Evidence-Based Cybersecurity : Foundations, Research, and Practice/ Pierre-Luc Pomerleau & David Maimon.

The prevalence of cyber-dependent crimes and illegal activities that can only be performed using a computer, computer networks, or other forms of information communication technology has significantly increased during the last two decades in the USA and worldwide. As a result, cybersecurity scholars and practitioners have developed various tools and policies to reduce individuals' and organizations' risk of experiencing cyber-dependent crimes. However, although cybersecurity research and tools production efforts have increased substantially, very little attention has been devoted to identifying potential comprehensive interventions that consider both human and technical aspects of the local ecology within which these crimes emerge and persist. Moreover, it appears that rigorous scientific assessments of these technologies and policies "in the wild" have been dismissed in the process of encouraging innovation and marketing. Consequently, governmental organizations, public, and private companies allocate a considerable portion of their operations budgets to protecting their computer and internet infrastructures without understanding the effectiveness of various tools and policies in reducing the myriad of risks they face. Unfortunately, this practice may complicate organizational workflows and increase costs for government entities, businesses, and consumers.

The success of the evidence-based approach in improving performance in a wide range of professions (for example, medicine, policing, and education) leads us to believe that an evidence-based cybersecurity approach is critical for improving cybersecurity efforts. This book seeks to explain the foundation of the evidence-based cybersecurity approach, review its relevance in the context of existing security tools and policies, and provide concrete examples of how adopting this approach could improve cybersecurity operations and guide policymakers' decision-making process. The evidence-based cybersecurity approach explained aims to support security professionals', policymakers', and individual computer users' decision-making regarding the deployment of security policies and tools by calling for rigorous scientific investigations of the effectiveness of these policies and mechanisms in achieving their goals to protect critical assets. This book illustrates how this approach provides an ideal framework for conceptualizing an interdisciplinary problem like cybersecurity because it stresses moving beyond decision-makers' political, financial, social, and personal experience backgrounds when adopting cybersecurity tools and policies. This approach is also a model in which policy decisions are made based on scientific research findings.

Authors Biography

Biography
Dr. Pierre-Luc Pomerleau is a Partner at VIDOCQ. His role consists of assisting VIDOCQ’S clients in growing their business and innovating while managing their risks and protecting their assets. He does so by bringing years of experience and deep expertise in cybercrime, investigation, fraud prevention, anti-money laundering, physical security, business administration, technology, and risk management. Before joining VIDOCQ, he was Vice President at National Bank of Canada, managing the Financial Crime and Corporate Security division, including data analytics and innovation.

Dr. Pomerleau holds a Ph.D. in Business Administration with a specialization in Homeland Security from Northcentral University (USA), an MBA from the University of Sherbrooke (Canada), and a bachelor's degree in criminology from the University of Montreal (Canada). He holds various security and financial crime professional certifications such as the CPP, PSP, PCI, CFE, CAMS, CCCI & CFCI certifications. In addition to his role with VIDOCQ, Dr. Pomerleau is currently an adjunct in cybersecurity at Polytechnique Montreal. From 2020 to 2021, he was a postdoctoral researcher and a research associate in cybercrime at Georgia State University (USA). In 2020, he published his book Countering Cyber Threats to Financial Institutions; A Private and Public Partnership Approach to Critical Infrastructure. From 2015 to 2018, he was the President of the Association of Certified Fraud Examiner Montreal Chapter. In October 2016, he was awarded an honorary diploma by the University of Montreal School of Criminology for his exemplary contribution to the advancement of society.

Dr. David Maimon is an Associate Professor in the Department of Criminal Justice and Criminology at Georgia State University (GSU) and the director of the Evidence-Based Cybersecurity research group (see ebcs.gsu.edu). He received his Ph.D. in Sociology from the Ohio State University in 2009. Prior to joining GSU, Dr. Maimon held academic position in the Department of Criminology and Criminal Justice in the University of Maryland, and the Department of Sociology in the University of Miami. In 2015 he was awarded the "Young Scholar Award" from the "White-Collar Crime Research Consortium of the National White-Collar Crime Center" for his cybercrime research. Throughout his career he has raised more than $3 million to conduct Evidence-Based Cybersecurity research. Since joining GSU, Dr. Maimon has established the Evidence-Based Cybersecurity Research Group, where he and his researchers seek to produce and review multi- and interdisciplinary empirical evidence about the effectiveness of cybersecurity tools and policies. The group and its unique approach to cybersecurity education and research have been acknowledged on popular media platforms (https://edtechmagazine.com/higher/article/2020/09/training-next-generation-cyber-professionals). Moreover, the group's close relationships with cybersecurity professionals in several industries and law enforcement agencies have led to the adoption of the Evidence-Based Cybersecurity approach by several organizations. Dr. Maimon teaches the course "Intro to Evidence-Based Cybersecurity" at the undergraduate level, and "Evidence-Based Cybersecurity" at the graduate level.

TABLE OF CONTENTS Foreword xv

About the authors xvii

Acknowledgment xix

1 The case for an evidence-based approach to cybersecurity 1

The evidence-based approach 3

Evidence-based medicine 4

Evidence-based policing 5

Evidence-based learning 6

The case for evidence-based cybersecurity 7

References 9

2 Computers, computer networks, the Internet,

and cybersecurity 11

Introduction: computers and computer networks 11

The open system interconnection (OSI) model

and the communication process 13

The importance of cybersecurity 14

The cybersecurity ecosystem 16

Cybersecurity doctrines, practices, and policies 18

Current practices, tools, and policies to secure cyber infrastructures 23

References 25

3 Human behavior in cyberspace 29

Introduction: cybercrime and cyberspace 29

Four key actors within the cybercrime ecosystem 31

The offenders 31

The enablers 32

The victims 33

The guardians 33

Human behaviors as a central element of cybercrime 34

The human factor in the literature on cybercrime 36

A look inside the organization 37

Conclusion 39

References 39

4 Criminological, sociological, psychological, ethical, and

biological models relevant to cybercrime and cybercriminals 43

Introduction 43

Criminological and sociological models relevant to cybercrime 43

The routine activity approach and the problem analysis triangle 44

Environmental criminology 45

Situational crime prevention 47

Anthropological criminology and ethnographic studies 48

Biosocial criminology 50

Psychology and cyberpsychology in the management of cybercrime 51

Cyberpsychology 52

Philosophical and ethical models 54

Hard determinism and crime 54

Compatibilism and crime 55

References 57

5 Science and cybersecurity 63

Introduction 63

The importance of quantitative, qualitative, and mixed research 64

Quantitative, qualitative, or mixed methods? 65

Science, theories, and facts 65

Science in cybersecurity 68

Case reports 70

The problems with surveys, benchmarks, and

validation testing in cybersecurity 71

Surveys 71

Benchmarks 72

Validation testing 72

Research designs in cybersecurity 73

Fundamental observational and controlled research 73

Case-control 74

Simulations 75

Longitudinal research 75

The difference-in-differences research method 76

Time-series design 78

Field research 79

Conclusion 79

References 80

6 Network security and intrusion detection systems 85

Introduction 85

Network security and intrusion detection systems

in cybersecurity 86

Intrusion detection system categories 87

Endpoint detection systems (EDSs) 89

Security information and event management (SIEM) systems 90

Data loss prevention (DLP) 91

Challenges in evaluating security tools 92

Surveys and think tanks reports 93

Intrusion-detection assessment metrics 94

The way forward in protecting the network from intrusions 95

Data science: data analytics, machine learning,

and artificial intelligence 95

From a rule-based approach to data analytics 96

Machine learning and artificial intelligence 97

The use of honeypots in intrusion detection and network security 98

An evidence-based approach 101

Conclusion 101

Note 102

References 102

7 The Internet of Things (IoT), data security, and website

security 109

Introduction 109

The IoT 110

What risks are associated with the IoT? 111

Online attacks against IoT 114

IoT architecture and protocol stack 115

IoT risk frameworks 116

IoT security tools and defense techniques for data security 117

Network intrusion detection systems (NIDSs)

in an IoT environment 119

Metrics to measure effectiveness 120

Examples of IoT security empirical research designs 120

Website security 121

Web defacement 122

An example of evidence-based research design 124

Threat hunting: a proactive approach to mitigating

risks to IoT, data security, and website security 125

Conclusion 126

References 127

8 Data privacy, training, and awareness and cybersecurity

frameworks 133

Introduction 133

Data privacy 133

Digital risks 134

Data breaches 135

Cybersecurity governance 135

Information security control frameworks 137

ISO 27001 and 27002 137

NIST 138

Laws, regulations, and industry standards 139

The General Data Protection Regulation (GDPR) 139

PCI DSS – payment card industry 139

HIPAA – health-related information 140

New York Department of Financial Services

(NYDFS) cybersecurity regulations 140

Cybersecurity training and awareness 141

Games and gamification 142

Assessment tools 144

The Federal Financial Institution Examination

Council (FFIEC) cybersecurity assessment tool 144

Research methods to evaluate cybersecurity

awareness tools 145

Additional practical tools 145

Targeted audit and penetration testing 145

Surveys and executive workshops 146

Risk assessment 146

Impact and probability levels to assess risks 147

Relevant conceptual and research designs 148

Other examples of related work 150

Conclusion 151

Notes 152

References 152

9 Risk and threat intelligence: The effectiveness of online

threat intelligence in guiding financial institutions’ incident

response to online banking account takeovers 159

Introduction 159

Background 160

Bank ATO and financial institutions response 160

Situational crime prevention 161

Denying benefits as a proactive incident response

to ATO incidents 162

Threat intelligence and responding to ATO incidents 166

The current study 167

Data and methods 168

Results 169

How prevalent is information on breached bank

accounts on text message applications? 169

How much of the information posted on the dark

web or online encrypted applications is valid? 170

How much of this intelligence is actionable and could be

used to support financial institutions’ incident response? 172

How much money could an effective intelligence-based

incident response to ATO save for the victim? 172

Discussion 174

Limitations 176

Conclusion 176

Notes 177

References 177

10 The future of evidence-based cybersecurity 181

Introduction 181

The advancement of technology and the intertwining

of our digital and physical lives 182

Future cybersecurity threats to consider 182

Common specific threats to consider in the future 184

Email security and social engineering 184

Ransomware attacks 184

Single-factor authentication 185

Future sophisticated threats 187

Quantum computing 187

Blockchain threats 188

Machine learning and artificial intelligence 189

Deepfakes 191

State-level hackers and nation-state attacks 191

List of suggestions and recommendations 193

Rethink investment in cybersecurity 193

Law enforcement 194

Academics 194

Governments and private organizations 195

Education 195

Multidisciplinary cybersecurity teams 195

Threat hunting tools and techniques 196

Learning from mistakes 197

Homomorphic encryption and privacy 198

The Zero Trust approach 199

Public and private partnerships 200

An evidence-based cybersecurity approach to developing

new and innovative detection and mitigation approaches 201

Conclusion 203

References 203

Index 209

Critics' Reviews

This is a tremendous resource for every security professional and organization whose goal is to improve their cybersecurity posture. The evidence-based cybersecurity approach ties the criticality of understanding human behavior with the technical aspects of cyber-crime. A true data centric treasure trove of valuable knowledge."

- Kausar Kenning, Executive Director, Cyber Security, Morgan Stanley

"Despite its technical nature, the evidence base supporting cybersecurity as a field of practice remains flimsy, at best. Some have even compared cybersecurity to "medieval witchcraft". This timely and essential book provides a much needed and comprehensive overview of the available evidence and of the knowledge gaps that persist, also charting the path ahead for a more scientific approach to the design, implementation, and evaluation of cybersecurity measures."

- Dr. Benoît Dupont, Professor of Criminology, University of Montreal, Canada, and Canada Research Chair in Cybersecurity.

"Dr. Pomerleau does a masterful job of deep diving into the realm of contemporary Cybersecurity. Beyond recounting the historical evolution of Cybersecurity, Pomerleau astutely weaves together a traditional IT risk management system approach with a multi-faceted humanistic approach (with ethical, sociological, psychological, and criminal elements) to present a comprehensive how-to guide for evidence-based Cybersecurity analysis."

- Dr. David L. Lowery, Full Professor of Homeland Security & Public Administration, Northcentral University