DOI: 10.1145/3387940.3391475
research-article

Simulation Games Platform for Unintentional Perpetrator Attack Vector Identification

Published: 25 September 2020

Abstract

Cyber-security protection of critical systems is one of the major challenges of today. Although attacks typically originate from attackers with malicious intent, a substantial portion of attack vectors is enabled by unintentional perpetrators, i.e., insiders who cause an incident through negligence, carelessness, or lack of training. Preventing these situations is challenging because insiders have better access to the organization's resources and hence are more likely to cause harm. Moreover, the insider-mediated actions of an attack vector often go unrecognized by security admins as well as by the insiders themselves.
In this paper, we focus on the identification of the attack vector of unintentional perpetrators. To this end, we propose to employ specialized games that simulate the working period, during which the player faces multiple dangers that might cause harm in their company. From the analysis of the player's actions, we discover the attack vector, which can then be addressed before an actual attack happens. To reflect a variety of insiders and company environments, we introduce a platform for designing variants of these games, together with its architecture, an example of a simple game that can be created using the platform, and the analysis method used.

Cited By

  • (2023) Addressing insider attacks via forensic-ready risk management. Journal of Information Security and Applications 73:C. DOI: 10.1016/j.jisa.2023.103433. Online publication date: 1-Mar-2023
  • (2022) Cybersecurity Analysis via Process Mining: A Systematic Literature Review. Advanced Data Mining and Applications (393-407). DOI: 10.1007/978-3-030-95405-5_28. Online publication date: 31-Jan-2022
  • (2020) Towards verifiable evidence generation in forensic-ready systems. 2020 IEEE International Conference on Big Data (Big Data) (2264-2269). DOI: 10.1109/BigData50022.2020.9378035. Online publication date: 10-Dec-2020

Published In

ICSEW'20: Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops
June 2020
831 pages
ISBN:9781450379632
DOI:10.1145/3387940
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. attack vector
  2. game
  3. insider attack
  4. process mining
  5. security
  6. unintentional perpetrator

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • EC European Commission

Conference

ICSE '20
ICSE '20: 42nd International Conference on Software Engineering
June 27 - July 19, 2020
Seoul, Republic of Korea
