Behavioral Cybersecurity
Applications of Personality Psychology and Computer Science
Wayne Patterson
Cynthia E. Winston-Proctor
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2019 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed on acid-free paper
International Standard Book Number-13: 978-1-138-61778-0 (Hardback)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Library of Congress Cataloging-in-Publication Data
Names: Patterson, Wayne, 1945- author. | Winston-Proctor, Cynthia E., author.
Title: Behavioral cybersecurity : applications of personality psychology and computer science / Wayne Patterson and Cynthia E. Winston-Proctor.
Description: Boca Raton : Taylor & Francis, CRC Press, 2019.
Identifiers: LCCN 2019000325 | ISBN 9781138617780 (hardback : alk. paper) | ISBN 9780429461484 (e-book)
Subjects: LCSH: Computer security. | Computer fraud. | Hacking. | Social engineering.
Classification: LCC QA76.9.A25 P3845 2019 | DDC 005.8--dc 3
LC record available at https://lccn.loc.gov/2019000325
Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com
Dedication
To my partner in life for almost half a century: Savanah Williams. A most incredible woman who inspires me every day, who has chosen her own incredible paths, and who somehow manages to cope with my difficult challenges; and also to my friends Hamid, Orlando, Martin and Arun, who continue to encourage all my work.
Wayne Patterson
I would like to dedicate this book to my loving family with the hope it inspires the Lindsey generation to pursue solving complex problems by integrating psychology and computer science.
Cynthia E. Winston-Proctor
Since the introduction and proliferation of the Internet, problems involved with maintaining cybersecurity have grown exponentially and evolved into many forms of exploitation.
Yet, cybersecurity has had far too little study and research. Virtually all of the research that has taken place in cybersecurity over many years has been done by those with computer science, electrical engineering, and mathematics backgrounds.
However, many cybersecurity researchers have come to realize that gaining a full understanding of how to protect a cyberenvironment requires not only the knowledge of researchers in computer science, engineering, and mathematics, but also that of those who have a deeper understanding of human behavior: researchers with expertise in the various branches of behavioral science, such as psychology, behavioral economics, and other aspects of brain science.
The authors, one a computer scientist and the other a psychologist, have attempted over the past several years to understand what each approach can contribute to cybersecurity problems, and how each can benefit from the integrated approach that we have tended to call behavioral cybersecurity.
The authors believe that the research and curriculum approaches developed from this integration make this a first book to take this approach to cybersecurity. This book incorporates traditional technical, computational, and analytic approaches to cybersecurity, as well as psychological and human factors approaches.
Among the topics addressed in the book are:
Introductions to cybersecurity and behavioral science
Profiling approaches and risk management
Case studies of major cybersecurity events and Fake News
Analyses of password attacks and defenses
Introduction to game theory and behavioral economics, and their application to cybersecurity
Research into attacker/defender personalities and motivation traits
Techniques for measuring cyberattacks/defenses using cryptography and steganography
Ethical hacking
Turing tests: classic, gender, age
Lab assignments: social engineering, passwords in the clear, privacy study, password meters
The history of science seems to evolve in one of two directions. At times, interest in one area of study grows to the extent that it grows into its own discipline. Physics and chemistry could be described in that fashion, evolving from natural science. There are other occasions, however, when the underlying approach of one discipline is complemented by a different tradition in a totally separate discipline. The study of computer science can be fairly described as an example of that approach. When the first author of this book was a doctoral student at the University of Michigan in the 1970s, there was no department of computer science. It was soon born as a fusion of mathematics and electrical engineering.
Our decision to create this book, as well as several related courses, arose from a similar perspective. Our training is in computer science and psychology, and we have observed, as have many other scholars interested in cybersecurity, that the problems we try to study in cybersecurity require not only most of the approaches in computer science, but more and more an understanding of motivation, personality, and other behavioral approaches in order to understand cyberattacks and create cyberdefenses.
As with any new approach to solving problems that requires knowledge and practice from distinct research fields, there are few people with knowledge of both of the widely separate disciplines, so persons interested in either field need an opportunity to gain some knowledge of the other. We have attempted to provide such a bridge in this book, which we have entitled Behavioral Cybersecurity.