A Psychological Approach to Information Security
Information systems are composed of four main portions: people, information, appliances and facilities. These four portions are called information assets. Information security protects information assets and keeps them safe from the viewpoint of confidentiality, integrity and availability (CIA).
Recently, cyber-attacks on people in specific organizations have come to be called advanced persistent threats (APT) or targeted attacks. APT attacks exploit the weaknesses of people described by psychology and behavioral science; they are not technical attacks.
Kevin Mitnick, the most competent and most famous attacker of people, says in his book: “Security is not a technology problem. It is a human and management problem.”
By using knowledge of psychology, behavioral science and criminology, attackers attack people and achieve their purposes. The targets of these attacks are not only the direct objects, namely the theft or destruction of information, but also indirect objects: obtaining the information necessary to achieve the goal.
Sun Tzu, a Chinese military general, strategist and philosopher said “If you know your enemies and know yourself, you can win a hundred battles without a single loss”.
Attackers and victims are classified into people, appliances (hardware and software) and hybrids (people and appliances).
The methods of attackers for each type of attack, and cases of such attacks, are classified in this paper.
Some organizations are beginning to use the elements of games and competitions to motivate employees and customers. This is known as gamification: the application of game elements and digital game design techniques to non-game problems, such as business and social impact challenges.
Gamification is very useful for information security awareness training, I believe.
This paper attempts to classify and systematize attackers, victims and the methods of attacks by means of psychology, behavioral science, criminal psychology and cognitive psychology. I have proposed some ideas for information security education, training and awareness using the findings of psychology and behavioral science.
Keywords: Information security; Psychology; Social engineering; Deception
This research of the Information Security Psychology study group has been supported by a grant from the Japanese Psychological Association since 2011.