
Cybercrimeology

Available episodes

5 of 123
  • Courses, Clicks and Consequences: Empiricizing Enterprise Security
    Episode Notes:
    Dr Ho describes an empirical research agenda focused on how security actually operates in organisations, and recounts what it took to get this research off the ground and run it inside a real enterprise.
    - Study setting and scope: an eight-month randomised controlled trial at UC San Diego Health involving ~19,500 employees and ten distinct phishing campaign lures.
    - Annual awareness training: the study found no significant relationship between how recently staff completed the mandated course and their likelihood of failing a simulated phishing campaign.
    - Embedded training (when someone clicks a phishing simulation and is immediately redirected to training): the measurable improvement was very small (≈2% reduction in failure rate) and varied significantly by lure and engagement.
    - Engagement challenge: the vast majority of embedded-training sessions were extremely short or incomplete, a key factor in explaining the limited effect size.
    - Variability of lure difficulty: some phishing lures elicited very low click rates (~1.8%) while others reached ~30.8%, indicating that the phishing stimulus matters as much as, or more than, the training intervention.
    - Practical takeaway: organisations should treat training (especially annually mandated modules) as only one part of a broader defence strategy, and design empirical measurement systems (including controls, realistic lures, and sustained engagement) before assuming large effect sizes.
    About our Guest:
    Dr Grant Ho
    Profile: https://cs.uchicago.edu/people/grant-ho/
    Papers or resources mentioned in this episode:
    Ho, G.; Mirian, A.; Luo, E.; Tong, K.; Lee, E.; Liu, L.; Longhurst, C.A.; Dameff, C.; Voelker, G.M. (2025). Understanding the Efficacy of Phishing Training in Practice: A Randomized Controlled Trial at a Large Health Organisation. Presented at the IEEE Symposium on Security & Privacy (May 2025).
    Full PDF: https://people.cs.uchicago.edu/~grantho/papers/oakland2025_phishing-training.pdf
    Other:
    I mentioned some figures about the spending on cybersecurity education and training. You can find those here:
    Canadian Survey of Cyber Security and Cybercrime (CSCSC): https://www23.statcan.gc.ca/imdb/p2SV.pl?Function=getSurvey&SDDS=5244
    Convenient Excel tables of the statistics from 2017 and 2019: https://www.serene-risc.ca/en/statistics-canada
    Other Other:
    Dr Ho was great to chat with and has a long history of researching phishing. Some of his older work is more technical in nature, so we didn't talk about it in the episode, but in case it might be interesting to you, here are some links:
    Ho, G., Sharma, A., Javed, M., Paxson, V., & Wagner, D. (2017). Detecting Credential Spearphishing Attacks in Enterprise Settings. In Proceedings of the 26th USENIX Security Symposium (USENIX Security ’17), Vancouver, BC, Canada, August 16-18, 2017. USENIX Association. ISBN 978-1-931971-40-9.
    PDF: https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-ho.pdf
    Presentation page: https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/ho
    Ho, G., Cidon, A., Gavish, L., Schweighauser, M., Paxson, V., Savage, S., Voelker, G. M., & Wagner, D. (2019). Detecting and Characterizing Lateral Phishing at Scale. In Proceedings of the 28th USENIX Security Symposium (USENIX Security ’19), Santa Clara, CA, USA, August 14-16, 2019. USENIX Association. ISBN 978-1-939133-06-9.
    PDF: https://www.usenix.org/system/files/sec19-ho.pdf
    Presentation page: https://www.usenix.org/conference/usenixsecurity19/presentation/ho
    --------  
    1:04:28
  • The many minds of MITRE: building multidisciplinary human insider-risk research
    Trigger warning: This episode includes discussion of suicide in the context of researching measurable predictive indicators and the lack thereof in the context of cyber.
    Episode Notes
    - Dr Caputo's path from social psychology to applied security, including intelligence analysis and building a behavioural-science team at MITRE.
    - What MITRE is: a not-for-profit operating six federally funded R&D centres that provide independent, public-interest research alongside government.
    - Why early “indicator” hunting on endpoints often chased the last bad case; shifting to experiments and known-bad/created-bad data to learn patterns of behaviour change.
    - The LinkedIn recruiter field experiment: ethically approved creation of recruiter personas, staged outreach in three messages, and follow-up interviews to understand reporting barriers.
    - What user-activity monitoring can and cannot tell you; the role of human judgement and programme design.
    - Insider risk is not only “malicious users”: designing programmes for negligent, mistaken or outsmarted behaviours as well.
    - Current lines of work include improving employee recognition and reporting of malicious elicitations and exploring whether insider-risk telemetry offers early signals of suicide risk.
    - Why multidisciplinary teams beat solo efforts in insider-risk operations.
    About our guest:
    Dr. Deanna D. Caputo
    MITRE Insider Threat Research & Solutions profile: https://insiderthreat.mitre.org/dr-caputo/
    LinkedIn: https://www.linkedin.com/in/dr-deanna-d-caputo
    Papers or resources mentioned in this episode:
    Caputo, D. D. (2024). Employee risk recognition and reporting of malicious elicitations: Longitudinal improvement with new skills-based training. Frontiers in Psychology. https://www.frontiersin.org/journals/psychology/articles/10.3389/fpsyg.2024.1410426/full
    MITRE Insider Threat Research & Solutions. (2025). Suicide risk and insider-risk telemetry overview. https://insiderthreat.mitre.org/suicide-risk/
    MITRE. (2024). Managing insider threats is a team sport. https://www.mitre.org/news-insights/impact-story/managing-insider-threats-team-sport
    MITRE Insider Threat Research & Solutions. (2024). Capability overview two-pager (PDF). https://insiderthreat.mitre.org/wp-content/uploads/2024/06/MITREInTResearchSolutions-CapabilityTwoPager-24-0659_2024-02-01.pdf
    MITRE Insider Threat Research & Solutions. (2024). Insider Threat Behavioural Risk Framework two-pager (PDF). https://insiderthreat.mitre.org/wp-content/uploads/2024/06/MITREInTResearchSolutions-InTFramework_TwoPager-24-0674_2024-03-18.pdf
    --------  
    44:11
  • Follow the Honey: Experiments in Cybercriminal Decision-Making
    Show Notes:
    - Daniëlle began her academic path in psychology, later moving into criminology through her interest in decision making and online behaviour.
    - Her PhD research at NSCR focuses on cybercriminal decision making, using honeypots and experiments in real online environments.
    - Early experiments tested how different rewards affected access attempts on fake accounts.
    - A major focus has been on the impact of Operation Cookie Monster (2023), which disrupted the Genesis Market. Danielle’s work examined how this law enforcement operation influenced behaviour and moderation practices on hacker forums.
    - She emphasizes the value of experiments in the field, which allow researchers to test criminological theories with live offender behaviour, while balancing strict ethical and legal safeguards.
    About our guest:
    Danielle Stibbe
    NSCR Profile Page: https://nscr.nl/en/medewerker/danielle-stibbe-msc/
    Google Scholar: https://scholar.google.com/citations?user=1fsHJEgAAAAJ&hl=en
    LinkedIn: https://www.linkedin.com/in/danielle-stibbe/?originalSubdomain=nl
    Papers or resources mentioned in this episode:
    Onaolapo, J., Mariconti, E., & Stringhini, G. (2016). What happens after you are pwnd: Understanding the use of leaked webmail credentials in the wild. Proceedings of the 2016 Internet Measurement Conference. https://doi.org/10.1145/2987443.2987475
    Europol (2023). Operation Cookie Monster: Genesis Market taken down in coordinated international action. https://www.europol.europa.eu/media-press/newsroom/news/operation-cookie-monster-genesis-market-taken-down-in-coordinated-international-action
    Oxford Handbook of Criminal Decision Making (2016). Eds. Bruinsma & Weisburd. Oxford University Press.
    Other:
    The Open Science Framework: https://osf.io
    --------  
    30:54
  • Crime Online: Hashtag Like and Subscribe, or don't
    Episode Notes
    About our guest:
    Dr. Francesco Carlo Campisi
    PhD in Criminology, Université de Montréal
    Researcher, International Centre for Comparative Criminology
    🔗 https://www.cicc-iccc.org/fr/personnes/etudiants-supervises/carlo-campisi
    🔗 https://www.linkedin.com/in/francesco-carlo-campisi-aa3576125/
    Topics discussed in this episode:
    - From street gangs to digital deviance: a research trajectory
    - Why “recruitment” doesn’t fit how modern movements grow
    - How groups like QAnon and Anonymous influence participation online
    - Using social media metrics to measure engagement
    - Emotional capital, visibility, and symbolic participation
    - Updating resource mobilization theory for digital contexts
    - Hashtag hijacking and online visibility strategies
    - Stochastic terrorism and the challenge of lone-wolf violence
    Papers or resources mentioned in this episode:
    Campisi, F. (2024). Unveiling the digital underworld – Exploring cyberbanging and recruitment of Canadian street gang members on social media. Canadian Journal of Criminology and Criminal Justice, 66. https://doi.org/10.3138/cjccj-2023-0033
    Campisi, F., Fortin, F., & Néron, M.-E. (2022). Hacktivists from the inside: Collective identity, target selection and tactical use of media during the Quebec Maple Spring protests. Presented at the ICCC Symposium. Available on ResearchGate.
    Campisi, F., & Beauregard, E. (2025). QAnon’s use of hashtag hijacking on X and its impact on online engagement. SSRN preprint. Link
    McCarthy, J. D., & Zald, M. N. (1977). Resource mobilization and social movements: A partial theory. American Journal of Sociology, 82(6), 1212–1241.
    Vigil, J. D. (1988). Barrio gangs: Street life and identity in Southern California. University of Texas Press. https://www.ojp.gov/ncjrs/virtual-library/abstracts/barrio-gangs-street-life-and-identity-southern-california-0
    Other:
    If you are curious about the video that was taken down, you should watch this video: https://www.youtube.com/watch?v=PIyrzMThHq8
    --------  
    29:54
  • The Human in_security - deception, weapons, crime & culture
    About our guest:
    Dr. Iain Reid
    Senior Lecturer in Cybercrime, University of Portsmouth
    https://www.port.ac.uk/about-us/structure-and-governance/our-people/our-staff/iain-reid
    Topics discussed in this episode:
    - How principles of military deception map onto cybersecurity
    - Why the phrase “the human is the weakest link” oversimplifies risk
    - What it’s like to research developer perspectives on secure software
    - The psychology of decision-making in phishing attacks
    - How time pressure influences risky digital behaviour
    - The limits of “security culture” as an organizational solution
    - How cyber deception fits within defence-in-depth
    Papers or resources mentioned:
    Reid, I., Okeke-Ramos, A., & Serafin, M. (2024). Exploring the ethics of cyber deception technologies for defensive cyber deception. In P. Bednar, J. Kävrestad, E. Bergström, M. Rajanen, H. V. Hult, A. M. Braccini, A. S. Islind, & F. Zaghloul (Eds.), Proceedings of the 10th International Conference on Socio-Technical Perspectives in Information Systems (STPIS 2024) (pp. 140-148). CEUR Workshop Proceedings. https://ceur-ws.org/Vol-3857
    Whaley, B. (2007). Stratagem: deception and surprise in war. Artech.
    Rowe, N.C., Rrushi, J. (2016). Measuring Deception. In: Introduction to Cyberdeception. Springer, Cham. https://doi.org/10.1007/978-3-319-41187-3_11
    Ashenden, D., Ollis, G., & Reid, I. (2022, October). Dancing, not Wrestling: Moving from Compliance to Concordance for Secure Software Development. In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering (pp. 1-9).
    Paris Call for Trust and Security in Cyberspace: https://pariscall.international
    Other
    I would like to thank Dudley the French Bulldog for the invaluable (unavoidable) contribution to this episode.
    --------  
    27:37
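The practical takeaway of the phishing-training episode above, that an intervention's effect must be measured against a control before a large effect size is assumed, can be made concrete with a small calculation. The block below is an added example and is not code from the paper or the podcast. The campaign counts in it are constructed, and the statistics it uses (a pooled two-proportion z-test and a normal-approximation sample-size formula) are this example's own choice, not the study's analysis. It shows why the same 2-percentage-point reduction in failure rate is distinguishable from noise at one scale and not at another, and roughly how many exposed employees per arm such a small effect needs.

```python
"""Evaluating a phishing-simulation intervention against a control group.

Added example (not the paper's or the podcast's code). Campaign counts are
constructed; the pooled two-proportion z-test and the normal-approximation
sample-size formula are this example's choices, not the study's methods.
"""
import math
from dataclasses import dataclass
from statistics import NormalDist
from typing import Tuple


@dataclass(frozen=True)
class Arm:
    """One arm of the experiment: employees who received a lure, and how many failed."""
    name: str
    exposed: int   # employees who received the simulated phishing email
    failed: int    # employees who clicked / entered credentials

    @property
    def rate(self) -> float:
        return self.failed / self.exposed


def two_proportion_z(control: Arm, treatment: Arm) -> Tuple[float, float]:
    """Pooled two-proportion z-test; returns (z, two-sided p-value).

    Edge case: if nobody fails in either arm the pooled variance is zero and
    there is nothing to test, so report z = 0, p = 1 instead of dividing by zero.
    """
    pooled = (control.failed + treatment.failed) / (control.exposed + treatment.exposed)
    se = math.sqrt(pooled * (1 - pooled) * (1 / control.exposed + 1 / treatment.exposed))
    if se == 0.0:
        return 0.0, 1.0
    z = (control.rate - treatment.rate) / se
    p = 2 * (1 - NormalDist().cdf(abs(z)))
    return z, p


def evaluate(control: Arm, treatment: Arm, alpha: float = 0.05) -> dict:
    """Summarise the intervention effect and whether it is distinguishable from noise."""
    z, p = two_proportion_z(control, treatment)
    absolute = control.rate - treatment.rate
    return {
        "control_rate": control.rate,
        "treatment_rate": treatment.rate,
        "absolute_reduction": absolute,
        "relative_reduction": absolute / control.rate if control.rate else 0.0,
        "z": z,
        "p_value": p,
        "significant": p < alpha,
    }


def min_exposed_per_arm(p0: float, p1: float, alpha: float = 0.05, power: float = 0.8) -> int:
    """Normal-approximation sample size per arm to detect a drop from p0 to p1 (two-sided)."""
    nd = NormalDist()
    z_alpha = nd.inv_cdf(1 - alpha / 2)
    z_beta = nd.inv_cdf(power)
    p_bar = (p0 + p1) / 2
    numerator = (z_alpha * math.sqrt(2 * p_bar * (1 - p_bar))
                 + z_beta * math.sqrt(p0 * (1 - p0) + p1 * (1 - p1))) ** 2
    return math.ceil(numerator / (p0 - p1) ** 2)


# Constructed campaign results (not the study's data): a 10% -> 8% failure rate,
# i.e. the same 2-percentage-point absolute reduction, observed at two scales.
LARGE_CONTROL = Arm("control", exposed=2000, failed=200)
LARGE_TREATMENT = Arm("embedded-training", exposed=2000, failed=160)
SMALL_CONTROL = Arm("control", exposed=200, failed=20)
SMALL_TREATMENT = Arm("embedded-training", exposed=200, failed=16)

if __name__ == "__main__":
    for label, c, t in (("large", LARGE_CONTROL, LARGE_TREATMENT),
                        ("small", SMALL_CONTROL, SMALL_TREATMENT)):
        r = evaluate(c, t)
        print(f"{label}: {r['control_rate']:.1%} -> {r['treatment_rate']:.1%}, "
              f"p={r['p_value']:.3f}, significant={r['significant']}")
    print("exposed per arm needed to detect 10% -> 8%:", min_exposed_per_arm(0.10, 0.08))
```

With 2,000 exposed employees per arm the 2-point drop is significant at the 5% level; with 200 per arm the identical drop is indistinguishable from chance, and the sample-size estimate shows that a few thousand exposures per arm are needed before an effect of that size can be claimed at all. Per-lure click rates vary so widely that the comparison should also be made lure by lure, with a control arm in every campaign rather than a single before-and-after measurement.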


About Cybercrimeology

Cybercrimeology is a podcast about cybercrime, its research and its researchers. We talk to top researchers from around the world to learn about different forms of cybercrime and their research. We learn about cybercrime theory, organized crime online, Darknet drug markets, cybercrime awareness and crime prevention, technology-facilitated intimate partner violence and much more. The podcast has been running since November of 2019 and there is still so much to learn. I am happy to have you along for the journey into this fascinating subject.

Generated: 11/11/2025 - 8:45:38 PM