Fear, risk perception and social science 

My original motivation in asking this question was to get a quick sanity check on a hypothesis that I had formed while researching risk perception as it relates to technology: women tend to see more risk in technology than men and so increasing female participation in technology development and cybersecurity may reduce risk and increase security.

Some results from the more formal research into risk perception as it relates to gender and technology are illustrated in the graph below - read more about the work here.


Of course, posing the elevator question to random groups of people does not count as formal social science. The reactions that I get may be influenced by the uncontrolled demographics of the group (all female, all male, mixed). That said, I'd love to hear from anyone who is in a position to do a more formal study.

What the graph above illustrates is the gender gap in technology-related risk perception. Numerous studies have documented this over the course of several decades (see the 1994 paper "Gender, race, and perception of environmental health risks" by Flynn, Slovic, and Mertz for early references: Risk Analysis, 14, pp. 1101-1108).

As far as I know, it was studies of public sentiment around environmental issues that led to the first documentation of a gender gap in technology-related risk perception. The research that I did with my colleague at ESET, Lysa Myers, was to the best of my knowledge the first to show that this gender gap also exists with respect to risks related to digital technologies. That finding led me to hypothesize that women - on average or in the aggregate - are more risk aware than men when it comes to technology.

A counter-argument might be that men are more realistic in their assessment of risk because the true level of risk is lower than women think and closer to the population mean. However, it is my opinion that many technology risks are higher than the mean, therefore I would argue that women are more accurate in their technology risk perception than men (on average or in the aggregate).

Research into the gender and ethnic variations in risk perception has shown that white males, as a whole, see less risk in technology than black males, white females, or black females (these were the names of the categories used by the researchers). But that score - which has been dubbed the white male effect - is the result of a subset of white males seeing drastically less risk than anybody else. The group, possibly 30% of white males, lowers the overall risk scores for all white males, creating the gap you see in this chart from the 1994 Flynn, Slovic, and Mertz study (adapted):

As I indicated earlier, this study was not an outlier; other studies point in the same direction and I am not aware of any that point in the opposite direction (I did look for them). You can find quite a few studies, as well as deep dives into why some people see less risk in technology than others, at the Cultural Cognition Project at Yale Law School.

What does it all mean? As I suggested in my TEDx talk a few years ago, I think it means that the rate at which new technology risks are created would go down if decision-making roles in tech companies were more evenly distributed between genders.

Back then I said "we need more women in decision-making roles" and some surveys suggest that there are now more women in such roles than there used to be; but I think we are nowhere near the level of gender equality needed to put the brakes on fresh technological blunders.

In the coming months and years I will continue to articulate these views. In the meantime, I have another study concept you might want to consider. Document what happens when you ask women this question: "What goes through your mind if you're alone in an elevator and a man gets on?"

I think you will hear some interesting personal elevator strategies. The ones that I have heard certainly gave me a better sense of just how different life still is for women and men.

Thursday, January 24, 2019

How serious is the cybercrime problem in America?

The short answer to "how serious is the cybercrime problem in America?" is: Way more serious than our government seems to realize. That is one of the conclusions that can be drawn from recent ESET research into public attitudes to cybercrime, cybersecurity, and data privacy.

To check out the details, please visit this article I wrote at WeLiveSecurity, which is where you can download the full report. It has some pretty solid that may help us persuade policy makers to move cybercrime deterrence up the public policy agenda and make it the #1 priority that it should already be.

Frankly, as a student of criminology I was shocked to see that respondents thought cybercrime was a more important challenge than drug trafficking or money laundering. Almost equally worrying was the finding that less than half of Americans surveyed think that the authorities, including law enforcement, are doing enough to fight cybercrime.

So here is the conclusion that I wrote for the survey report: unless cybersecurity initiatives and cybercrime deterrence are made a top priority of government agencies and corporations, the rate at which systems and data are abused will continue to rise, further undermining the public’s trust in technology, trust that is vital to America’s economic well-being, now and in the future.

Please take a moment to share this information...thank you!