Are previous breaches a factor?
What are the top solutions CIOs and IT managers need to know to educate the highly educated and defend against cybercrimes such as phishing? In our conclusion we find that the key may be in raising situational awareness through education.
As this chart shows there are serious cybercrime victimization rates nine times higher within the highly educated.
Why is there such a disparity between the book smart and the street smart? Could doctoral graduates have been put at risk by the tremendous concentration of successful data breach attacks focused on the dot-edu community?
In the first book smart article, we looked at the possibility of a simple invulnerability attitude contributing as a cause. In our second book smart article, we looked at the data behind the mobile lifestyle and even offered that the high number of social network connections in countries with new Internet access may be a factor.
As we conclude our three part series on book smart versus street smart, one final theory: What about previous data breaches?
Book smart: Are dot-edu data breaches responsible?
As San Diego State University President Stephen Weber related in 2009, universities hold the records of hundreds of thousands of past and present students. He also related that sometimes SDSU sees over 300,000 attacks per hour on a single system.
Could the common thread for highly educated doctoral graduates be that their risk factor is higher because their personal data has been held at multiple educational facilities which have been a higher priority target for cybercriminals? Worse, could the educational sector to be seen as an indicator species like the "spotted owl" with direct timeline relation to total records now breached? And finally, how do we solve all of this?
Hard numbers for a hard problem
There appears to be strong correlation to the amount of specific student records compromised, and perhaps the risks increase for those who have attended multiple educational facilities. One study performed in 2008 puts numbers on this theory:
Education-related organizations reported more than 12.4 million student and consumer profiles have been compromised in 324 breach incidents, which account for more than 25 percent of all profiles compromised through "typical" information security breaches.
Institutes of higher education account for 79 percent of all education-related breach incidents and for 78 percent of all of the compromised consumer profiles reported by education sector.
Basic criminology: Thieves go where the money is.
I have no doubt that there are massive cyberthreats – organized and directed against every digital bit and byte which holds intellectual property, classified, sensitive, or even simply identity-rich information. As one FBI agent in Cyber Crimes has put it, "we have lost the war [in cyber-espionage] and need to gain back ground."
Today we have examined evidence which suggests that broader cybercrime efforts result in increased success with higher education levels. This does not necessarily mean that doctoral graduates are targeted because of their education, rather they may have become more vulnerable because of where they studied – combined with earlier successful data breaches.
If data breaches are, in fact, the true reason behind the disparity, then it can be somewhat seen as the harbinger of doom for all data breach victims (900 million records lost as of 2010) and education against this threat must be taken much more seriously.
Three theories for increased book smart cybercrime vulnerability
The three main reasons we see for book smart victimization being nine times higher than a high school dropout:
- The bulletproof monk attitude of invulnerability listed in our first part.
- Increased computer interactions due to a mobile lifestyle and the growth of Internet Communication Technology (ICT) in developing nations.
- Previous educational sector data breaches.
Any or all of these three factors contribute towards a perfect storm scenario for the book smart.
How do we answer this challenge? The most effective methods include public-private partnerships, known as the P3, and are what form the backbone of Securing Our eCity which recently tied for a win for the best community plan in the 2010 DHS Nationwide Cybersecurity Awareness Challenge.
One part of this partnership is business-related and involves education of the enterprise.
The CIO's hardest task: Raising organizational situational awareness
For now, IT managers and CIOs should become well aware of the risk factors and that no level of formal education provides immunization from phishing or other head games the cybercriminals may try.
The irony of our time is that the most vulnerable in our society at this moment are the most learned.
Situational awareness, not education, has been defined as the primary determining factor in whether or not someone becomes a preventable victim of cybercrime. In fact, that single factor is a standout phrase (Sec. 301) within new legislation such as the tri-partisan Senate Bill 3480 introduced in June. Situational awareness...
"involves being aware of what is happening around you to understand how information, events, and your own actions will impact your goals and objectives both now and in the near future."
Providing metrics in how situational awareness has accurately been affected through educational initiatives will require CIO and HR/training interaction, and we provide solutions for IT managers and CIOs to consider at the end of this article.
The other side of P3, the public sector assistance, has also been rallied toward finding solutions. In this case, legislation has been hard-pressed for proactive solutions. Some of the 40 acts are listed here in summary.
Your government: Here to help
Recent legislation such as House Resolution 4061, Senate Bill 773 (aka the Rockefeller-Snowe Bill) and Senate Bill 3480 (aka the Kill Switch Bill) attempt to address this gap in cyber-education with oversight from K-12 curriculum upwards through all levels of academia and encompassing every single federal agency employee top to bottom. One such legislative attempt comes from SB 3480 Sec. 406(b)3(a):
The secretary of education, in coordination with the [director being proposed under the same SB 3480] director of the National Center for Cybersecurity and Communications, shall develop curriculum standards and guidelines to address cyber safety, cybersecurity, and cyber ethics for all students enrolled in undergraduate, graduate, vocational, and technical institutions in the United States"
This approach would provide a standardized cyber-educational approach and hopefully address this gap now found in higher education strata. It would also lay a framework of protection for those who may be right behind the highly educated in the "to-do" list of cybercriminals holding nearly one billion breached records.
Finally: Solutions for book smart vulnerability
- Fact: these three book smart causal factors are outside the control of any CIO.
- Theory: The key is using education to raise the situational awareness.
- Challenge: Proving the effectiveness of your user education approach through some sort of metrics.
One example of effective user education in situational awareness comes from the APWG's Public Education Initiative:
Phishing and crimes that leverage it exploit a small number of transactional exposures, the most obvious being the capture (and criminal abuse) of online user credentials. PEI seeks to provide focused and most exposure-relevant instruction wherever and whenever possible to help consumers and enterprise users protect themselves and minimize the number of vulnerabilities that electronic crime gangs can count on being able to abuse.
As ESET became more involved in cybercrime research, Ponnurangam Kumaraguru, one of APWG's key anti-phishing educational researchers, visited ESET in 2009. His words to me about the effectiveness of the teachable moment in anti-phishing education echoed what my mom and dad, both lifelong teachers in California, have told me about educating people – if learners have been emotionally tied to an experience, right then is the best time for them to learn. The educators eternal challenge is always to provide that experience.
One of Kumaraguru's projects, which captures the teachable moment and provides metrics around anti-phishing education, is PhishGuru:
PhishGuru's simulated phishing emails create a unique teachable moment where employees that fall for the attack are provided with immediate training. The training is presented in the form of a fun and effective cartoon that teaches employees how to avoid falling victim to similar phishing attacks in the future.
Taking a closer look at the raw data of the ESET study located here and using the SOeC resources for your own company's cyber-education plan can aid you in beating the knowing/doing gap which victimizes your company's greatest knowledge resources. Building the effective partnerships between the IT department, the HR department and the training departments of your company will provide an effective and consistent model for moving forward.