How to gear up against cyber crime
E-CRIME (Economic impacts of Cybercrime) research revolved around two main objectives. First, the project team sought to better understand the spreading, development and impact of cybercrime in non-ICT sectors: They created a detailed inventory of cybercrimes, analysed cybercriminal structures and economies, and assessed existing counter-measures. ‘To come up with effective strategies, we first had to close existing knowledge gaps,’ Dr Timothy Mitchener-Nissen, coordinator of the project, recalls. ‘The most important ones were essentially related to predicting or modelling the overall economic cost of cybercrime, as well as the actual steps undertaken by those engaged in conducting financially-motivated cybercrimes - regardless of the specific form of attack they are employing.’ Dr Mitchener-Nissen and his team proceeded by using the crime script methodology often employed in criminology. By analysing information from the best-available data sources, they were able to plot out the steps required by cybercriminals when undertaking financial cybercrime, from the pre-attack stage of selecting targets and attack methods, right through to the point of monetarisation. ‘By adopting this approach, we could overlay the steps required to successfully complete multiple different types of cyber-attacks and identify the commonalities, thereby producing a master criminal-journey which effectively encompassed all attack types,’ Dr Nissen explains. This approach was complemented with insights from specialists, as well as a vast European survey of over 6 000 citizens and 1 250 victims of cybercrime. The data sets from the victim survey are available to researchers, and constitute a time-stamped sample of opinions and levels of economic cybercrime. The questionnaire, on the other hand, provides a standardised set of questions that can be used for re-sampling in longitudinal studies – to measure changes in opinions and cybercrime impact levels over time. Finding the right countermeasures With their crime scripts in hand, the team could go on with the second objective of E-CRIME, which consisted in defining appropriate measures for the non-ICT sector to effectively counter and prevent cyberattacks. The crime scripts indeed enable a defender to identify conceptual gates that attackers need to break into as they conduct multiple types of cybercrimes. The value is twofold, as Dr Mitchener-Nissen points out: ‘First, it enables a conceptual model that helps explain criminal attacks to audiences which may lack prior understanding of attack methods. Then, it can assist the defenders in identifying "pinch-points" where they should be focusing their efforts on preventing as many attacks as possible.’ All in all, the project has developed recommendations for regulatory measures, enhancements for crime-proofed applications, risk management tools, best practices, trust and confidence measures, and more: ‘Our countermeasures include the development of a law enforcement Awareness Training Programme specifically targeted at Law Enforcement Agencies (LEAs) and a manual on preventing and deterring economic cybercrime which has already been deployed across Europe. For industry, we have produced a cost/benefit calculation methodology and guidelines that enable a company to measure the costs and benefits of countermeasures to determine what makes the most sense to use,’ Dr Mitchener-Nissen says. With the project now completed, the E-CRIME consortium is hopeful that the law enforcement awareness training programme will continue to be refined and employed by police in multiple EU Members States. ‘This in itself would ensure that the work of the E-CRIME project will continue to have relevance and impact well past the end date of the project itself,’ Dr Mitchener-Nissen says.
Keywords
E-CRIME, cybercrime, cyber-attack, crime script, crime-proofed, risk management, countermeasures
