Combating cybercrime

Cyber Security and Cyber Crime experts in the University's Schools of Computer Science and Informatics and Social Sciences have been awarded £1.2M to study the human and technical factors in cybercrime.

Funded by the EPSRC/ESRC Global Uncertainties Consortia for Exploratory Research in Security (CEReS), the project will see collaboration between computer scientists, criminologists, lawyers, psychologists, economists and mathematicians.

Cyber attacks have extraordinary potential to impact on the economic and social well-being of individuals and businesses. More services and functions move online every year, creating newer and more complicated threats. The UK National Security Strategy categorises cyber attacks as one of its four Tier One Priority Risks. It is estimated that at least 20 foreign intelligence services are currently operating to some degree against UK interests in cyberspace. It is widely expected that cyber attacks will be a key aspect of future warfare and it is strongly suspected that this has already begun to happen.

The CEReS call aimed to bring social and computer scientists together to better understand cyber security, which is a complex and multi-dimensional concept. The call recognised that while there is much high quality social science knowledge that can be applied to the field, there has been a relative lack of social science research specifically into cyber security and collateral issues. 

The fusion of human and technical features in the modern cyber ecosystem all contribute to cyber risks, but currently many individuals and businesses poorly understand their relative importance impeding the appropriate choice of countervailing actions and sound cyber security strategising.

The Cardiff-led project aims to address the lack of integration of social and technical factors by conceptualising cybercrime as a multi-factor event.  Drawing on criminological scholarship the team propose that cybercrime rates and patterns are influenced by four factors: i) victims, ii) perpetrators,iii) the regulatory system and iv) the public.

From a victim perspective, perceptions of risk and security and proactive and reactive behaviour to risk management, has an impact on how well prepared a company or individual is to deal with cyber attacks. From a perpetrator perspective, malicious software, employees and social engineers have been a large factor of cybercrime in recent years. The regulatory reaction to cybercrimes, including legislative response and drives for multi-agency crime reduction and greater cooperation also shapes exposure to cyber attack. Public (and business) response via informal control such as market regulation, trust networks etc. also play a role in cybercrime reduction.

Criminologist at the Cardiff School of Social Sciences, Dr Matthew Williams, co-investigator and project leader on social factors said: "By approaching the problem of security in this multi-disciplinary way we are able to develop a more accurateevaluation of cyber risks as they relate to UK businesses, the critical national infrastructure and the general public. This project will be the first to generate 'soft' metrics from interviews and surveys with businesses and criminal justices agencies and integrate these with 'hard' technical metrics. This more holistic approach will produce a step-change in our understanding of cyber security risks, which is necessary if the UK is to remain competitive in a global economy."

Computer Scientist Dr Peter Burnap, co-investigator and project leader on technical factors, said: "A key deliverable of the research is a computational tool that will assist in the prediction of business related cyber attacks. For the first time both technical and social measures will be combined in this predictive process helping targets to minimise the harms of cyber-victimisation by being informed of emerging risks and being proactive in mitigating them, as opposed to repairing damage once an attack has occurred."

Professor of Computer Science and Principal Investigator Professor Omer Rana said: "This tool will assist both policy makers and practitioners in the field of cyber security and crime. It will identify which businesses are most vulnerable to attack allowing policy, codes of practice and advice to be tailored and targeted. With recent attacks reported in South Korea on broadcasters and banks, it has become essential to find strategies to detect and respond to cyber threats. Within our connected societies, the impact of such crimes on critical infrastructures, such as Energy Grids, could be devastating. This project will enable us to bring together a multi-disciplinary perspective to this problem."

Project collaborators include BT, Kaspersky, the Association of Chief Police Officers, the Cabinet Office Identity Assurance Programme and Get Safe Online. The project outputs will be of use to non-academics including micro, small, medium and large businesses, organisations within the critical national infrastructure, and government groups such as the newly established Cyber Crime Reduction Partnership.

The consortium team includes Cardiff University (School of Computer Science and Informatics, School of Social Sciences, Cardiff Business School and School of Mathematics), and the universities of Durham, Plymouth, City and West London. 

Follow the project on Twitter: @CardiffSecurity