1st Edition

Evidence-Based Cybersecurity: Foundations, Research, and Practice

By Pierre-Luc Pomerleau, David Maimon

Copyright 2022

250 Pages, 4 B/W Illustrations

by CRC Press

    The prevalence of cyber-dependent crimes and illegal activities that can only be performed using a computer, computer networks, or other forms of information communication technology has significantly increased during the last two decades in the USA and worldwide. As a result, cybersecurity scholars and practitioners have developed various tools and policies to reduce individuals' and organizations' risk of experiencing cyber-dependent crimes. However, although cybersecurity research and tool production efforts have increased substantially, very little attention has been devoted to identifying potential comprehensive interventions that consider both human and technical aspects of the local ecology within which these crimes emerge and persist. Moreover, it appears that rigorous scientific assessments of these technologies and policies "in the wild" have been dismissed in the process of encouraging innovation and marketing. Consequently, governmental organizations and public and private companies allocate a considerable portion of their operations budgets to protecting their computer and internet infrastructures without understanding the effectiveness of various tools and policies in reducing the myriad risks they face. Unfortunately, this practice may complicate organizational workflows and increase costs for government entities, businesses, and consumers.

    The success of the evidence-based approach in improving performance in a wide range of professions (for example, medicine, policing, and education) leads us to believe that an evidence-based cybersecurity approach is critical for improving cybersecurity efforts. This book seeks to explain the foundation of the evidence-based cybersecurity approach, review its relevance in the context of existing security tools and policies, and provide concrete examples of how adopting this approach could improve cybersecurity operations and guide policymakers' decision-making process. The evidence-based cybersecurity approach explained here aims to support security professionals', policymakers', and individual computer users' decision-making regarding the deployment of security policies and tools by calling for rigorous scientific investigations of the effectiveness of these policies and mechanisms in achieving their goals to protect critical assets. This book illustrates how this approach provides an ideal framework for conceptualizing an interdisciplinary problem like cybersecurity because it stresses moving beyond decision-makers' political, financial, social, and personal experience backgrounds when adopting cybersecurity tools and policies. This approach is also a model in which policy decisions are made based on scientific research findings.

    Foreword xv

    About the authors xvii

    Acknowledgment xix

    1 The case for an evidence-based approach to cybersecurity 1

    The evidence-based approach 3

    Evidence-based medicine 4

    Evidence-based policing 5

    Evidence-based learning 6

    The case for evidence-based cybersecurity 7

    References 9

    2 Computers, computer networks, the Internet, and cybersecurity 11

    Introduction: computers and computer networks 11

    The open system interconnection (OSI) model and the communication process 13

    The importance of cybersecurity 14

    The cybersecurity ecosystem 16

    Cybersecurity doctrines, practices, and policies 18

    Current practices, tools, and policies to secure cyber infrastructures 23

    References 25

    3 Human behavior in cyberspace 29

    Introduction: cybercrime and cyberspace 29

    Four key actors within the cybercrime ecosystem 31

    The offenders 31

    The enablers 32

    The victims 33

    The guardians 33

    Human behaviors as a central element of cybercrime 34

    The human factor in the literature on cybercrime 36

    A look inside the organization 37

    Conclusion 39

    References 39

    4 Criminological, sociological, psychological, ethical, and biological models relevant to cybercrime and cybercriminals 43

    Introduction 43

    Criminological and sociological models relevant to cybercrime 43

    The routine activity approach and the problem analysis triangle 44

    Environmental criminology 45

    Situational crime prevention 47

    Anthropological criminology and ethnographic studies 48

    Biosocial criminology 50

    Psychology and cyberpsychology in the management of cybercrime 51

    Cyberpsychology 52

    Philosophical and ethical models 54

    Hard determinism and crime 54

    Compatibilism and crime 55

    References 57

    5 Science and cybersecurity 63

    Introduction 63

    The importance of quantitative, qualitative, and mixed research 64

    Quantitative, qualitative, or mixed methods? 65

    Science, theories, and facts 65

    Science in cybersecurity 68

    Case reports 70

    The problems with surveys, benchmarks, and validation testing in cybersecurity 71

    Surveys 71

    Benchmarks 72

    Validation testing 72

    Research designs in cybersecurity 73

    Fundamental observational and controlled research 73

    Case-control 74

    Simulations 75

    Longitudinal research 75

    The difference-in-differences research method 76

    Time-series design 78

    Field research 79

    Conclusion 79

    References 80

    6 Network security and intrusion detection systems 85

    Introduction 85

    Network security and intrusion detection systems in cybersecurity 86

    Intrusion detection system categories 87

    Endpoint detection systems (EDSs) 89

    Security information and event management (SIEM) systems 90

    Data loss prevention (DLP) 91

    Challenges in evaluating security tools 92

    Surveys and think tanks reports 93

    Intrusion-detection assessment metrics 94

    The way forward in protecting the network from intrusions 95

    Data science: data analytics, machine learning, and artificial intelligence 95

    From a rule-based approach to data analytics 96

    Machine learning and artificial intelligence 97

    The use of honeypots in intrusion detection and network security 98

    An evidence-based approach 101

    Conclusion 101

    Note 102

    References 102

    7 The Internet of Things (IoT), data security, and website security 109

    Introduction 109

    The IoT 110

    What risks are associated with the IoT? 111

    Online attacks against IoT 114

    IoT architecture and protocol stack 115

    IoT risk frameworks 116

    IoT security tools and defense techniques for data security 117

    Network intrusion detection systems (NIDSs) in an IoT environment 119

    Metrics to measure effectiveness 120

    Examples of IoT security empirical research designs 120

    Website security 121

    Web defacement 122

    An example of evidence-based research design 124

    Threat hunting: a proactive approach to mitigating risks to IoT, data security, and website security 125

    Conclusion 126

    References 127

    8 Data privacy, training, and awareness and cybersecurity frameworks 133

    Introduction 133

    Data privacy 133

    Digital risks 134

    Data breaches 135

    Cybersecurity governance 135

    Information security control frameworks 137

    ISO 27001 and 27002 137

    NIST 138

    Laws, regulations, and industry standards 139

    The General Data Protection Regulation (GDPR) 139

    PCI DSS – payment card industry 139

    HIPAA – health-related information 140

    New York Department of Financial Services (NYDFS) cybersecurity regulations 140

    Cybersecurity training and awareness 141

    Games and gamification 142

    Assessment tools 144

    The Federal Financial Institution Examination Council (FFIEC) cybersecurity assessment tool 144

    Research methods to evaluate cybersecurity awareness tools 145

    Additional practical tools 145

    Targeted audit and penetration testing 145

    Surveys and executive workshops 146

    Risk assessment 146

    Impact and probability levels to assess risks 147

    Relevant conceptual and research designs 148

    Other examples of related work 150

    Conclusion 151

    Notes 152

    References 152

    9 Risk and threat intelligence: The effectiveness of online threat intelligence in guiding financial institutions' incident response to online banking account takeovers 159

    Introduction 159

    Background 160

    Bank ATO and financial institutions response 160

    Situational crime prevention 161

    Denying benefits as a proactive incident response to ATO incidents 162

    Threat intelligence and responding to ATO incidents 166

    The current study 167

    Data and methods 168

    Results 169

    How prevalent is information on breached bank accounts on text message applications? 169

    How much of the information posted on the dark web or online encrypted applications is valid? 170

    How much of this intelligence is actionable and could be used to support financial institutions' incident response? 172

    How much money could an effective intelligence-based incident response to ATO save for the victim? 172

    Discussion 174

    Limitations 176

    Conclusion 176

    Notes 177

    References 177

    10 The future of evidence-based cybersecurity 181

    Introduction 181

    The advancement of technology and the intertwining of our digital and physical lives 182

    Future cybersecurity threats to consider 182

    Common specific threats to consider in the future 184

    Email security and social engineering 184

    Ransomware attacks 184

    Single-factor authentication 185

    Future sophisticated threats 187

    Quantum computing 187

    Blockchain threats 188

    Machine learning and artificial intelligence 189

    Deepfakes 191

    State-level hackers and nation-state attacks 191

    List of suggestions and recommendations 193

    Rethink investment in cybersecurity 193

    Law enforcement 194

    Academics 194

    Governments and private organizations 195

    Education 195

    Multidisciplinary cybersecurity teams 195

    Threat hunting tools and techniques 196

    Learning from mistakes 197

    Homomorphic encryption and privacy 198

    The Zero Trust approach 199

    Public and private partnerships 200

    An evidence-based cybersecurity approach to developing new and innovative detection and mitigation approaches 201

    Conclusion 203

    References 203

    Index 209

    Biography

    Dr. Pierre-Luc Pomerleau is a Partner at VIDOCQ. His role consists of assisting VIDOCQ's clients in growing their business and innovating while managing their risks and protecting their assets. He does so by bringing years of experience and deep expertise in cybercrime, investigation, fraud prevention, anti-money laundering, physical security, business administration, technology, and risk management. Before joining VIDOCQ, he was Vice President at National Bank of Canada, managing the Financial Crime and Corporate Security division, including data analytics and innovation.

    Dr. Pomerleau holds a Ph.D. in Business Administration with a specialization in Homeland Security from Northcentral University (USA), an MBA from the University of Sherbrooke (Canada), and a bachelor's degree in criminology from the University of Montreal (Canada). He holds various security and financial crime professional certifications such as the CPP, PSP, PCI, CFE, CAMS, CCCI & CFCI certifications. In addition to his role with VIDOCQ, Dr. Pomerleau is currently an adjunct in cybersecurity at Polytechnique Montreal. From 2020 to 2021, he was a postdoctoral researcher and a research associate in cybercrime at Georgia State University (USA). In 2020, he published his book Countering Cyber Threats to Financial Institutions: A Private and Public Partnership Approach to Critical Infrastructure. From 2015 to 2018, he was the President of the Association of Certified Fraud Examiners Montreal Chapter. In October 2016, he was awarded an honorary diploma by the University of Montreal School of Criminology for his exemplary contribution to the advancement of society.

    Dr. David Maimon is an Associate Professor in the Department of Criminal Justice and Criminology at Georgia State University (GSU) and the director of the Evidence-Based Cybersecurity research group (see ebcs.gsu.edu). He received his Ph.D. in Sociology from the Ohio State University in 2009. Prior to joining GSU, Dr. Maimon held academic positions in the Department of Criminology and Criminal Justice at the University of Maryland and the Department of Sociology at the University of Miami. In 2015 he was awarded the "Young Scholar Award" from the "White-Collar Crime Research Consortium of the National White-Collar Crime Center" for his cybercrime research. Throughout his career he has raised more than $3 million to conduct Evidence-Based Cybersecurity research. Since joining GSU, Dr. Maimon has established the Evidence-Based Cybersecurity Research Group, where he and his researchers seek to produce and review multi- and interdisciplinary empirical evidence about the effectiveness of cybersecurity tools and policies. The group and its unique approach to cybersecurity education and research have been acknowledged on popular media platforms (https://edtechmagazine.com/higher/article/2020/09/training-next-generation-cyber-professionals). Moreover, the group's close relationships with cybersecurity professionals in several industries and law enforcement agencies have led to the adoption of the Evidence-Based Cybersecurity approach by several organizations. Dr. Maimon teaches the course "Intro to Evidence-Based Cybersecurity" at the undergraduate level, and "Evidence-Based Cybersecurity" at the graduate level.

    "This is a tremendous resource for every security professional and organization whose goal is to improve their cybersecurity posture. The evidence-based cybersecurity approach ties the criticality of understanding human behavior with the technical aspects of cyber-crime. A true data-centric treasure trove of valuable knowledge."

    - Kausar Kenning, Executive Director, Cyber Security, Morgan Stanley

    "Despite its technical nature, the evidence base supporting cybersecurity as a field of practice remains flimsy, at best. Some have even compared cybersecurity to 'medieval witchcraft'. This timely and essential book provides a much-needed and comprehensive overview of the available evidence and of the knowledge gaps that persist, also charting the path ahead for a more scientific approach to the design, implementation, and evaluation of cybersecurity measures."

    - Dr. Benoît Dupont, Professor of Criminology, University of Montreal, Canada, and Canada Research Chair in Cybersecurity.

    "Dr. Pomerleau does a masterful job of deep diving into the realm of contemporary Cybersecurity. Beyond recounting the historical evolution of Cybersecurity, Pomerleau astutely weaves together a traditional IT risk management system approach with a multi-faceted humanistic approach (with ethical, sociological, psychological, and criminal elements) to present a comprehensive how-to guide for evidence-based Cybersecurity analysis."

    - Dr. David L. Lowery, Full Professor of Homeland Security & Public Administration, Northcentral University