
Cybercrimeology


Available episodes

5 of 116
  • DeReact, DeFatigue and Deceive: Psychology for Better Cybersecurity Design
    Episode Notes:
      • Dr. Reeves’ Background – Trained as a psychologist, his interest in cybersecurity emerged from a talk connecting human error to security breaches.
      • Cybersecurity Fatigue Defined – A form of disengagement where employees lose motivation to follow security practices due to overload and conflicting advice.
      • Not Just Apathy – Fatigue often affects people who initially cared about cybersecurity but were worn down by excessive or ineffective interventions.
      • Training Shortcomings – Lecture-style, one-way training is frequently perceived as boring, irrelevant, or contradictory to users' experiences.
      • Compliance vs. Effectiveness – Many organizations implement security training to meet legal requirements, even if it fails to change behavior.
      • Reactance in Security – Users may intentionally ignore advice or rules to assert control, especially when training feels micromanaging or patronizing.
      • Better Through Design – Reeves argues that secure systems should reduce the need for user decisions by simplifying or removing risky options altogether.
      • Remove Rather Than Train – Limiting administrative rights is often more effective than trying to educate users out of risky behaviors.
      • Mismatch With Reality – Generic training that conflicts with real policies or system restrictions can confuse or alienate users.
      • Cognitive Load and Decision-Making – Under stress or fatigue, users rely on mental shortcuts (heuristics), which attackers exploit.
      • Personal Example of Being Fooled – Reeves recounts nearly falling for a scam due to time pressure, illustrating how stress weakens judgment.
      • Cybersecurity Buddy System – Recommends encouraging users to consult peers when making sensitive decisions, especially under pressure.
      • Cyber Deception Strategies – Reeves now researches ways to mislead and trap attackers inside systems using decoys and tripwires.
      • Applying Psychology to Attackers – The same behavioral models used to study users can help predict and manipulate attacker behavior.
      • Empowering Defenders – Deception technologies can help security teams regain a sense of agency, shifting from reactive defense to proactive engagement.
    About our guest:
      Dr. Andrew Reeves
      https://www.linkedin.com/in/andrewreevescyber/
      https://research.unsw.edu.au/people/dr-andrew-reeves
      https://www.unsw.edu.au/research/ifcyber
    Papers or resources mentioned in this episode:
      • Reeves, A., Delfabbro, P., & Calic, D. (2021). Encouraging employee engagement with cybersecurity: How to tackle cyber fatigue. SAGE Open, 11(1). https://doi.org/10.1177/21582440211000049
      • Reeves, A., Calic, D., & Delfabbro, P. (2023). Generic and unusable: Understanding employee perceptions of cybersecurity training and measuring advice fatigue. Computers & Security, 128, 103137. https://doi.org/10.1016/j.cose.2023.103137
      • Reeves, A., & Ashenden, D. (2023). Understanding decision making in security operations centres: Building the case for cyber deception technology. Frontiers in Psychology, 14, 1165705. https://doi.org/10.3389/fpsyg.2023.1165705
    Other:
      • UNSW Institute for Cyber Security (IFCYBER) https://www.unsw.edu.au/research/ifcyber
    --------  
    38:32
  • Wake up Calling: Impacting businesses by communicating cybersecurity risk
    Episode Notes
      • SMEs struggle with cybersecurity due to time, cost, and lack of expertise, despite recognizing its importance.
      • An automated cybersecurity scan was developed to assess SME websites and email security without requiring them to opt-in.
      • Physical reports were mailed instead of emailed to avoid phishing concerns and increase credibility.
      • Reports included security ratings on ten key areas and recommendations for improvement.
      • Businesses were encouraged to consult their existing IT providers for fixes rather than relying on external services.
      • Different risk communication strategies were tested to encourage SMEs to act on the findings.
      • “Anticipated Regret” messaging (“Fix it now or regret it later”) led to the highest cybersecurity improvements.
      • All groups, including the control group, showed some improvement, suggesting broader awareness of cybersecurity issues.
      • Engagement was low, with only a small number of businesses reaching out after receiving the report.
      • Legal concerns about scanning businesses without consent were addressed—publicly available cybersecurity data can be legally assessed.
      • Ethical approval confirmed the project was non-commercial and aimed solely at helping businesses improve security.
      • A follow-up version of the project will introduce an opt-out option before scanning businesses.
      • Industry associations may partner with the project to increase credibility and adoption.
      • The intervention will be scaled up, with more businesses included and a longer time frame for assessing impact.
      • Future plans include adapting the intervention internationally, using lessons learned to assist SMEs in other regions.
    About Our Guest
      Dr. Susanne van ’t Hoff-de Goede
      https://www.linkedin.com/in/susanne-van-t-hoff-de-goede/
      https://www.thuas.com/research/centre-expertise/team-cyber-security
    Resources and Research Mentioned
      • Examining Ransomware Payment Decision-making Among SMEs. Matthijsse, S. R., Moneva, A., van ’t Hoff-de Goede, M. S., & Leukfeldt, E. R. European Journal of Criminology.
      • Explaining Cybercrime Victimization Using a Longitudinal Population-based Survey Experiment. van ’t Hoff-de Goede, M. S., van de Weijer, S., & Leukfeldt, R. Journal of Crime and Justice, 47(4), 472-491 (2024).
      • How Safely Do We Behave Online? An Explanatory Study into the Cybersecurity Behaviors of Dutch Citizens. van der Kleij, R., van ’t Hoff-de Goede, S., van de Weijer, S., & Leukfeldt, R. In: International Conference on Applied Human Factors and Ergonomics (2021), pp. 238-246.
      • The Online Behaviour and Victimization Study. van ’t Hoff-de Goede, M. S., Leukfeldt, E. R., van der Kleij, R., … In: Cybercrime in Context: The human factor in victimization, offending, and … (2021).
    Other
      • Dutch Government Cybersecurity Resource: https://english.ncsc.nl (English-language site for the Netherlands’ National Cyber Security Centre)
      • Secure Internetting (in Dutch): https://veiliginternetten.nl/
    --------  
    21:52
  • Anomie.exe: Geography, Strain and the Motivated Cyber Offender
    Episode Summary (Dot Points)
      • Understanding Cybercrime through Strain and Anomie Theories
        • Dr. Dearden explains how strain theory and anomie theory provide insights into cybercriminal motivations.
        • Discussion on economic and social pressures that push individuals toward cybercrime, including unemployment, inequality, and lack of upward mobility.
      • The Role of Honeypots in Cybercrime Research
        • Overview of honeypots—deceptive systems designed to attract cyber attackers.
        • How honeypots help researchers observe and analyze hacker behaviors in real-world settings.
        • Differences in hacking techniques and motivations across different regions.
      • Regional Variations in Cybercriminal Activities
        • Why cybercrime is not uniformly distributed worldwide despite the internet being a global network.
        • Case studies on West African romance scams, Russian cyber operations, and Indian call center frauds.
        • The interplay between legitimate and illegitimate economies in cybercrime hotspots.
      • Cybercrime and Economic Opportunity
        • Findings from recent research on how financial strain vs. greed influences cybercrime.
        • The role of cryptocurrency in enabling financial cybercrimes and providing anonymity to offenders.
        • Discussion on how cybercrime prevention strategies need to address offender motivations, not just security vulnerabilities.
      • Future Research and Policy Implications
        • The need for broader, structural changes to mitigate cybercrime, rather than relying solely on reactive security measures.
        • How cross-national studies and criminological data collection can improve cybercrime prevention strategies.
        • Upcoming projects on measuring cyber-offending patterns and regional differences in hacking behavior.
    About Our Guest
      Dr. Thomas Dearden
      https://liberalarts.vt.edu/departments-and-schools/department-of-sociology/faculty/thomas-dearden.html
    Papers and Resources Mentioned in This Episode
      • Dearden, T. E., & Gottschalk, P. (2024). Convenience Theory and Cybercrime Opportunity: An Analysis of Online Cyberoffending. Deviant Behavior. DOI Link
      • Parti, K., & Dearden, T. (2024). Cybercrime and Strain Theory: An Examination of Online Crime and Gender. International Journal of Criminology and Sociology. https://doi.org/10.6000/1929-4409.2024.13.19
      • Dearden, T. E., Parti, K., & Hawdon, J. (2022). Institutional Anomie Theory and Cybercrime: Cybercrime and the American Dream. Journal of Contemporary Criminal Justice. https://doi.org/10.1177/10439862211001590
    Related Episodes Featuring Dr. Dearden
      • Episode 39: Strained Dreams: Cybercrime and Institutional Anomie https://www.cybercrimeology.com/episodes/strained-dreams-cybercrime-and-institutional-anomie
    Other:
      • The Human Factors in cybercrime Conference: https://www.hfc-conference.com
      • We had a chat in a room with a bunch of people just outside having their own great conversations. Kind of nice to get a little bit of that vibe into the mix. Conferences can be a lot of fun ;)
      • To the best of my knowledge, no bovines were harmed during the recording of this episode.
    --------  
    22:00
  • The Ethical Hacker Pathway: Exploring Positive Cyber Behavior
    Key Points Discussed:
      • Defining Ethical Hacking: Ethical hackers use their skills to identify and report vulnerabilities, often to enhance cybersecurity in various capacities, including voluntary work, bug bounty programs, or professional roles.
      • Research Focus: Dr. Weulen Kranenbarg’s studies highlight a significant overlap between positive and negative cyber behaviors, particularly among IT students, and explore how individuals transition toward ethical hacking.
      • Ethical Hacking as a Pathway:
        • Early positive experiences, such as reporting vulnerabilities to schools or organizations, can strongly influence individuals toward ethical hacking.
        • Responses from organizations play a critical role—positive reinforcement encourages further ethical behavior, while negative experiences can deter individuals.
      • Challenges in Defining Ethics:
        • Ethical hackers themselves debate the boundaries of what constitutes ethical behavior, such as whether making vulnerabilities public is acceptable if organizations fail to act.
        • The term "ethical hacker" is often contentious within the community.
      • Role of Education: Schools struggle to address and guide ethical behavior among IT students effectively. Clear vulnerability disclosure policies and ethics education in IT programs are crucial.
      • Future Research Directions: Dr. Weulen Kranenbarg plans to conduct life-history interviews with hackers to better understand their pathways and influences toward ethical behavior.
    About our Guest:
      Dr Marleen Weulen Kranenbarg
      https://research.vu.nl/en/persons/marleen-weulen-kranenbarg
    Papers or Resources Mentioned:
      • Weulen Kranenbarg, M. (2018). Cyber-offenders versus traditional offenders: An empirical comparison. Vrije Universiteit Amsterdam. Retrieved from https://research.vu.nl/en/publications/cyber-offenders-versus-traditional-offenders-an-empirical-comparison
      • Weulen Kranenbarg, M., Ruiter, S., & Nieuwbeerta, P. (2018). Cyber-offending and traditional offending over the life-course: An empirical comparison. Crime & Delinquency, 64(10), 1270–1292. https://doi.org/10.1177/0011128718763134
      • Weulen Kranenbarg, M., Holt, T. J., & van Gelder, J.-L. (2021). Contrasting cyber-dependent and traditional offenders: A comparison on criminological explanations and potential prevention methods. In J. van Gelder, H. Elffers, D. Reynald, & D. Nagin (Eds.), Routledge International Handbook of Criminology and Criminal Justice Studies (pp. 234–249). Routledge. Retrieved from https://research.vu.nl/en/publications/contrasting-cyber-dependent-and-traditional-offenders-a-compariso
      • Weulen Kranenbarg, M., & Noordegraaf, J. (2023). Why do young people start and continue with ethical hacking? A qualitative study on individual and social aspects in the lives of ethical hackers. Criminology & Public Policy, 22(3), 465–490. https://doi.org/10.1111/1745-9133.12640
    Additional Resources:
      • Capture the Flag (CTF) events:
        • Hack the Box - A popular online platform offering a variety of CTF challenges to test and improve cybersecurity skills. https://www.hackthebox.com
        • NorthSec - A popular in-person CTF competition designed for everyone excited about cybersecurity. https://nsec.io
      • Bug Bounty Programs:
        • HackerOne - A leading bug bounty platform connecting ethical hackers with organizations to find and fix vulnerabilities. https://www.hackerone.com
        • Bugcrowd - A platform that hosts bug bounty programs for a wide range of companies and industries. https://www.bugcrowd.com
    --------  
    23:21
  • Building the Basics: Preparing Officers for the Present and Researching Training for the Future
    About Our Guest:
      Dr. Tom Holt
      https://cj.msu.edu/directory/holt-tom.html
    Key Topics Discussed:
      • Dr. Tom Holt emphasized the urgent need for consistent and evidence-based cybercrime training in law enforcement, pointing out disparities in how local agencies handle these crimes.
      • He highlighted the challenges agencies face in responding to cyber-enabled and cyber-dependent crimes, particularly in rural areas.
      • Dr. Holt discussed the development of training modules covering both basic digital evidence handling and specialized topics tailored to agency needs.
      • The conversation underscored the importance of bridging resource gaps between rural and urban agencies.
      • Dr. Holt explained how police leadership’s support is crucial for improving the adoption and effectiveness of training programs.
      • The prevalence of interpersonal cybercrimes like sextortion and fraud, often encountered by local officers, was addressed.
      • Dr. Holt elaborated on long-term evaluation plans for these training programs, aiming to measure their impact on officers and agencies.
      • He also discussed the potential for a national standard curriculum to bring consistency to cybercrime training across the U.S.
    Papers and Resources Mentioned:
      • Articles on the Training Center Initiative:
        • Cybercrime Training at MSU – https://cj.msu.edu/community/cyber-center/cyber-center-home.html
        • Program announcement - https://msutoday.msu.edu/news/2024/msu-receives-$1M-to-create-center-for-cyber-security-training
    Other:
      • This episode was recorded on location at HEC Montreal. The occasional background noise from students only adds to the vibrant atmosphere of the discussion. So you can’t complain about the noise being distracting, consider it an authentic experience!
    --------  
    25:05


About Cybercrimeology

Cybercrimeology is a podcast about cybercrime, its research and its researchers. We talk to top researchers from around the world to learn about different forms of cybercrime and their research. We learn about cybercrime theory, organized crime online, Darknet drug markets, cybercrime awareness and crime prevention, technology-facilitated intimate partner violence and much more. The podcast has been running since November of 2019 and there is still so much to learn. I am happy to have you along for the journey into this fascinating subject.
v7.15.0 | © 2007-2025 radio.de GmbH
Generated: 4/22/2025 - 4:14:21 AM