A taxonomy and comparison of computer security incidents from the commercial and government sectors


computers & security 25 (2006) 522–538

available at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/cose

A taxonomy and comparison of computer security incidents from the commercial and government sectors

Maria Kjaerland
Faculty of Social Sciences, University of Stavanger, Norway

Article info

Article history: Received 4 January 2005; Revised 9 August 2006; Accepted 9 August 2006

Keywords: Commercial; Government; Sectors; Cyber incidents; Taxonomy; CERT/CC; Reporting; Facet theory; Multidimensional scaling

Abstract

Cyber incidents are growing in intensity and severity. Several industry groups are therefore taking steps to better coordinate and improve information security across sectors. Also, various different types of public–private partnerships are developing, where cyber incident information is shared across institutions. This cooperation may improve the understanding of various types of cyber incidents, their severity, and impact on various types of targets. Research has shown that different types of attackers may be distinguished in terms of sophistication, skill level, attacking style, and objective of attack. It may further be proposed that different sectors experience different types of attacks. Attack characteristics and information about the modus operandi of criminal offenders have been used to learn more about the attacker and the motive of an attack. This information may also be used to distinguish between cyber attacks towards different types of targets. The current study focuses on reported cyber intrusions by the commercial and government sectors. The reported data come from the CERT Coordination Center (CERT/CC), which has categorized the aspects of cyber intrusions in the current study. The aspects analyzed are: ‘Method of Operation (MO)’ which refers to the methods used by the perpetrator to carry out an attack; ‘Impact’ which refers to the effect of the attack; ‘Source’ which refers to the source of the attack; and ‘Target’ which refers to the victim of the attack. The current study uses 839 cases of cyber attacks towards the commercial sector and 558 cases towards the government sector. The 23 variables from the four different cyber intrusion aspects (MO, impact, source sector and target sector) were analyzed using multidimensional scaling (MDS), which is a technique that has often been used when profiling traditional types of crimes. The analysis gave a Guttman–Lingoes’ coefficient of alienation of 0.19 with 42 iterations in a 3-dimensional solution. It was shown that the commercial and government sectors experience different types of attacks, with different types of impact, stemming from different sources. The findings and implications are discussed in relation to the benefits of standardization, reporting, and sharing of cyber incident information.

© 2006 Elsevier Ltd. All rights reserved.

1. Introduction

Cyber attacks are increasing both in number and severity (Hansman and Hunt, 2005). Clarke and Zeichner (2004) state that there were 21,000 reported virus incidents in 2000 and three years later the number was more than six times higher.

In 2002, the worldwide cost of worms and viruses was estimated at $45 billion, whereas in August 2003 alone one saw costs of almost the same magnitude. They estimate that the annual cost will rise 300% per year. Whereas businesses in the US spent 2–3% of their IT budgets on security in 1999, they spent about 8–12% in 2004 (Clarke and Zeichner, 2004).

E-mail address: [email protected]

0167-4048/$ – see front matter © 2006 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2006.08.004

The US administration’s draft National Strategy to Secure Cyberspace states that cyber incidents are increasing in number, sophistication, severity, and cost. Cyber attacks on US information networks occur regularly and can have serious consequences, such as disrupting critical operations, causing loss of revenue and intellectual property, and even causing loss of life (United States General Accounting Office, 2003). The dependency on information systems and the increasing interdependencies between systems are directly related to the severity of the threat. Cyber security was catapulted onto the security political agendas in the mid-1990s, when the issue was persuasively linked to both terrorism and critical infrastructure protection (Dunn, 2005). The worst possible consequences of risks created by information and communication technologies (ICT) manifest themselves in the possible failure of so-called critical infrastructures, which are systems and assets whose incapacity or destruction would have a debilitating impact on the national security and the economic and social well-being of a state.

Several industry groups are taking steps to better coordinate efforts and to improve information security within and across industries. In the private sector, the banking and finance, telecommunications, information technology, transportation, and water infrastructure sectors, and the electricity and oil and natural gas segments of the energy sector, have established sector coordinators (Dunn, 2005). Various different types of public–private partnerships are developing, such as government-led partnerships, business-led partnerships, and joint public–private initiatives.

The commercial sector is generally reluctant to report cyber incidents. Gordon et al. (2004) found that 51% of the respondents rate negative publicity as the main deterrent for not reporting incidents. Also, many companies do not have systems to report, or do not see any value in reporting. The commercial sector is predominantly concerned with maintaining business continuity, and is worried that law enforcement will further disrupt operations when security breaches occur (Casey, 2004). The CERT/CC Director, Richard D. Pethia, states that as much as 80% of actual security incidents go unreported (Dacey and Hite, 2003). In most cases this is because the organization (1) was unable to recognize that its systems had been penetrated because there were no indications of penetration or attack, or (2) was reluctant to report incidents. The lack of reporting and formal standards in the area of cyber security makes it difficult for investigators to conduct digital investigations (Casey, 2004). Also, the development of threat assessments for companies, sectors, and nations is problematic without valid and reliable data.

As noted by Schultz (2005), information security is primarily a people problem. Technology is designed and managed by people, leaving opportunities for human error. Further, in order to understand intentional attacks towards technological systems, we have to take into account both the person or group attacking the system, as well as the organization or person being attacked. This suggests that research from the discipline of investigative psychology and offender profiling may be fruitful in the area of information systems security research.

The current study introduces some of the research that has been done on computer crime together with the techniques used for profiling crime. It develops a taxonomy of cyber intrusions that may be useful when gaining insight into cyber incidents. The study focuses on including information about the victim in the taxonomy of cyber incidents. It suggests how theories and methodologies from the area of criminal psychology, in particular facet theory and multidimensional scaling, may be helpful in showing how various targets experience different types of attacks, effects of attacks, as well as different sources of attacks. The research gives an example of how standardization in the collection of cyber incident information may prove useful for the victims of attacks. It also shows that an improved understanding of the threat of cyber incidents towards different targets may be helpful for improving the organizational focus in terms of cyber incidents.

2. Research to improve the understanding of cyber incidents

2.1. Computer crime research

The lack of reporting has made research into cyber crime and cyber incidents difficult. The research on cyber crime from the disciplines of psychology, criminology and sociology has traditionally relied on interviews with hackers, and questionnaires to organizations experiencing attacks. Research has revealed different types of attackers. An example is Landreth (1985), who proposed a classification system based on the activities the hacker was involved in. He developed the categories novice, student, tourist, crasher, and thief. Another criminologist, Hollinger (1988), studied computer criminal activity within a university population. The study concluded that hackers followed a Guttman-like progression from less skilled activities to more technically elite crimes. Hollinger indicates that the individuals fit into three categories: pirates, browsers, and crackers. Chantler (1996) indicated that the attributes that could be used to study attacking activity are the hackers’ activities, their prowess at hacking, their knowledge, motivation, and how long they had been hacking. These attributes were used to come up with the categories elite group, neophytes, losers and lamers. Power (1998) subdivided hackers into sport intruders, competitive intelligence, and foreign intelligence. Parker (1998) differentiated cyber-criminals between pranksters, hacksters, malicious hackers, personal problem solvers, career criminals, extreme advocates, and malcontents, addicts, and irrational and incompetent people.

Lemon (2000) argued that there are unstructured and structured attacks. Unstructured attacks include hackers who are acting alone or in small groups for individual goals, such as financial gains, thrills, and malicious intent. The unstructured attacks may be divided into novice and expert, and malicious and non-malicious. The structured attacks have clear objectives and financial backing, and are often organized and well planned. As opposed to the unstructured attacks, which are conducted by script kiddies, the structured attacks may often be carried out by political and governmental groups. Rogers (2000) indicates that one must be extremely careful not to generalize from these findings, and that more research into attackers is needed.

2.2. Profiling intentional cyber incidents

It is possible to use profiling techniques to understand intentional cyber incidents, how they are done, by whom, and why (Kjaerland, 2005). Kjaerland (2005) shows how aspects of cyber incidents (source sector, method of operation, and impact) may be used to draw inferences about the objective of the attack through profiling the incidents. By using attack characteristics and information about the modus operandi, one may learn more about the attacker and the motive of an attack. This type of criminal profiling has been done in many areas, such as arson (e.g. Canter and Fritzon, 1998); burglary (e.g. Bennell and Canter, 2002); sexual offences (e.g. Canter and Heritage, 1990); and terrorism (e.g. Fritzon et al., 2000).

In investigative psychological (IP) research, the profiling of crimes through the analysis of relationships between behavioural variables has often been assisted by facet theory and multidimensional scaling (MDS) (e.g. Canter and Heritage, 1990). Facet theory was developed by Guttman (1968), and is philosophically based on hierarchical Guttman scaling. These non-metric techniques have often been used in the area of criminal profiling, as crime data are normally not collected for research purposes and therefore often have their limitations. Analyzing crime data through multidimensional scaling (MDS) techniques, such as smallest space analysis (SSA) and multiple scaling analysis (MSA), has allowed for the use of binary data where the crime variable is either present or absent. Further, facet theory with its associated analysis techniques has proved useful when developing questionnaires for the collection of data. These types of analyses of qualitative crime data show the quantitative relationships between each variable and every other variable through the coefficient of alienation or other measures of correlation. Further, the variable relationships are shown through a graphical portrayal of the clusters of criminal behaviours and/or characteristics that appear close to each other in geographical space. These types of analyses have been useful in distinguishing between different types of offenders and have helped to categorize various types of crimes based on their modus operandi or action variables as well as characteristics of the offenders. As criminal offences are often related to the type of victim or target, the characteristics of victims may also be included when profiling various types of crimes.

2.3. Including the victim of attack

A taxonomy of cyber incidents has been developed by Howard (1997) based on CERT/CC data. This taxonomy focuses on the process or operational viewpoint of means, ways and ends, where the attacker is attempting to reach his/her objectives through an operational sequence of tools, access, and results. Howard’s (1997) taxonomy does not focus on the target or victim of the incident, which is an important category to include when attempting to gain insight into the attacker as well as the target security. Howard (1997) links ‘Attackers’ to the category ‘Objectives’ as developed by Icove et al. (1995). He suggests that ‘Hackers’ break into computers primarily for the challenge and status of obtaining access; ‘Spies’ break into computers primarily for information which can be used for political gain; ‘Terrorists’ break into computers primarily to cause fear which will aid in achieving political gain; ‘Corporate raiders’ are employees of one company that break into computers of competitors for financial gain; ‘Professional criminals’ break into computers for personal financial gain (not as a corporate raider), and ‘Vandals’ break into computers primarily to cause damage. Nor does Kjaerland (2005) include the ‘Target Sectors’.

As in other criminal profiling research, one may use information about the attackers’ modus operandi and behavioural traits, and also information about the victim. Turvey (1999) states in his behavioural evidence analysis (BEA) of computer forensic data that it is important to take into account information about the victim of the incident. We can divide criminal profiling into inductive and deductive models, where inductive profiling relies on statistical analysis (generalizing from the general to the specific), and deductive profiling argues from the specific to the general (e.g. from case studies) (Rogers, 2003). Until recently, there has been little inductive profiling of cyber incidents in general due to the lack of empirical data. The data from CERT/CC may, however, assist both in conducting inductive profiling of cyber incidents and in expanding on the taxonomy developed by Howard (1997) through including information about the ‘Target Sectors’. No profiling based on statistical information of cyber incidents has included the ‘Target Sectors’.

2.4. A new taxonomy

This article develops a new taxonomy based on cyber incident aspects categorized by CERT/CC personnel. Here, the aspects ‘Source Sectors’, ‘MO’, ‘Impact’, and ‘Target Sectors’ may be compared to the categories ‘Attackers’, ‘Tools’, ‘Access’, and ‘Results’. ‘Source Sectors’ is defined by CERT/CC analysts as ‘source of the incident’ and tells us something about the attacker; ‘Method of Operation (MO)’ is defined as ‘method(s) used by perpetrator to carry out attack’ and tells us something about the tool used and also about the access point; ‘Impact’ of attack is defined as ‘the effect of the attack’ and thereby tells us something about the result; and ‘Target Sectors’ is defined as the ‘victim of the incident’. Another way of viewing cyber incidents is thus to see how the ‘Source Sectors’ (Attacker), in relation to the ‘Method of Operation (MO)’ (Tools and Access), result in a certain ‘Impact’ (Result) towards particular ‘Target Sectors’.

The ‘Objective’ or ‘motive’ of the attack may be opportunistic or targeted towards a particular ‘Target Sector’. It may be based on Challenge/Status, Political Gain, Financial Gain, and Damage as mentioned by Howard (1997). The ‘Target Sector’ may not know much about the ‘Objective’ of the attack, and is often concerned about the security of information, disregarding the motive of the attacker. Many attacks are of a random nature, performed by script kiddies who copy code. As such, it is important to focus on the ‘Target Sectors’’ security, and whether the target is actually creating an opportunity to be attacked. By comparing aspects of cyber incidents in a multidimensional manner, it is possible to say something about the ‘Target Sector’ security in relation to the other aspects of cyber incidents. By comparing sectors one may learn how these differ in terms of cyber security, as well as learn more about their interest among attackers. Table 1 shows the new taxonomy used in the current study. Table 2 gives a more thorough description of the variables.


Table 1 – A new taxonomy

Source sectors: Com; Gov; Edu; Intl; User; Unknown
Method of operation (MO): Misuse of Resources; User Compromise; Root Compromise; Social Engineering; Virus; Web Compromise; Trojan; Worm; Recon; Denial of Service
Impact: Disrupt; Distort; Destruct; Disclosure; Unknown
Target sectors: Com; Gov

3. A study to differentiate cyber incidents

As organizations have been reluctant to report attacks, no research has, to the author’s knowledge, related attackers to the actual attacks as well as to the ‘Target Sectors’ of attacks. Data are, however, starting to emerge, which allows for the quantitative analysis of cyber incident data. One organization that compiles such information is CERT/CC in Pittsburgh, which was created in 1988. CERT/CC has for some time been the largest collector of cyber incidents, and a total of 319,992 incidents were reported to CERT/CC during 1988–2003 (CERT/CC, 2004).1 Based on the incidents reported to CERT/CC, researchers have categorized the incidents into 19 aspects: CERT ID, close date, report date, duration of handling, tools, sophistication, MO, OS, ports, network services, impact of attack, target sectors, source sectors, other sectors, perpetrator UID, mentoring, cross-reference, other info, and international involvement.

In order to understand the attackers in relation to the targets and how various targets experience different types of attacks, the current study uses data from CERT/CC about the attacker, the method of operation, and the impact of attack, and focuses on the targets from the commercial and the government sectors. Studying these different sectors clarifies differences such as how various types of attackers use different methods of operation, which result in various types of impacts of attacks. These differences are seen in relation to whether a commercial organization or government institution is attacked. The research question is: what are the relationships between the cyber incident aspects from the commercial and government sectors, and what are the differences between the incidents reported from these sectors? The research question is motivated by an apparently widespread belief that different sectors experience similar kinds of attacks (U.S. General Accounting Office, 2003), combined with widespread uncertainty about whether there are differences, and what the differences may consist of.

1 Given the widespread use of automated attack tools, merely counting incidents provides limited information about assessing the scope and impact of attacks, so from 2004 CERT/CC are working with others in the community to develop and report on more meaningful metrics (www.cert.org).

3.1. Design of the study

An exploratory design was chosen for the study of cyber attacks towards the commercial and government sectors in the US. Facet theory with its associated multidimensional scaling (MDS) technique, smallest space analysis (SSA), was used in the current analysis. For examples of earlier use of facet theory see Borg (1994), Borg and Shye (1995), Brown (1985), Canter (1985), Canter (1989), Canter and Alison (2000), Elizur and Sagie (1999), Foa (1965), Levy (1994), Shye (1978), and Shye et al. (1994). Cyber incidents are of a multivariate nature, and it is therefore central that the attack and target characteristics are studied in a multidimensional manner to account for a multitude of features simultaneously. The methodology does not make any assumptions about the data set and the structures that will become apparent, which is appropriate for an exploratory study (Canter, 1995). The constituents discussed are therefore hypothesized to be naturally present.

The first facet included in the study is ‘Impact’. This facet includes the five variables ‘Disrupt’, ‘Distort’, ‘Destruct’, ‘Disclosure’, and ‘Unknown’ (see the description of the variables in Table 2). There was no ‘Enigma’ (defined as ‘Activity of uncertain nature at victim, even in presence of information’) towards any of the targets in the data set, and this variable is therefore not included in the analysis. Appendix 1 gives a description of all variables in the CERT/CC data set, which is an unedited classification by Dr. Tim Shimeall at CERT/CC.

The attacks were also analyzed with regard to the facet ‘Method of Operation (MO)’. This facet includes the 10 variables ‘Misuse of Resources’, ‘User Compromise’, ‘Root Compromise’, ‘Social Engineering’, ‘Virus’, ‘Web Compromise’, ‘Trojan’, ‘Worm’, ‘Recon’, and ‘Denial of Service’. The Methods of Operation (MOs) ‘False Alarm’, ‘Data Manipulation’, and ‘Hoax’ were not present in the attacks towards the commercial and government sectors, and were therefore not included in the analysis. ‘False Alarm’ is defined as ‘Reported event that further analysis reveals to be a non-event where no malicious activity occurred’, ‘Data Manipulation’ is defined as ‘Unauthorized data modification or destruction’, and ‘Hoax’ is defined as ‘A ruse. Information falsely leads reporter to believe that attack will occur/has occurred.’

In the facet ‘Source Sectors’ all sectors refer to US sites, except ‘Intl’ which is short for ‘International Source’. This facet includes the six variables ‘Com’, ‘Gov’, ‘Edu’, ‘Intl’, ‘User’,

Table 2 – Facet and variable description

Impact: the effect of the attack
  Disrupt – Access change, removal of access to victim or to information. Manipulate permissions, e.g. Denial of Service attack or Trojan horse. ‘Disrupt’ would be the least invasive nature of attack.
  Distort – File change, modification of information from victim. This is a change to data within files.
  Destruct – File deletion, removal of information from victim. Destruct would be seen as the most invasive and malicious and may include Distort or Disrupt.
  Disclosure – Unauthorized exposure of information, other than in support of one of the above. Disclose would imply disclosure of information that may lead to further compromises. Ex. Download of password file.
  Unknown – Insufficient information to classify.

Method of operation (MO): method(s) used by perpetrator to carry out attack
  Misuse of Resources – Unauthorized use of IT resources. Ex. Storing unauthorized files on a server, using site as springboard for further unauthorized activity.
  User Compromise – Perpetrator gains unauthorized use of user privileges on a host.
  Root Compromise – Perpetrator gains unauthorized administrator privileges on a host.
  Social Engineering – Gaining unauthorized access to privileged information through human interaction and targeting people’s minds rather than their computers.
  Virus – A virus is a piece of code that, when run, will attach itself to other programs, which will again run when those programs are run.
  Web Compromise – Using vulnerabilities in a website to further an attack.
  Trojan – A program that adds subversive functionality to an existing program.
  Worm – A program that propagates itself by attacking other machines and copying itself to them.
  Recon – Scanning/probing site to see what services are available. Determining what vulnerabilities exist that may be exploited.
  Denial of Service – An exploit whose purpose is to deny somebody the use of the service: namely to crash or hang a program or the entire system.

Source sectors (all sectors refer to US sites, except Intl.): source of the incident (if explicitly identified)
  Com – Commercial (including consumer products, industry, small business)
  Gov – Local or national government (including buildings/housing, emergency services, public benefits, social services, state and federal government, taxes, tribal governments, worker protections, environment, military)
  Edu – Postsecondary school
  Intl – Non-US
  User – Individual users
  Unknown – Unknown source (added)

Target sectors (all sectors refer to US sites, except Intl.): victim of the incident
  Com – Commercial (including consumer products, industry, small business)
  Gov – Local or national government (including buildings/housing, emergency services, public benefits, social services, state and federal government, taxes, tribal governments, worker protections, environment, military)

and ‘Unknown’. The variable ‘Unknown’ within the ‘Source Sector’ is added to CERT/CC’s categorization, because 890 of the 1397 incidents within the commercial and government sectors were blank on the source sector. The variables ‘Misc’ (‘a variety of the above categories’) and ‘Org’ (‘non-profit organization’) are not included in the current analysis, because they are present in only 0.5% and 0.2% of the cases. ‘Net’ is also not included in the current analysis because it is not defined in the data dictionary by CERT/CC. ‘Other Sectors’, which in the ‘Spreadsheet Data Dictionary’ is defined as ‘Sectors used as intermediary site in the incident’, was not included in the analysis due to the focus of the current research, which was on analyzing the attacks in relation to the ‘Target Sectors’ ‘Com’ and ‘Gov’. The facet ‘Tools’, defined as ‘Names of specific tools that were apparently used to penetrate the attack’, was also not included in the analysis. Neither was ‘Sophistication’, which is defined as ‘Level of technological and organizational sophistication as evidenced in intrusion records’. As defined in the ‘Naval Postgraduate School Center for the Study of Terrorism and Irregular Warfare’s Cyberterror White Paper’: ‘Simple unstructured’ is ‘The capacity to conduct basic hacks against individual systems using tools by someone else. The organization processes little target analysis, command and control, or learning capability.’ ‘Advanced-Structured’ is ‘The capability to conduct more sophisticated attacks against multiple systems or networks and possibly, to modify or create simple hacking tools. The organization possesses an elementary target analysis, command and control, and learning capability.’ ‘Complex-Coordinated’ is ‘The capability for coordinated attacks against complex, heterogeneous defences (including cryptography). Ability to create sophisticated hacking tools. Highly capable target analysis, command and control, and organizational learning capability.’

The variables within ‘Impact’, ‘MO’, and ‘Source Sector’, towards the ‘Target Sectors’ ‘Com’ and ‘Gov’, give a total of, respectively, five, 10, six, and two variables within each facet. All in all, the total number of variables is 23.

3.2. A description of the empirical data

During 2001 and 2002, a team of researchers at the Software Engineering Institute of Carnegie Mellon University profiled all incident reports received by the CERT Coordination Center (CERT/CC) from June 2000 through February 2001 and from September 2001 through February 2002. These reports are voluntarily contributed descriptions of security violations, supplied by a wide variety of organizations worldwide (literally, any interested person or organization can report incidents to CERT/CC). Following the report, security professionals at CERT/CC categorise and validate the reported information and then coordinate responses to the reported activity as appropriate (for example, communicate the process of exploit to the vendors of the software involved, provide virus reports to anti-virus vendors, etc.; http://www.cert.org/tech_tips/incident_reporting.html). After excluding all reports that were hoaxes, false alarms, port scans with no follow-on activity, or information requests, and those reports that were too incomplete to categorise, 2755 reports remained (Shimeall et al., 2002, see particularly figures 3–5 and their surrounding discussion). Nineteen characteristics of each incident were then profiled, resulting in a confidential description. The profiling process involved generation of the profile from incident documentation using a combination of automatic and manual techniques, verification of the profile by review against the source documentation, and consistency checking to assure common criteria were used in the descriptions across incidents. Approximately 500 labour hours (split among 8 individuals) were consumed in this process.

The confidential description was then turned into releasable (cleansed) data by selecting characteristics that could not identify the reporting organization: the internal incident identification, the type of reporting organization, the impact experienced by the reporting organization, the type of apparent source of the intrusion if known, the types of any other organizations involved with the incident, what method of intrusion was used, what degree of sophistication was employed and which malicious software appeared to be used in the incident (Dunlevy et al., 2002). From the 2755 incidents compiled by CERT/CC during 2001 and 2002, a filter to isolate the incidents was agreed upon, and the number of aspects was reduced to eight aspects.2 Finally, for the purpose of the current study, the three aspects ‘MO’, ‘Impact’, and ‘Source Sector’ were selected, given that the fourth aspect ‘Target Sectors’ is either ‘Com’ or ‘Gov’ (that is, incidents where the fourth aspect is neither ‘Com’ nor ‘Gov’ are ignored). More specifically, the 1397 attacks were selected from a larger sample of 2755 attacks by identifying those attacks where the three facets ‘MO’, ‘Impact’, and ‘Source Sector’ are directed toward the fourth facet ‘Target Sector’ which is either the commercial sector (‘Com’) or the government sector (‘Gov’). This simplification procedure implies that 839 of the incidents are towards the commercial sector (‘Com’), and 558 incidents are towards the government sector (‘Gov’), for a total of 1397 incidents. These 1397 incidents and the associated four aspects, referred to as facets, constitute the empirical material used in this article. The 23 variables within these four facets are all variations of the four aspects as recorded by CERT/CC. This completes the exhaustive and exclusive description of the empirical data used in this article. The approach is multivariate because it is based upon the principle that every entity under study, and thus every associated observation, will be classifiable on every facet identified.

2 These eight aspects are CERT ID, tools, sophistication, MO, impact of attack, target sectors, source sectors, and other sectors.

3.3. Facet theory and smallest space analysis (SSA)

Each incident is recorded in terms of its presence or absence on each and every variable. These binary data are then analyzed through multidimensional scaling (MDS) (Lingoes, 1969), or more specifically smallest space analysis (SSA). Alternatives to MDS and SSA are certainly possible, such as principal component analysis, cluster analysis, and factor analysis. SSA is chosen since the study is exploratory and attempts to classify aspects of incidents that are characteristic of the ‘Target Sectors’ ‘Com’ and ‘Gov’. The technique has been popular in psychology, intelligence testing, and criminal analysis; see Godwin (2000) for an application to criminal analysis. Facets refer to categories in a conceptual spatial diagram partitioned on the basis of prior theory. Some researchers use exploratory factor analysis to assign survey items to facets, which correspond to factors, and then use SSA as a confirmatory procedure. Alternative methods are in the author’s view fruitful and complementary, and can be used synergistically to enhance our understanding of cyber incidents. Facet theory has philosophical roots in hierarchical Guttman scaling. Guttman (1968) contributed substantially to quantitative and qualitative social science research, especially through his scale analysis. Facet theory, as applied in this article, defines three related areas of research (Canter, 1993): the definitional system (a formal definition of the concepts and variables), the observational structure (a hypothesis of the relationship between the concepts and the empirical observations), and a rationale for the correspondence between the definitional system and the observational structure. Facet theory requires the study to be centred on a clearly defined research domain, with an anticipated response from the analysis and a reason for that expectation. The definitional system may then be reworked, and its facets and elements modified, on the basis of the observations. Valid and reliable trends or relationships may then be found to explain the domain under examination. The definitional system is divided into coherent facets. A facet is ‘‘a conceptual categorization underlying a group of observations’’ (Brown, 1985), and the domain of research should be exhausted by the facets. Each facet in turn contains a number of elements, which are mutually exclusive and together exhaustively describe the facet. Thus, the facets and their elements fully define and account for the entire research domain and the range of relationships expected.

Multidimensional scaling (MDS) is often used in association with facet theory. MDS represents data by locating each variable as a point in a dimensional space. From a more technical point of view, MDS finds a set of vectors in p-dimensional space such that the matrix of Euclidean distances among them corresponds as closely as possible to some function of the input matrix, according to a criterion function called stress. The algorithms assign points to arbitrary coordinates in p-dimensional space; compute Euclidean distances among all pairs of points to form the distance matrix; compare that matrix with the input by evaluating the stress function, where the smaller the value, the greater the correspondence between the two; adjust the coordinates of each point in the direction that most reduces stress; and repeat the second to fourth steps until stress cannot get lower. See Wagenaar and Padmos (1971) for a discussion of the quantitative interpretation of stress; they show how stress is influenced by measurement error and by the chosen dimensionality of the analysis. Spence (1972) looks into the computational properties of non-metric multidimensional scaling algorithms and shows the variation between different programs (Kruskal’s M-D-SCAL, Guttman–Lingoes’ SSA-I, and Young–Torgerson’s TORSCA-9). This shows that different programs are used, and that the data may be seen either as vectors or as points. In this article the data are represented as points, as from a non-technical point of view the purpose of MDS is to provide a visual representation of the pattern of proximities (i.e. similarities or distances) among a set of objects (Borgatti, 1998). The MDS techniques that represent data as points allow non-metric analysis where data are categorical, with no quantitative value (SSA and MSA). The scaling represents the data after every variable has been correlated with every other variable, and the distances between the points thus represent the strength of the relative correlations between all the variables. Each variable is plotted in space in relation to every other variable. The Principle of Continuity (Foa, 1965; Canter, 1985) states that the physical proximity of the variables (points) in space represents their conceptual similarity.

Attempts at understanding the differences between incidents seem more fruitful if a multitude of variables are analyzed jointly rather than divided into independent and dependent variables, or one dependent variable and many independent variables as in factor analysis. One of the aims of empirical research is to understand the relationships between variables. Facet theory, and its associated MDS techniques, makes this possible by allowing all variables in a given content universe to be examined together in the production of an observational structure. The SSA, as well as being used to confirm the facets and elements of a content universe, can also be used in an exploratory manner when a subject is not well featured in the literature and is in the early stages of research. The method of analysis used in the current study is drawn from the software package LIFA,³ which is a version of the original Guttman–Lingoes SSA. Many studies have been performed using LIFA over the last decades; examples of studies using LIFA or Guttman–Lingoes SSA are Canter (1983), Canter et al. (2003), Salfati (2000), Salfati (2003), Santilla et al. (2005), and Youngs (2004). LIFA is used here because the program has been used in criminal profiling by the Centre for Investigative Psychology at the University of Liverpool and was specifically developed for binary crime data (http://www.i-psy.com/publications/publications_lifa2000.php), but other programs may be used as well. An alternative that could have been used is MINISSA, a development of SSA by Guttman, Lingoes, and Roskam (Roskam and Lingoes, 1970). Two other alternatives are TORSCA and MDSCAL, which Spence (1972) and Wagenaar and Padmos (1971) have compared against SSA to show how the three programs may lead to local-minimum solutions. Yet other alternative software packages that could be used are INDSCAL, ALSCAL, SINDSCAL, PROXSCAL, KYST, FSSA, SYSTAT, STATISTICA, and SOLO.⁴ The statistical program SPSS is used for the descriptive statistics.

³ Liverpool interactive facet analysis, http://www.i-psy.com/publications/publications_lifa2000.php.

4. Results

The data input for the analysis is an Excel file with 2755 incidents, of which 1397 are used, and eight facets, of which four are used. Table 2 in the ‘Design’ section shows how the four facets consist of five, 10, six, and two variables, for a total of 23 variables. The Excel file is a binary data file in which every incident is either present or absent on each variable; every incident is present on one variable within each facet (the categories dropped from the analysis, noted in Section 4.1, account for the shortfall from 100% in Table 3), so the variables within each facet exclusively and exhaustively account for the aspects of reported cyber incidents. LIFA reads the binary file together with a label file that gives the name of each variable. Jaccard’s coefficient is selected as the association measure, the data are declared dichotomous, the associations are treated as similarities, the Euclidean metric is used, and the coefficient of alienation is used as the measure of fit. Both a 2-dimensional and a 3-dimensional solution are run. The coefficient of alienation indicates the extent to which the correlations between the variables are represented by the corresponding spatial distances; the smaller the coefficient, the better the representation (or ‘fit’). The 3-dimensional solution gave a Guttman–Lingoes coefficient of alienation of 0.19 after 42 iterations, indicating a reasonable fit for this type of data. The interpretation of this configuration is, however, very close to the regional structure of the 2-dimensional solution, which has a coefficient of alienation of 0.28 after 11 iterations. For simplicity and expositional convenience the 2-dimensional structure is therefore presented. The 2-dimensional configuration is shown below (see Fig. 1 for the SSA plot and Table 3 for the descriptions of the variables). For clarity it should be mentioned that each point is a variable describing an aspect of cyber intrusions. The numbers refer to the variables as listed in Table 3, although a brief title for each variable has also been placed on the plot to ease interpretation.
The squares on the plot indicate the ‘Target Sectors’ ‘Com’ or ‘Gov’. The circles indicate ‘Impact’, the diamonds indicate ‘Source Sectors’, and the triangles indicate ‘Method of Operation’. The points ‘Suser’ (Individual User) and ‘WebComp’ (Web Compromise) are placed close together on the plot, indicating that they often co-occur in cyber incident offences. The points ‘Sedu’ (Educational Source) and ‘Trojan’ are, on the contrary, placed far from each other, indicating that they do not often co-occur in the cyber incidents analyzed.

⁴ I thank an anonymous referee of this journal for pointing out alternative software packages that can be used.

[Fig. 1 – SSA of information security incidents towards the commercial and government sectors. Two-dimensional SSA plot, both axes running from −100 to 100, with the 23 variables plotted as labelled points: DoS, Trojan, WebComp, scom, sedu, Disrupt, Com, Root, Distort, sunknown, Virus, Gov, Reconn, Disclosure, sintel, UnImpact, Destruct, UserComp, suser, Misuse, SocEng, Worm, sgov.]
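As an added worked example (not the paper’s own code, and not the LIFA program), the following Python reproduces the mechanics described in Sections 3.3 and 4 on a small, constructed set of incident records: each incident is the set of variables it is present on, Jaccard’s coefficient is computed between every pair of variables, and the resulting dissimilarities are embedded in two dimensions by the iterative stress-minimising loop the text outlines (arbitrary start, Euclidean distances, comparison with the input, a move of each point against the stress gradient, repeat until stress stops falling). The incident records are invented for illustration and are not CERT/CC data; the fit index is Kruskal’s stress-1 rather than the Guttman–Lingoes coefficient of alienation that LIFA reports, which is a related but different measure.

```python
"""Jaccard similarity over binary incident records, embedded in 2-D by a
stress-minimising MDS loop. Added example; constructed data, not CERT/CC's."""
import math
import random

# Constructed sample: each incident is the set of variables it is present on,
# one per facet as in the paper's binary file. Names follow Table 3; the
# co-occurrences are invented to show the mechanics only.
INCIDENTS = [
    {"Com", "DoS", "Disrupt", "Sunknown"},
    {"Com", "DoS", "Disrupt", "Scom"},
    {"Com", "Virus", "Disrupt", "Sunknown"},
    {"Com", "Virus", "Distort", "Scom"},
    {"Com", "Root", "Disrupt", "Sunknown"},
    {"Gov", "WebComp", "Distort", "Suser"},
    {"Gov", "WebComp", "Distort", "Sintel"},
    {"Gov", "UserComp", "Distort", "Suser"},
    {"Gov", "Reconn", "Disclosure", "Sintel"},
    {"Gov", "Root", "Distort", "Sunknown"},
]
VARIABLES = sorted(set().union(*INCIDENTS))


def jaccard(incidents, a, b):
    """Jaccard coefficient of two binary variables: incidents on which both are
    present, divided by incidents on which at least one is present."""
    both = sum(1 for inc in incidents if a in inc and b in inc)
    either = sum(1 for inc in incidents if a in inc or b in inc)
    return both / either if either else 0.0


def dissimilarity_matrix(incidents, variables):
    """1 - Jaccard for every pair: 0 on the diagonal, 1 if they never co-occur."""
    return [[1.0 - jaccard(incidents, a, b) for b in variables] for a in variables]


def euclid(p, q):
    return math.sqrt(sum((pi - qi) ** 2 for pi, qi in zip(p, q)))


def stress1(coords, delta):
    """Kruskal stress-1 over i<j: sqrt(sum (d_ij - delta_ij)^2 / sum d_ij^2).
    Smaller is better; 0 means the plot reproduces the input exactly."""
    num = den = 0.0
    for i in range(len(coords)):
        for j in range(i + 1, len(coords)):
            d = euclid(coords[i], coords[j])
            num += (d - delta[i][j]) ** 2
            den += d * d
    return math.sqrt(num / den) if den else 0.0


def mds(delta, dims=2, iters=2000, lr=0.005, seed=1):
    """The loop the text lists: arbitrary start coordinates, all pairwise
    Euclidean distances, compare with the input via stress, move every point
    against the gradient of stress, repeat until stress no longer falls."""
    n = len(delta)
    rng = random.Random(seed)
    coords = [[rng.uniform(-0.5, 0.5) for _ in range(dims)] for _ in range(n)]
    history = [stress1(coords, delta)]
    for _ in range(iters):
        grad = [[0.0] * dims for _ in range(n)]
        for i in range(n):
            for j in range(n):
                if i == j:
                    continue
                d = euclid(coords[i], coords[j])
                if d < 1e-9:
                    continue  # coincident points: gradient undefined, skip
                # d/dx_i of (d_ij - delta_ij)^2 = 2 (d_ij - delta_ij) (x_i - x_j) / d_ij
                coef = 2.0 * (d - delta[i][j]) / d
                for k in range(dims):
                    grad[i][k] += coef * (coords[i][k] - coords[j][k])
        for i in range(n):
            for k in range(dims):
                coords[i][k] -= lr * grad[i][k]
        history.append(stress1(coords, delta))
        if abs(history[-2] - history[-1]) < 1e-9:
            break
    return coords, history


def fit(incidents=INCIDENTS, variables=VARIABLES):
    """Returns ({variable: (x, y)}, starting stress, final stress)."""
    delta = dissimilarity_matrix(incidents, variables)
    coords, history = mds(delta)
    return dict(zip(variables, (tuple(c) for c in coords))), history[0], history[-1]


def mean_distance(layout, anchor, others):
    """Average plot distance from one variable to a group of others."""
    return sum(euclid(layout[anchor], layout[o]) for o in others) / len(others)


if __name__ == "__main__":
    layout, s0, s1 = fit()
    print(f"stress-1: start {s0:.3f}, final {s1:.3f}")
    for name, (x, y) in sorted(layout.items()):
        print(f"{name:>11s}  {x:+.2f} {y:+.2f}")
```

Running the file prints the starting and final stress-1 and the coordinates of each variable; variables that co-occur (for instance ‘Com’ with ‘DoS’ and ‘Disrupt’) land close together, which is the Principle of Continuity reading applied to Fig. 1. Stress reports only how well the plot reproduces the input dissimilarities; whether the regions drawn on such a plot are meaningful remains an interpretive step, exactly as in the partitioning of Fig. 3.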

4.1. Frequencies

Table 3 shows the frequencies and percentages of the variables in the SSA. The percentages may help understand the relationships between the variables in the SSA.

With regard to the ‘Target Sectors’ being compared, ‘Com’ is represented in 838 (60%) of the incidents, and ‘Gov’ in 559 (40%). With regard to the ‘Impact’ of the cyber intrusions towards ‘Com’ and ‘Gov’, the most common effect was ‘Disrupt’, occurring in 570 of 1397 incidents (40.8%); ‘Distort’ occurs in 531 of 1397 incidents (38.0%). ‘Disrupt’ is the least invasive form of attack, and ‘Distort’ is more severe. ‘Disrupt’ means access change: the organization is unable to access its information systems. This is a nuisance for organizations, and may cost money and time for an organization that depends on efficiency and effectiveness. It may also alter customers’ perception of trust, as sites may be down and business affairs interrupted. It is interesting that the least severe form of ‘Impact’ is the one that occurs most frequently. It must, however, be mentioned that ‘Distort’ is almost as frequent, and that this form of modification of information through file change may have severe implications. Quite a large amount of file change is reported, but modification of files may well be harder to detect than disruption of services, so many cases may go unreported because the victim never detects them. Customers may also be less aware of file change than of access change, which gives less incentive to report file change. The remaining incidents (other than ‘Disrupt’, ‘Distort’, ‘Destruct’, ‘Disclosure’, and ‘Unknown’) that bring the total to 100% are from the category ‘Deception’ (1.7%), which is not included in the analysis because it is not mentioned in the ‘Spreadsheet Data Dictionary’ (see Appendix 1).

Table 3 – Frequencies and percentages of the variables in the SSA

Facet            Variable               SSA name    SSA no.   Frequency      %   Sum %
Impact           Disrupt                Disrupt           9         570   40.8
                 Distort                Distort          10         531   38.0
                 Destruct               Destruct         11          60    4.3
                 Disclosure             Disclosure       12         199   14.2
                 Unknown                UnImpact         13          14    1.0    98.3
Method of        Misuse of Resources    Misuse            1          73    5.2
operation (MO)   User Compromise        UserComp          2          85    6.1
                 Root Compromise        Root              3         433   31.0
                 Social Engineering     SocEng            4           7    0.5
                 Virus                  Virus             5         299   21.4
                 Web Compromise         WebComp           6         143   10.2
                 Trojan                 Trojan            7          10    0.7
                 Worm                   Worm              8          41    2.9
                 Recon                  Reconn           14         156   11.2
                 Denial of Service      DoS              15         110    7.9    97.1
Source sectors   Com                    Scom             18         121    8.7
                 Gov                    Sgov             19          21    1.5
                 Edu                    Sedu             20          13    0.9
                 Intl                   Sintel           21         192   13.7
                 User                   Suser            22         108    7.7
                 Unknown                Sunknown         23         890   63.7    96.2
Target sectors   Com                    Com              16         838   60.0
                 Gov                    Gov              17         559   40.0   100.0

Percentages are of the 1397 incidents; the shortfall from 100% in each facet is the categories excluded from the analysis (see Section 4.1).


Within the ‘MO’ category, the most common method used in cyber intrusions towards ‘Com’ and ‘Gov’ is ‘Root Compromise’, occurring in 433 of 1397 incidents (31.0%). This is interesting as ‘Root’ is the highest level of access. ‘Virus’ is also a frequently used ‘MO’ against ‘Com’ and ‘Gov’, occurring in 299 incidents (21.4%). It is not surprising that ‘Virus’ is reported quite commonly, as viruses are visible and spread easily, and there are many detection programs that focus on identifying them. ‘Recon’ is also quite common, occurring in 156 incidents (11.2%). ‘Recon’ is the scanning of machines to see whether there are any vulnerabilities, and is often used before an actual attack. There are believed to be more scanning attempts than those reported, as ‘Recon’ does not always lead to a severe ‘Impact’ and may therefore be ignored by organizations. ‘Web Compromise’ occurs in 143 incidents (10.2%) and ‘Denial of Service’ in 110 incidents (7.9%). ‘Web Compromise’ is quite visible both to the organization and to the customer, and may therefore be reported quite commonly. The rest of the incidents (other than ‘User Compromise’, ‘Misuse of Resources’, ‘Worm’, ‘Trojan’, and ‘Social Engineering’) are divided between ‘Disclosure’ and ‘Deception’. ‘Deception’ is not included in the analysis because it is not mentioned in the ‘Spreadsheet Data Dictionary’ (see Appendix 1); the incidents that have ‘Deception’ as ‘MO’ also have ‘Deception’ as ‘Impact’ (1.7%). The last 1.2% is from the category ‘Disclosure’, which is not included as an ‘MO’ since it is handled in the ‘Impact’ facet. It is suggested that ‘Deception’ be included in the ‘Spreadsheet Data Dictionary’, and that ‘Disclosure’ be included in either the ‘MO’ or the ‘Impact’ facet.

The frequencies of the ‘Source Sectors’ show that the most common source variable is ‘Unknown’, occurring in 890 incidents (63.7%). This is an important finding, as it shows that improvements must be made if attackers are to be identified to a greater extent. Since ‘Source Sector’ records the apparent source as established by the reporting organization, the figure reflects the limits of attribution as much as deliberate anonymity; either way, it shows that a cyber incident can easily be carried out without the source being identified, which suggests that these types of attacks will continue to grow. ‘Intl’ is the second most common source, with 192 incidents (13.7%). This suggests that CERT/CC ought to divide cyber incidents from abroad into various categories, so that more may be learnt about those attacking various targets. ‘Com’ and ‘User’ are present in 121 (8.7%) and 108 (7.7%) of incidents. It is important to note here that commercial institutions are attacking other organizations just as often as individual users are. This finding has important implications, in that it may break the cliché that the great threat is the teenage hacker hacking from his bedroom. The remaining ‘Source Sectors’ ‘Misc’ (0.5%) and ‘Org’ (0.2%) (besides ‘Gov’ and ‘Edu’, which are retained) are not included because they are present in very few cases. ‘Net’ (3.1%) is not included since it is not mentioned in the ‘Spreadsheet Data Dictionary’; it is suggested that ‘Net’ be listed there.

4.2. Cross-tabulations

The cross-tabulations are further used to understand the relationships between the cyber incident aspects (see Table 4 for the cross-tabulations of the ‘Target Sectors’ ‘Com’ versus ‘Gov’ in relation to the facets ‘Impact’, ‘MO’, and ‘Source Sector’). The cross-tabulations show that even though ‘Disrupt’ is the most common ‘Impact’ of cyber intrusions in total, it is only the ‘Target Sector’ ‘Com’ that most commonly experiences ‘Disrupt’ (in 424 of 838 cases, 50.6%). This is an important finding, as it shows that commercial organizations commonly experience the form of ‘Impact’ that disrupts their service. It may be that commercial institutions are most aware of this disruption, since it disturbs business functions and thus leads to loss of resources. It is also quite visible to the customer, and may indicate that the business does not have strong security. Some organizations may get refunds or have insurance that covers business disruption. The most common ‘Impact’ for ‘Gov’ is, however, ‘Distort’ (in 290 of 559 cases, 51.9%). This is also interesting, as it shows that attackers who target government institutions are changing information in these information systems. It would be interesting to know whether the information is altered for political reasons, or for other reasons such as personal gain or revenge. Within the ‘MO’ facet, ‘Root Compromise’ is the most frequent for both ‘Com’ and ‘Gov’. However, whereas ‘Virus’ is the second most frequent ‘MO’ for ‘Com’, it is ‘Web Compromise’ that is the second most frequent ‘MO’ for ‘Gov’ (22.5%); for ‘Com’, ‘Web Compromise’ occurs in only 2.0% of incidents. These findings are interesting, as they show that commercial institutions often have problems with viruses that spread across and between organizations, whereas governments most commonly have problems with web attackers who alter web pages. Many of these attackers are also political attackers (Kjaerland, 2000). ‘User Compromise’ is more common towards ‘Gov’ (10.2%) than ‘Com’ (3.3%), and ‘Denial of Service’ is more common towards ‘Com’ (10.7% versus 3.6%). This is interesting, as governments are thereby experiencing unauthorized users exercising user-level privileges on a host, whereas commercial institutions are experiencing ‘Denial of Service’, which disrupts business. For both ‘Com’ and ‘Gov’, the most common ‘Source Sector’ is ‘Unknown’ (69.6% for ‘Com’ and 54.9% for ‘Gov’). Further, ‘Intl’ is a common ‘Source Sector’ for both ‘Com’ and ‘Gov’. For the ‘Target Sector’ ‘Com’, however, the ‘Source Sector’ ‘Com’ is exactly as common as ‘Intl’ (11.3% each), so ‘Intl’ is relatively more prominent for the ‘Target Sector’ ‘Gov’ (17.4%). It is interesting that commercial institutions are commonly attacked by other commercial institutions, as it shows that cyber incidents may be used for competitive advantage. Though there are not very many attackers from ‘Gov’ (1.5%), it is interesting to note that these attacks most commonly occur towards other governmental institutions (3.2% versus 0.4%). Finally, it must be noted that ‘User’ is very common towards the ‘Target Sector’ ‘Gov’, occurring in 15.6% of cases (versus 2.5% for ‘Com’). This shows that individual users often attack governmental institutions.

Table 4 – Cross-tabulations of Com versus Gov in relation to impact, MO, and source sectors

Facet           Variable               Com            Gov
Impact          Disrupt                424, 50.6%     146, 26.1%
                Distort                241, 28.8%     290, 51.9%
                Destruct                42,  5.0%      18,  3.2%
                Disclosure             102, 12.2%      97, 17.4%
                Unknown                 13,  1.6%       1,  0.2%
MO              Misuse of Resources     54,  6.4%      19,  3.4%
                User Compromise         28,  3.3%      57, 10.2%
                Root Compromise        293, 35.0%     140, 25.0%
                Social Engineering       5,  0.6%       2,  0.4%
                Virus                  222, 26.5%      77, 13.8%
                Web Compromise          17,  2.0%     126, 22.5%
                Trojan                   6,  0.7%       4,  0.7%
                Worm                    28,  3.3%      13,  2.3%
                Recon                   73,  8.7%      83, 14.8%
                Denial of Service       90, 10.7%      20,  3.6%
Source sectors  Com                     95, 11.3%      26,  4.7%
                Gov                      3,  0.4%      18,  3.2%
                Edu                      8,  1.0%       5,  0.9%
                Intl                    95, 11.3%      97, 17.4%
                User                    21,  2.5%      87, 15.6%
                Unknown                583, 69.6%     307, 54.9%

Percentages are of the 838 ‘Com’ and 559 ‘Gov’ incidents respectively.

Tables 5–7 show the cross-tabulations between ‘MO’ and ‘Impact’, ‘Source Sectors’ and ‘Impact’, and ‘MO’ and ‘Source Sectors’. From the cross-tabulations between ‘MO’ and ‘Impact’, it can be seen that the most common ‘Impact’ of ‘Root’ is ‘Distort’ (51.3%), but a relatively large share of ‘Root’ also results in ‘Disrupt’ (34.9%). Further, the most common ‘Impact’ of ‘Virus’ is ‘Disrupt’ (48.8%), but 28.4% results in ‘Distort’. ‘Web Compromise’ commonly results in ‘Distort’ (90.0%), and ‘User Compromise’ commonly results in ‘Distort’ (48.2%), whereas ‘Denial of Service’ commonly results in ‘Disrupt’ (95.5%).
This shows that the attacks towards ‘Com’ that lead to ‘Disrupt’ are often caused by ‘Virus’ or ‘Denial of Service’, and that the attacks towards ‘Gov’ that lead to ‘Distort’ are commonly caused by ‘Web Compromise’ or ‘User Compromise’. These are interesting results that help in understanding the larger picture of the differences between attacks towards ‘Com’ and ‘Gov’. From the cross-tabulations between ‘Source Sector’ and ‘Impact’, it can be seen that the most frequent ‘Impact’ of ‘Unknown’ and ‘Com’ sources is ‘Disrupt’, whereas the most frequent ‘Impact’ of ‘Intl’ and ‘User’ sources is ‘Distort’. This suggests that when the least severe ‘Impact’ occurs, the source is unknown or is another commercial institution, but that when the more severe ‘Distort’ occurs, it is often an international or user source. Interestingly, ‘Web Compromise’ most frequently has ‘User’ as ‘Source Sector’ (46.2%), ‘Denial of Service’ a ‘Com’ or ‘Intl’ ‘Source Sector’ among the known sources, and ‘Virus’ a ‘Com’ ‘Source Sector’. This suggests that commercial or unknown sources attacking other commercial institutions often use ‘Denial of Service’ or ‘Virus’ attacks, and that user or international sources attacking government institutions often choose ‘Web Compromise’ (or ‘User Compromise’).

4.3. Smallest space analysis (SSA) results

The SSA plot is shown with frequencies in Fig. 2. The SSA is here divided into three regions, with the outer region representing variables that have less than 5.2% occurrence. These variables are ‘Trojan’ (0.7%), ‘SocEng’ (Social Engineering) (0.5%), ‘Worm’ (2.9%), ‘Sgov’ (Government Source) (1.5%), ‘UnImpact’ (Unknown Impact) (1.0%), and ‘Sedu’ (Educational Source) (0.9%). The variables in the region of 6.1–14.2% (8–31%) are ‘WebComp’ (Web Compromise) (10.2%), ‘Suser’ (User Source) (7.7%), ‘sintel’ (International Source) (13.7%), ‘Disclosure’ (14.2%), ‘User Comp’ (User Compromise) (6.1%), ‘Reconn’ (Recon) (11.2%), ‘Scom’ (Commercial Source) (8.7%), and ‘DoS’ (Denial of Service) (7.9%). Finally, the variables within the inner circle of 21.4–63.7% (31–62%) are ‘Distort’ (38.0%), ‘Gov’ (Government Target) (40.0%), ‘Sunknown’ (Unknown Source) (63.7%), ‘Com’ (Commercial Target) (60%), ‘Virus’ (21.4%), ‘Root’ (31%), and ‘Disrupt’ (40.8%). The SSA is further used for partitioning in relation to what aspects of cyber intrusions are most commonly occurring in commercial versus government reported computer security incidents (see Fig. 3). The area defined as ‘Commercial Sector’ contains the variables ‘Sunknown’ (Unknown Source), ‘Com’ (Commercial Target), ‘Disrupt’, ‘Root’, ‘DoS’ (Denial of Service), ‘Scom’ (Commercial Source), and ‘Virus’. The area defined as ‘Governmental Sector’ contains the variables ‘WebComp’ (Web Compromise), ‘Suser’ (User Source), ‘Distort’, ‘Gov’ (Governmental Target), ‘sintel’ (International Source), ‘Disclosure’, ‘UserComp’ (User Compromise) and ‘Reconn’ (Recon).

4.4. The 3-dimensional solutions

The area defined as ‘Commercial Sector’ contains the seven variables ‘Unknown Source’, ‘Commercial Target’, ‘Disrupt’, ‘Root’, ‘Denial of Service’, ‘Commercial Source’, and ‘Virus’. The area defined as ‘Governmental Sector’ contains the eight variables ‘Web Compromise’, ‘User Source’, ‘Distort’, ‘Governmental Target’, ‘International Source’, ‘Disclosure’, ‘User Compromise’, and ‘Recon’. The variables ‘Virus’ and ‘Sunknown’ fall within the ‘Commercial Sector’ close to the border towards the ‘Governmental Sector’, indicating that they are somewhat more common within the ‘Commercial Sector’ but also occur within the ‘Governmental Sector’. In the 3-dimensional plot (vector 1 × vector 3) (see Appendix 2), however, ‘Virus’ shifts inwards in the ‘Commercial Sector’ region, indicating that ‘Virus’ is more common towards the ‘Commercial Sector’. The variables ‘WebComp’, ‘Suser’, and ‘Recon’ fall within the ‘Governmental Sector’ close to the border towards the ‘Commercial Sector’, meaning that they are somewhat more common within the ‘Governmental Sector’ but also occur within the ‘Commercial Sector’. In the 3-dimensional plot ‘Recon’ shifts over to the ‘Commercial Sector’, whereas ‘WebComp’ and ‘Suser’ shift inwards in the ‘Governmental Sector’ region, indicating that ‘WebComp’ and ‘Suser’ are indeed more common in incidents towards the ‘Governmental Sector’. The 3-dimensional plot (vector 1 × vector 2) (see Appendix 2) is in general consistent with the 2-dimensional plot. The only changes are that ‘Sgov’ lies inside the circle in the 3-dimensional plot (on the governmental side) and ‘DoS’ outside. ‘DoS’ is not far inside the circle in the 2-dimensional plot either, and the cross-tabulations show that ‘DoS’ is more common in attacks towards the ‘Commercial Sector’. All variables within the ‘Commercial Sector’ and ‘Governmental Sector’ are the same in the vector 1 × vector 2 version of the 3-dimensional plot and in the 2-dimensional plot. The 3-dimensional plot (vector 1 × vector 3) is also consistent with the 2-dimensional plot. The only change is that ‘Trojan’ lies inside the circle in the 3-dimensional plot (on the governmental side). All variables within the ‘Commercial Sector’ and ‘Governmental Sector’ are the same in the vector 1 × vector 3 version and in the 2-dimensional plot, except for ‘Root’, which lies in the ‘Governmental Sector’, and ‘Disclosure’, which lies in the ‘Commercial Sector’; ‘Root’ was close to the dividing line in the 2-dimensional plot as well. Finally, the 3-dimensional plot (vector 2 × vector 3) (see Appendix 2) behaves the same way as the vector 1 × vector 3 plot: ‘Trojan’ lies inside the circle on the governmental side, and the regional membership of all variables matches the 2-dimensional plot except that ‘Root’ falls in the ‘Governmental Sector’ and ‘Disclosure’ in the ‘Commercial Sector’. The location of the 23 variables thus differs only marginally between the 2-dimensional and 3-dimensional analyses, which adds to the robustness of the results.

Table 5 – Cross-tabulations between MO and impact (row percentages)

MO                    Disrupt        Distort        Destruct      Disclosure     Unknown
Misuse of resources    38, 52.1%      21, 28.8%      1,  1.4%      8, 11.0%      1, 1.4%
User compromise        20, 23.5%      41, 48.2%      8,  9.4%     11, 12.9%      2, 2.4%
Root compromise       151, 34.9%     222, 51.3%     13,  3.0%     37,  8.5%      8, 1.8%
Social engineering      2, 28.6%       0,  0.0%      2, 28.6%      2, 28.6%      0, 0.0%
Virus                 146, 48.8%      85, 28.4%     29,  9.7%     37, 12.4%      2, 0.7%
Web compromise         11,  7.7%     128, 90.0%      3,  2.1%      0,  0.0%      0, 0.0%
Trojan                  5, 50.0%       1, 10.0%      1, 10.0%      3, 30.0%      0, 0.0%
Worm                   16, 39.0%      20, 47.8%      2,  4.8%      3,  7.3%      0, 0.0%
Recon                  66, 42.3%       9,  5.8%      1,  0.6%     79, 50.6%      1, 0.6%
Denial of service     105, 95.5%       4,  3.6%      0,  0.0%      0,  0.0%      0, 0.0%

Table 6 – Cross-tabulations between source sectors and impact (row percentages)

Source sector   Disrupt         Distort         Destruct      Disclosure      Unknown
Com              75, 62.0%       19, 15.7%       2, 1.7%       21, 17.4%       0, 0.0%
Gov               6, 28.6%        5, 23.8%       1, 4.8%        8, 38.1%       0, 0.0%
Edu              10, 76.9%        2, 15.4%       0, 0.0%        1,  7.7%       0, 0.0%
Intl             58, 30.2%      102, 53.1%       5, 2.6%       24, 12.5%       0, 0.0%
User             10,  9.3%       72, 66.7%       1, 0.9%       22, 20.4%       1, 0.9%
Unknown         375, 42.1%      323, 36.3%      50, 5.6%      116, 13.0%      13, 1.5%

4.5. Final analysis of the results

With regard to the ‘Target Sectors’ being compared, ‘Com’ is represented in 838 (60%) of the incidents and ‘Gov’ in 559 (40%). This shows that more incidents were reported to CERT/CC from the commercial than from the government sector in the periods July 2000–Feb 2001 and Sept 2001–Feb 2002. This finding concurs with Lottor (1996), who reports 3.3 million hosts under the ‘com’ top-level domain in 1996 against only 1.2 million under ‘gov’. The most common impact of cyber intrusions in the sample was ‘Disrupt’, which occurred in 40.8% of incidents. This is around the same as in the study of cyber incidents towards all types of targets, where ‘Disrupt’ was present in 39.4% of the incidents (Kjaerland, 2005). ‘Distort’ (38.0%) is the second most common form of ‘Impact’, which is also reflected in the study of all targets (36.3%). Interestingly, the cross-tabulations show that even though ‘Disrupt’ is the most common ‘Impact’ of cyber intrusions in total, it is only the ‘Target Sector’ ‘Com’ that most commonly experiences ‘Disrupt’ (50.6%); the most common ‘Impact’ for ‘Gov’ is ‘Distort’ (51.9%). Thus the ‘Target Sector’ ‘Gov’ generally experiences a more severe ‘Impact’ of attacks, as ‘Disrupt’ is defined as: ‘‘Access change, removal of access to victim or to information. Manipulate permission. Ex. Denial of Service attack or Trojan horse. ‘Disrupt’ would be the least invasive nature of attack’’, whereas ‘Distort’ means: ‘‘File change, modification of information from victim. This is a change to data within files’’. When ‘Com’ most commonly experiences access change and ‘Gov’ most commonly experiences file change, one may wonder whether this is related to the type of attacks towards the different sectors, or to the type of sources attacking them. Further, the ‘Impact’ categories ‘Disclosure’, ‘Destruct’, and ‘Unknown’ occur in descending order for both ‘Com’ and ‘Gov’. ‘Com’ experiences all of these types of ‘Impact’ more frequently, except for ‘Disclosure’, which is experienced in 17.4% of ‘Gov’ incidents and only 12.2% of ‘Com’ incidents. ‘Disclosure’ is defined as ‘‘Unauthorized exposure of information, other than in support of one of the above. Disclose would imply disclosure of information that may lead to further compromises. Ex. Download of password file.’’ Here too one may wonder whether this is related to the types of attacks or to the types of sources. In order to answer these questions and understand the differences between attacks towards different sectors, it will be useful to collect more data and see whether these results are replicated. Within the ‘MO’ category, the most commonly used methods in the current sample were ‘Root Compromise’ (31.0%) and ‘Virus’ (21.4%).

Table 7 – Cross-tabulations between MO and source sectors (row percentages)

MO                    Com           Gov          Edu          Intl          User          Unknown
Misuse of resources    7,  9.6%     2, 2.7%      1, 1.4%      8, 11.0%      5,  6.8%      47, 64.4%
User compromise        4,  4.7%     0, 0.0%      1, 1.2%     23, 27.1%      1,  1.2%      55, 64.7%
Root compromise       32,  7.4%     3, 0.7%      4, 0.9%     64, 14.8%      4,  0.9%     316, 73.0%
Social engineering     0,  0.0%     0, 0.0%      0, 0.0%      1, 14.3%      1, 14.3%       5, 71.4%
Virus                 33, 11.0%     6, 2.0%      1, 0.3%     15,  5.0%     14,  4.7%     211, 70.6%
Web compromise         0,  0.0%     0, 0.0%      0, 0.0%     20, 14.0%     66, 46.2%      55, 38.5%
Trojan                 0,  0.0%     0, 0.0%      0, 0.0%      0,  0.0%      1, 10.0%       9, 90.0%
Worm                   0,  0.0%     1, 2.4%      0, 0.0%     22, 53.7%      0,  0.0%      18, 43.9%
Recon                 16, 10.3%     9, 5.8%      5, 3.2%     24, 15.4%      5,  3.2%      89, 57.0%
Denial of service     17, 15.5%     0, 0.0%      1, 0.9%     11, 10.0%      2,  1.8%      70, 63.6%

[Fig. 2 – SSA showing the percentage ranges of the co-occurring variables. Same configuration as Fig. 1, with three concentric regions labelled ‘< 5.2%’, ‘6.1–14.2%’ and ‘21.4–63.7%’.]

[Fig. 3 – SSA showing partitioning between the targets Com and Gov in relation to impact, method of operation, and source sector. Same configuration as Fig. 1, partitioned into a ‘Commercial Sector’ region and a ‘Governmental Sector’ region.]
This is the same in the incidents towards all targets, where ‘Root Compromise’ occurs in 33.0% of the sample, and ‘Virus’ occurs in 26.2% of the sample. ‘Root’ is the highest level of access in a system. ‘Recon’ is also quite common (11.2%), which is not surprising as ‘Recon’ is used as a preface for searching available machines for attacks. It is therefore believed that the ‘Recon’ activity is not targeted, but randomly searching for weak machines. This may also suggest that the victim security is not updated, as the ‘Recon’ scanning attempts are most supposedly targeting known vulnerabilities. It may be suggested that the incidents are categorized in relation to whether they contain ‘Recon’, and then also are categorized in relation to whether they have another ‘MO’ within the incident. This would prove very useful for early warning purposes, as it may be a beginning in terms of looking at the relationships between preface activities and the actual attack activities. These relationships may have practical implications for both preventive and reactive security. The three least frequent ‘MOs’ are ‘Worm’ (2.9%), ‘Trojan’ (0.7%), and ‘Social Engineering’ (0.5%). In the sample towards all targets, the same ‘MOs’ are the least frequent ‘MOs’ also in this sample, with, respectively, ‘Worm’ in 2.8% of cases, ‘Trojan’ in 1.0%, and ‘Social Engineering’ in 0.6%. When looking at the cross-tabulations, it can be seen that ‘Root Compromise’ is the most frequent ‘MO’ for both ‘Com’ and ‘Gov’, and ‘Virus’ is the second most

534

computers & security 25 (2006) 522–538

frequent ‘MO’ for ‘Com’. Interestingly, it is ‘Web Compromise’ that is the second most frequent ‘MO’ for ‘Gov’. For ‘Com’, the same ‘MO’ ‘Web Compromise’ only occur in 2.0% of the incidents. Further, when ‘Recon’ is the third most frequent ‘MO’ towards ‘Gov’, occurring in 14.8% of incidents, the same ‘MO’ does only occur in 8.7% of incidents towards ‘Com’ (after, respectively, ‘Root’, ‘Virus’, and ‘DoS’). Also, ‘User compromise’ is much more common towards ‘Gov’ (10.2%) than ‘Com’ (3.3%). This suggests that random attacks, searching machines with no apparent motive to select particular targets, occur more commonly towards ‘Gov’. The ‘Web Compromise’ results may fruitfully be seen in relation to the source ‘User’ that is closely related to ‘Web Compromise’. Thus, individual users target ‘Gov’, and also use other random attacks (‘recon’). This reflects the nature of attacks towards ‘Gov’. It may be suggested that both these types of attacks most commonly come from script kiddies, and/or hactivists who alter web pages with their informative but threatening political messages (see Kjaerland, 2000). Further, as the ‘Virus’ occurrences towards ‘Gov’ are only 13.8%, it shows that attacks towards ‘Com’ are more often ‘Virus’ related than towards ‘Gov’. This may suggest that the attacks towards ‘Com’ are more often related to financial gain or reputation. This is also reflected in the common use of ’Denial of Service’ (DoS) towards ‘Com’.

5. Future research

The results of the current study show that certain aspects of cyber attacks co-occur, and how various aspects are distinguished between different types of targets. The implications of ‘Web Compromise’ from a ‘User’ ‘Source’ towards the government ‘Target Sector’, resulting in file change (‘Distort’), and of ‘Virus’ and ‘Root’ attacks with the consequence of access change (‘Disrupt’) from other commercial institutions towards the commercial ‘Target Sector’, may be drawn upon further in future studies in order to support the underlying structures. The discrepancies between these sectors may be studied further by distinguishing between different types of organizations within these sectors, such as the oil industry and the finance industry. Such research may give further indications about differences between various types of organizations. It is generally suggested that additional data should be collected and shared on a large-scale basis. For the future, more cases are needed in order to compare the results with other institutions such as non-profit organizations, military sectors, and public sectors in general. These future studies may look into the opportunities for attacks and thereby profile the targets in depth using information about access points, etc. This may have direct implications for how organizations may change their exposure to attack. In terms of future studies it would also be interesting to relate data from Intrusion Detection Systems (IDS) and Internet traffic activity data to the historical cases. As such, it may be possible to say something about the link between historical and future cases. These efforts may assist early warning across sectors, something that will also assist the work on protecting critical infrastructure.

In order to be able to conduct this type of research it is, however, important to have an enhanced focus on reporting and to develop standardizations that function across reporting mechanisms. Generally, there are too many country-specific reporting mechanisms and not enough coordination between them. The current study has, however, given an example of analyses that may give improved threat assessments if cyber incident information is standardized and shared. The development of a common set of categorization schemes for reporting, a proper assessment of threat levels, and a database for the linkage of offences in cyberspace will give the basis for improved cyber security across borders. This type of database exists for other types of physical crime, and if it is to be developed for cyber crime, it requires universal reporting efforts. Research of the kind exemplified by this article may also help suggest measures to be taken in order to reduce the likelihood of attacks, or to limit their impact if they occur. These types of analyses of historical incidents, which focus on both the target and the attackers, may further help predict future incidents towards certain types of targets. As early warning strategies, these measures may assist in developing recommendations about changes to be made to organizations in order to reduce their attractiveness as targets. The size, sophistication and reputation of a country’s financial market play, for example, a key role in determining the extent to which money laundering occurs in that country. By profiling the target sectors it should ideally also be possible to say something about whether the institutions or sectors are creating, discouraging, or reducing the opportunities for and success of attacks.

6. Conclusion

The current study focuses on cyber incidents towards the commercial and government sectors, and on how the two sectors experience different types of attacks. A new taxonomy with four facets was developed. The facets are ‘Method of Operation (MO)’, which refers to the methods used by the perpetrator to carry out an attack; ‘Impact’, which refers to the effect of the attack; ‘Source’, which refers to the source of the attack; and ‘Target’, which refers to the victim of the attack. Data from CERT/CC on 838 attacks towards the commercial sector and 559 attacks towards the government sector, a total of 1397 attacks, were analyzed through the multidimensional scaling (MDS) technique smallest space analysis (SSA). The study investigated the research question by looking into the relationships between the cyber incident aspects from the commercial and government sectors, as well as the differences between the incidents reported from these sectors. The analysis showed that the government ‘Target Sector’ commonly experiences ‘Web Compromise’ from a ‘User’ source, resulting in file change (‘Distort’). Further, the commercial ‘Target Sector’ experiences ‘Virus’ and ‘Root’ attacks with the consequence of access change (‘Disrupt’) from other commercial institutions.

A main finding is that the ‘Commercial Sector’ experiences the least invasive ‘Impact’, ‘Disrupt’, while the ‘Government Sector’ experiences the more invasive ‘Distort’. A possible explanation is that this is related to the different types of attacks that the ‘Commercial Sector’ and the ‘Government Sector’ frequently experience. The ‘Commercial Sector’ more commonly experiences ‘Virus’ and ‘DoS’, whereas the ‘Government Sector’ more commonly experiences ‘Web Compromise’ and ‘User Compromise’. This may in turn be related to the type of attackers who are attacking the various sectors. Attacks towards the ‘Commercial Sector’ more often come from a ‘Commercial’ source, and attacks towards the ‘Government Sector’ more often come from a ‘User’ source. In general, both sectors also have attacks from an ‘Unknown’ source. These results show that attacks towards different targets are different, and suggest that many attacks towards ‘Com’ may be financially related, and related to disrupting business functions through ‘Virus’ or ‘DoS’. Attacks towards ‘Gov’ are related to ‘Web Compromise’ and ‘User Compromise’, and often come from individual ‘Users’ who alter information. Depending on whether these attacks are targeted or of a random nature, these attackers may have different objectives when altering web pages. It is important to gain insight into what types of attackers, attack types, and impacts of attacks occur towards different sources, as this may help direct cyber security efforts. From these results based on reported incidents, it seems apparent that commercial institutions should be aware that ‘Virus’ and ‘Denial of Service’ as well as ‘Root’ attacks commonly occur towards their types of institutions. They should also be aware that these attacks do not only come from individual users, but most often from other commercial institutions. This may help them understand the threat towards their businesses, and help to create greater awareness of what is taking place.

As government institutions often experience ‘Web Compromise’ and ‘User Compromise’, government institutions that have not yet detected attacks may learn from the experience of other similar institutions. The web alterations may come from hackers attacking for a challenge, but may also come from political activists. It is worth being aware of the type of alterations that are made in these file changes, and taking notice of whether the organization is actually creating an opportunity for attacks by publishing information on the Net that should rather be kept on internal servers. To conclude, it is apparent that commercial and government institutions are experiencing different types of attacks, which indicates that different precautions should be taken. Cyber incidents will only continue to grow in the future, and in order to better understand the incidents and the security efforts that may be taken, future research in this area is needed.

Acknowledgements

I thank Dr Tim Shimeall for securing the release of cleansed data from CERT Coordination Center, as well as discussions about these data. I also thank Professor Kjell Hausken for useful comments, and Professor David Canter for discussions about facet theory, smallest space analysis (SSA), and the Lifa program.

Appendix 1. Spreadsheet Data Dictionary

ID: Incident Number assigned by the CERT/CC. Ex. CERT#19827

Impact: The effect of the attack.
Disrupt: access change, removal of access to victim or to information. Manipulate permissions. Ex. Denial of Service attack or Trojan horse. ‘Disrupt’ would be the least invasive nature of attack.
Distort: file change, modification of information from victim. This is a change to data within files.
Destruct: file deletion, removal of information from victim. Destruct would be seen as the most invasive and malicious and may include Distort or Disrupt.
Disclosure: unauthorized exposure of information, other than in support of one of the above. Disclose would imply disclosure of information that may lead to further compromises. Ex. Download of password file.
Unknown: insufficient information to classify.
Enigma: activity of uncertain nature at victim, even in presence of information.

Source Sectors: source of the incident (if explicitly identified).
Target Sectors: victim of the incident.
Other Sectors: sectors used as intermediary site in the incident.
All sectors refer to US sites, except intl.
com: commercial (including consumer products, industry, small business)
k12: elementary or secondary school
edu: postsecondary school
fin: finance/banking
gov: local or national government (including buildings/housing, emergency services, public benefits, social services, state and federal government, taxes, tribal governments, worker protections, environment, military)
isp: Internet infrastructure
mda: news/media
med: medical/health
misc: variety of above categories
org: non-profit organization
user: individual users
utl: utilities
eat: food supply
lgl: (non-governmental?) legal
sci: science and technology
trn: transportation
intl: non-US

Method of Operation (MO): Method(s) used by perpetrator to carry out attack.
Recon: scanning/probing site to see what services are available. Determining what vulnerabilities exist that may be exploited.
Misuse of Resources: unauthorized use of IT resources. Ex. Storing unauthorized files on a server, using site as springboard for further unauthorized activity.
False Alarm: reported event that further analysis reveals to be a non-event where no malicious activity occurred.
Root Compromise: perpetrator gains unauthorized administrator privileges on a host.
Virus: a virus is a piece of code that, when run, will attach itself to other programs, which will again run when those programs are run.
Trojan: a program that adds subversive functionality to an existing program.
Denial of Service: an exploit whose purpose is to deny somebody the use of the service: namely to crash or hang a program or the entire system.
User Compromise: perpetrator gains unauthorized use of user privileges on a host.
Worm: a program that propagates itself by attacking other machines and copying itself to them.
Social Engineering: gaining unauthorized access to privileged information through human interaction and targeting people’s minds rather than their computers.
Web Compromise: using vulnerabilities in a website to further an attack.
Data Manipulation: unauthorized data modification or destruction.
Disclosure: unauthorized exposure of information.
Hoax: a ruse. Information falsely leads reporter to believe that attack will occur/has occurred.

Sophistication: Level of technological and organizational sophistication as evidenced in intrusion records. As defined in the Naval Postgraduate School Center for the Study of Terrorism and Irregular Warfare’s Cyberterror White Paper.
Simple-Unstructured: the capability to conduct basic hacks against individual systems using tools created by someone else. The organization possesses little target analysis, command and control, or learning capability.
Advanced-Structured: the capability to conduct more sophisticated attacks against multiple systems or networks and possibly to modify or create simple hacking tools. The organization possesses an elementary target analysis, command and control, and learning capability.
Complex-Coordinated: the capability for coordinated attacks against complex, heterogeneous defences (including cryptography). Ability to create sophisticated hacking tools. Highly capable target analysis, command and control, and organizational learning capability.
(N.B.: default is Simple-Unstructured)

Tools: Names of specific tools that were apparently used to perpetrate the attack.
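The data dictionary above and the ‘Recon’ categorization proposed in the results discussion can be exercised on records. The following Python is an added example, not the paper’s code and not CERT/CC data: the pipe-separated record layout, the function names, and the sample incidents (IDs, sectors, MOs) are all constructed, while the vocabularies are transcribed from the appendix.

```python
"""Validate incident records against the Appendix 1 data dictionary, cross-tabulate
'Impact' by 'Target Sector', and partition incidents by 'Recon' usage (added example)."""
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass
# Vocabularies transcribed from Appendix 1 (Impact, sector codes, MO, Sophistication).
IMPACTS = {"Disrupt", "Distort", "Destruct", "Disclosure", "Unknown", "Enigma"}
SECTORS = {"com", "k12", "edu", "fin", "gov", "isp", "mda", "med", "misc", "org",
           "user", "utl", "eat", "lgl", "sci", "trn", "intl"}
METHODS = {"Recon", "Misuse of Resources", "False Alarm", "Root Compromise", "Virus",
           "Trojan", "Denial of Service", "User Compromise", "Worm", "Social Engineering",
           "Web Compromise", "Data Manipulation", "Disclosure", "Hoax"}
SOPHISTICATION = {"Simple-Unstructured", "Advanced-Structured", "Complex-Coordinated"}

@dataclass
class Incident:
    ident: str           # CERT/CC incident number, e.g. CERT#19827
    impact: str
    target: str
    source: str | None   # None when the source sector was not explicitly identified
    methods: list[str]   # one or more MOs observed within the same incident
    sophistication: str = "Simple-Unstructured"  # appendix: the default value

def parse_record(line: str) -> Incident:
    """Parse the constructed layout ID|Impact|Target|Source|MO;MO[|Sophistication]."""
    fields = line.strip().split("|")
    if len(fields) not in (5, 6):
        raise ValueError(f"expected 5 or 6 fields, got {len(fields)}: {line!r}")
    ident, impact, target, source, mos = fields[:5]
    methods = [m.strip() for m in mos.split(";") if m.strip()]
    soph = fields[5].strip() if len(fields) == 6 else "Simple-Unstructured"
    return Incident(ident, impact, target, source or None, methods, soph)  # "" = unknown

def validate(inc: Incident) -> list[str]:
    """Return the dictionary violations for one record (empty when it is clean)."""
    errors = []
    if not inc.ident.startswith("CERT#"):
        errors.append(f"{inc.ident}: ID should be a CERT/CC incident number")
    if inc.impact not in IMPACTS:
        errors.append(f"{inc.ident}: unknown Impact {inc.impact!r}")
    if inc.target not in SECTORS:
        errors.append(f"{inc.ident}: unknown Target Sector {inc.target!r}")
    if inc.source is not None and inc.source not in SECTORS:
        errors.append(f"{inc.ident}: unknown Source Sector {inc.source!r}")
    errors += [f"{inc.ident}: unknown MO {m!r}" for m in inc.methods if m not in METHODS]
    if inc.sophistication not in SOPHISTICATION:
        errors.append(f"{inc.ident}: unknown Sophistication {inc.sophistication!r}")
    return errors

def crosstab_percent(incidents, row_attr="target", col_attr="impact"):
    """Per row value, percentage of its incidents per column value (the paper's cross-tabs)."""
    counts = defaultdict(Counter)
    for inc in incidents:
        counts[getattr(inc, row_attr)][getattr(inc, col_attr)] += 1
    return {r: {c: round(100.0 * n / sum(cs.values()), 1) for c, n in cs.items()}
            for r, cs in counts.items()}

def recon_partition(incidents):
    """Per target sector: no 'Recon', 'Recon' only, or 'Recon' plus a follow-on MO."""
    table = defaultdict(Counter)
    for inc in incidents:
        follow_on = [m for m in inc.methods if m != "Recon"]
        if "Recon" not in inc.methods:
            key = "no recon"
        elif follow_on:
            key = "recon + follow-on"
        else:
            key = "recon only"
        table[inc.target][key] += 1
    return {t: dict(c) for t, c in table.items()}

# Constructed sample records: IDs, sectors and MOs are invented, not CERT/CC data.
SAMPLE = """\
CERT#00001|Disrupt|com|com|Virus
CERT#00002|Disrupt|com||Recon;Root Compromise
CERT#00003|Distort|gov|user|Web Compromise
CERT#00004|Distort|gov|user|Recon;Web Compromise
CERT#00005|Disclosure|gov||Recon
CERT#00006|Disrupt|com|com|Denial of Service
CERT#00007|Destruct|com|intl|Root Compromise
CERT#00008|Distort|gov|user|User Compromise|Advanced-Structured
"""
INCIDENTS = [parse_record(line) for line in SAMPLE.splitlines()]
```

Running `crosstab_percent(INCIDENTS)` on the constructed sample gives the per-sector ‘Impact’ percentages, and `recon_partition(INCIDENTS)` separates the incidents where ‘Recon’ preceded another ‘MO’ from those where it stood alone.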

Appendix 2. 3-Dimensional plots

[Three SSA plot panels, not reproduced here: (a) vector 1 x vector 2, (b) vector 1 x vector 3, (c) vector 2 x vector 3, each placing the Impact, MO, Source Sector and Target Sector variables on axes running from -100 to 100.]


References

Bennell C, Canter D. Linking commercial burglaries by modus operandi: tests using regression and ROC analysis. Science and Justice 2002;42:153–64.
Borg I. Evolving notions of facet theory. In: Borg I, Mohler PPh, editors. Trends and perspectives in empirical social research. Berlin: deGruyter; 1994. p. 178–200.
Borg I, Shye S. Facet theory: form and content. Thousand Oaks, California: Sage Publication; 1995.
Borgatti S. Social network analysis instructional web site, http://www.analytictech.com/networks/; 1998 [2006].
Brown J. An introduction to the uses of facet theory. In: Canter D, editor. Facet theory: approaches to social research. New York: Springer-Verlag; 1985.
Canter D. The potential of facet theory for applied social psychology. Quality and Quantity 1983;17:36–57.
Canter D. Facet theory: approaches to social research. New York: Springer-Verlag; 1985.
Canter D. Offender profiles. The Psychologist 1989;2(1):12–6.
Canter D, Heritage R. A multivariate model of sexual offence behaviour: developments in ‘‘Offender Profiling’’ I. Journal of Forensic Psychiatry 1990;1:185–212.
Canter D. The wholistic, organic researcher. Central issues in clinical research methodology. In: Powell G, Young R, Frosh S, editors. Curriculum in clinical psychology. Leicester: BPS; 1993. p. 40–56.
Canter D. The facets of place. In: Moore GT, Marans RW, editors. The integration of theory, research, methods, utilization. Advances in environment, behaviour and design, vol. 4. London: Plenum Press; 1995.
Canter D, Fritzon K. Differentiating arsonists: a model of firesetting actions and characteristics. Legal and Criminological Psychology 1998;3:73–96.
Canter D, Alison L. Profiling property crimes. Dartmouth: Cornwall, Ashgate; 2000.
Canter D, Bennell C, Alison LJ, Reddy S. Differentiating sex offences: a behaviorally based thematic classification of stranger rapes. Behavioral Sciences & The Law 2003;21(2):157–74, http://www3.interscience.wiley.com/cgi-bin/jissue/103527656 [2006].
Casey E. Reporting security breaches – a risk to be avoided or a responsibility to be embraced? Digital Investigation 2004;1:159–61.
CERT Coordination Center. CERT/CC statistics 1988–2004. Carnegie Mellon University, http://www.cert.org/stats/cert_stats.html; 2004 [2006].
Chantler N. Profile of a computer hacker. Florida: Infowar; 1996.
Clarke R, Zeichner L. Beyond the moat: new strategies for cybersecurity. Bank Systems & Technology, http://www.banktech.com/showArticle.jhtml?articleID=17501355; 2004 [2005].
Dacey RF, Hite RC. Homeland security: information sharing responsibilities, challenges, and key management issues. Testimony before the Committee of Government Reform, House of Representatives, United States General Accounting Office. http://www.gao.gov/new.items/d03715t.pdf; 2003 [2006].
Dunlevy CJ, Shimeall TJ, Williams P. Cyber intelligence analysis. Contemporary Security Policy August 2002;23:2.
Dunn M. A comparative analysis of cybersecurity initiatives worldwide. Paper prepared by Myriam Dunn, Center for Security Studies, Swiss Federal Institute of Technology (ETH Zurich), for the WSIS Thematic Meeting on Cybersecurity, Geneva, 28 June–July 2005. http://www.itu.int/osg/spu/cybersecurity/docs/Background_Paper_Comparative_Analysis_Cybersecurity_Initiatives_Worldwide.pdf; 2005 [2006].
Elizur D, Sagie A. Facets of personal values: a structural analysis of life and work values. Applied Psychology: International Review 1999;48:73–87.
Foa UG. New developments in facet design and analysis. Psychological Review 1965;77(4):262–74.
Fritzon K, Canter D, Wilton Z. The application of an action systems model to destructive behaviour: the examples of arson and terrorism. Behavioral Science and the Law 2000;19:657–90.
Godwin M. Hunting serial predators: a multivariate classification approach to profiling violent behavior. Boca Raton, FL: CRC Press; 2000.
Gordon LA, Loeb MP, Lucyshyn W, Richardson R. CSI/FBI computer crime and security survey. Computer Security Institute; 2004.
Guttman LA. A general nonmetric technique for finding the smallest coordinate space for a configuration of points. Psychometrika 1968;3:469–506.
Hansman S, Hunt R. A taxonomy of network and computer attacks. Computers & Security 2005;24(1):31–43.
Hollinger R. Computer hackers follow a Guttman-like progression. Social Science Review 1988;72:199–200.
Howard J. Analysis of security incidents on the Internet. Unpublished doctoral dissertation, Carnegie Mellon University. Retrieved January, www.cert.org/research/JHThesis/Start.htm; 1997 [2006].
Icove D, Seger K, VonStorch W. Computer crime: a crimefighter’s handbook. Sebastopol, CA: O’Reilly & Associates, Inc.; 1995.
Kjaerland M. Electronic civil disobedience: a differentiation between ‘‘Hactivists’’ based on target and message of web-site hacks. MSc thesis in investigative psychology, accepted by the Department of Psychology, The University of Liverpool; 2000.
Kjaerland M. A classification of computer security incidents based on reported attack data. Journal of Investigative Psychology and Offender Profiling 2005;2:105–20. ISSN: 1544-4759, http://www3.interscience.wiley.com/cgi-bin/jissue/110519535.
Landreth B. Out of the inner circle. Redmond: Microsoft Books; 1985.
Lemon D. Threat to computer systems & networks. Briefing to AIA Cyber Summit attendees. Kelly AFB, TX: Air Intelligence Center; 2000.
Levy S. Louis Guttman on theory and methodology: selected writings. Aldershot: Dartmouth; 1994.
Lingoes J. The multivariate analysis of qualitative data. Multivariate Behaviour Research 1969;3:61–4.
Lottor M. Internet domain survey, http://www.nw.com/zone/WWW; 1996.
Parker D. Fighting computer crime: a new framework for protecting information. New York: John Wiley & Sons, Inc.; 1998.
Power R. Current and future danger. Computer Security Institute; 1998.
Rogers M. International Crime Analysis Association. A new hacker taxonomy. Telematic Journal of Clinical Criminology, www.criminologia.org; http://www.criminologia.org/articoli/articoli_pdf/cybercriminologia_pdf/newhacker_taxonomy.pdf; 2000 [2003].
Rogers M. The role of criminal profiling in the computer forensics process. Computers & Security 2003;22(14):292–8.
Roskam EE, Lingoes JC. MINISSA-1: a FORTRAN IV (G) program for the smallest space analysis of square symmetric matrices. Behavioral Science 1970;15:204–5.
Salfati CG. Profiling homicide: a multidimensional approach. Homicide Studies 2000;4(3):265–93.
Salfati G. Offender interaction with victims in homicide: a multidimensional analysis of frequencies in crime scene behaviours. Journal of Interpersonal Violence 2003;18(5):490–512.
Santilla P, Junkkila J, Sandnabba K. Behavioural linking of stranger rapes. Journal of Investigative Psychology and Offender Profiling 2005;2:87–103. ISSN: 1544-4759, http://www3.interscience.wiley.com/cgi-bin/jissue/110519535.
Schultz E. The human factor in security. Computers & Security 2005;24(6):425–6.
Shimeall TJ, Dunlevy CJ, Williams P. Models of information security trend analysis. In: SPIE AeroSense law enforcement technologies conference, Orlando FL, April 2002. http://www.cert.org/archive/pdf/info-security.pdf; 2002 [2006].
Shye S. Theory construction and data analysis in the behavioral sciences. San Francisco: Jossey-Bass; 1978.
Shye S, Elizur D, Hoffman M. Introduction to facet theory: content design and intrinsic data analysis in behavioural research. London: Sage Publications; 1994.
Spence I. A Monte Carlo evaluation of three nonmetric multidimensional scaling algorithms. Psychometrika 1972;37:461–86.
Turvey B. Criminal profiling: an introduction to behavioral evidence analysis. New York: Academic Press; 1999.
United States General Accounting Office. Critical infrastructure protection: efforts of the financial services sector to address cyber threats. Report to the Subcommittee on Domestic Monetary Policy, Technology, and Economic Growth, Committee on Financial Services, House of Representatives. http://www.gao.gov/new.items/d03173.pdf; 2003.
Wagenaar WA, Padmos P. Quantitative interpretation of stress in Kruskal’s multidimensional scaling technique. British Journal of Mathematical and Statistical Psychology 1971;24:101–10.
Youngs D. Personality correlates of offence style. Journal of Investigative Psychology and Offender Profiling 2004;1:99–119, http://www3.interscience.wiley.com/cgi-bin/jissue/108560916 [2006].

Maria Kjaerland is currently completing her PhD in Risk Management and Societal Safety at the University of Stavanger, Norway. She is a member of the Nordic Network for research on Psychology and Law, and the Norwegian Honeynet Project. She received her BSc degree in Psychology from Royal Holloway, University of London, UK, in 1999, and her MSc degree in Investigative Psychology from the University of Liverpool, UK, in 2000. Kjaerland has experience as a senior advisor in information security and risk management.