Abstract
While ‘thinking like an attacker’ is a perspective commonly put forward in security, the usefulness and value of focussing on attackers when thinking about threats is contested in the security community, especially in the area of threat modelling. Using the case example of digital banking, this thesis aims to examine and discuss attacker-centric approaches and thinking in security: both at a high-level to evaluate the views of security professionals regarding such methods, but also specifically focussing on key examples of attacker-centric tools such as attacker categorisations and personas.
The intent behind this work is therefore two-fold: firstly, an enquiry into attacker-centric security thinking and its methods; and secondly, a detailed analysis of attacker-related data, resulting in a presentation of key characteristics and behaviours of digital banking attackers. To realise this, a dataset of over 300 items of open source information on cases of cybercrime against digital banking systems is analysed using grounded theory, identifying factors such as personal traits, group structures and geography as well as modus operandi, targets and legal implications.
Building on these results, an attacker typology containing seven attacker types is proposed, including a heuristic evaluation. Forming the second study within this thesis, a construction method borrowed from user-centred design is adopted to build a set of seven realistic, but fictional, attacker personas. An enquiry into the perception of these attacker personas using a survey study amongst 85 financial services practitioners is completed for validation purposes. A third study examines the role of attacker-centric approaches and thinking in security through 12 in-depth interviews with senior financial services practitioners.
Several original contributions can be identified for this thesis. An overview on malicious users (attackers) in a specific business context is provided, including a detailed investigation into the nature of digital banking attackers grounded in real-life data. Existing socio-technical methods are evaluated and extended using these initial findings, producing tangible and data-driven outputs in the form of an attacker typology and attacker personas specific to digital banking. A unique focus on attacker-centric security thinking in theory and practice is offered, providing guidance on how such approaches may be used in both academic research
and security practice in the future.
The intent behind this work is therefore two-fold: firstly, an enquiry into attacker-centric security thinking and its methods; and secondly, a detailed analysis of attacker-related data, resulting in a presentation of key characteristics and behaviours of digital banking attackers. To realise this, a dataset of over 300 items of open source information on cases of cybercrime against digital banking systems is analysed using grounded theory, identifying factors such as personal traits, group structures and geography as well as modus operandi, targets and legal implications.
Building on these results, an attacker typology containing seven attacker types is proposed, including a heuristic evaluation. Forming the second study within this thesis, a construction method borrowed from user-centred design is adopted to build a set of seven realistic, but fictional, attacker personas. An enquiry into the perception of these attacker personas using a survey study amongst 85 financial services practitioners is completed for validation purposes. A third study examines the role of attacker-centric approaches and thinking in security through 12 in-depth interviews with senior financial services practitioners.
Several original contributions can be identified for this thesis. An overview on malicious users (attackers) in a specific business context is provided, including a detailed investigation into the nature of digital banking attackers grounded in real-life data. Existing socio-technical methods are evaluated and extended using these initial findings, producing tangible and data-driven outputs in the form of an attacker typology and attacker personas specific to digital banking. A unique focus on attacker-centric security thinking in theory and practice is offered, providing guidance on how such approaches may be used in both academic research
and security practice in the future.
| Original language | English |
|---|---|
| Qualification | Ph.D. |
| Supervisors/Advisors |
|
| Award date | 1 Mar 2021 |
| Publication status | Unpublished - 2020 |
Keywords
- information security
- threat modelling
- attacker-centric
- attacker profiles
- human factors
- human-computer interaction
- digital banking
- cybercrime
