How digital footprints can make us vulnerable to cyber crime

RESEARCH REPORT | www.nccgroup.com

Paul Vlissidis, Co-founder of NCC Group’s Technical Security Consulting division, Senior Advisor, NCC Group
Matt Lewis, Commercial Research Director, NCC Group
Dr. John Blythe, CPsychol, Head of Behavioural Science, CybSafe

Research series: Personality and digital footprints in cyber security | Part 2


// CONTENTS

Introduction

Personal digital footprint

The four core digital footprint domains

Public domain footprint
Private footprint
Internet of things (IoT) footprint
Powers of the state footprint

Cross-domain factors

Digital footprints through a behavioural science lens

Conclusion


Introduction

In collaboration with CybSafe, NCC Group has been exploring personality traits and digital footprints. Within the series “Personality and digital footprints in cyber security”, we have explored how these factors might play a part in a person’s susceptibility to becoming a victim of cyber crime.

In CybSafe’s paper “Does personality enhance susceptibility to cyber attacks?”, we looked at the role of personality traits that could influence the types of cyber crime people are more vulnerable to. We also discussed the role of ethics in personality profiling and the future of harnessing personality in the cyber security field. This paper turns the focus to digital footprints.

We do this with the belief that there is further research to be done in this domain to support our understanding of how best to personalise interventions and training regarding digital footprints for different individuals. As such, this paper is merely introductory and aims to introduce the topic at a high level, supporting the bridging of technical security and behavioural science disciplines to help minimise risks associated with digital footprints.


Personal digital footprint

Personal digital footprints are the body of online data relating to ourselves. They accumulate over time, as and when we use the Internet and other digital services. Many of our actions in cyberspace are logged, often without our knowledge. For example, websites record the pages that we visited, the keywords we searched for and the text fields we might have filled in on these sites. Our personal digital footprints are also generated from information that we willingly provide to online services – from status updates and photos posted to social media, to credit card details for online purchases on e-commerce sites.

Our personal digital footprints can provide a rich picture of our personalities and habits. These can be extremely useful to cyber criminals seeking to exploit us for some gain.

“Our digital footprint may be of more interest to those with malicious intent. Criminals, violent protest groups, foreign intelligence services and terrorist groups can all benefit from gaining access to information about us, our work and who we associate with. The information can be exploited causing harm to us, our families, our organisation, our communities and the wider public.” [1]

[1] https://www.cpni.gov.uk/system/files/documents/d3/e8/28-February-2017-Edited-In-house-My-Digital-Footprint-booklet.pdf


Related to digital footprints is the concept of personal privacy debt. This debt reflects the implied cost to an individual’s privacy and security caused by their own historical digital footprint that typically increases over time.

Figure 1: Increased digital footprint over time increases privacy debt and risk exposure.

Digital nativeness is also intertwined with digital footprints. There exists a spectrum of different types of technology users, from luddites and non-tech savvy users through to digital natives such as generation Z [2], who live and work online.

A fascinating field of research exists on whether different behavioural and psychological traits correlate with different levels of digital footprint and personal privacy debt. Additionally, it explores whether personalised approaches can raise awareness of digital footprints, and if associated mechanisms can help minimise a person’s risk of falling victim to cyber crime.

[2] https://www.pewresearch.org/fact-tank/2019/01/17/where-millennials-end-and-generation-z-begins/


The four core digital footprint domains

To understand where and how personalised interventions could be introduced to reduce digital footprints, it is worth exploring the four core digital footprint domains [3].

Figure 2: The four core digital footprint domains, with cross-domain factors.

[3] https://howtosurvivetheinternet.co.uk/


Public domain footprint

Our public domain footprints are those that we voluntarily generate, such as by posting to public websites or social media. However, we may not consciously think about the aggregate value of our public domain footprints, and what advantage they could yield for cyber criminals.

Social media is a particularly rich source of public domain footprints. We might overlook sensitive information in the photos that we share [4], or be unaware of underlying metadata in images and documents, such as GPS location coordinates and email addresses [5].

Text that we publish online can be combined with methods such as Natural Language Processing (NLP) to extract sentiments, keywords and profiles based on psychological traits [6]. Simple data points such as social media ‘Likes’ can help to profile what people are interested in, their hobbies, political views and so on. Cyber criminals might leverage this information to tailor various forms of phishing attacks.

It is particularly interesting to explore patterns of public domain footprints and associated personality traits. Hinds and Joinson (2019) explore this area with examples of platforms and digital footprints associated with the Big Five personality traits. They then examine how those aspects might be measured to support scientific methods of exploring digital footprints and personality types, in ways that do not rely solely on self-reporting methods [7].

[4] https://mango.pdf.zone/finding-former-australian-prime-minister-tony-abbotts-passport-number-on-instagram

[5] https://www.elevenpaths.com/labstools/foca/index.html

[6] https://research.nccgroup.com/2019/06/07/project-ava-on-the-matter-of-using-machine-learning-for-web-application-security-testing-part-2-going-off-on-a-tangent-ai-ml-applications-in-social-engineering/

[7] Hinds, J. & Joinson, A. (2019). Human and computer personality prediction from digital footprints. Current Directions in Psychological Science, 28(2), 204–211.


Private footprint

Aggregation of large amounts of private data (e.g. cloud backups of photos and files) also presents a big risk in relation to cyber crime. A cyber criminal might seek to use ransomware or the threat of data deletion to elicit money from victims. It is important to note here that the modern threat landscape concerning digital footprints is not just about the threat of data exposure, but is equally about the threat of data loss and the negative impact that can have on individuals and entire organisations.

Internet of things (IoT) footprint

There exists a vast array of domestic IoT appliances that can interoperate and be controlled via digital assistants and apps on our mobile devices. These complicated interconnectivities create an IoT footprint, which then moves us more into the cyber-physical space where IoT devices can control access to our homes (e.g. through door locks and home CCTV cameras).

As IoT works through wireless interfaces (e.g. Wi-Fi and Bluetooth), it means that there is an increased risk of the devices revealing information about us and our personal spaces in the process. Many IoT devices with sensors (e.g. cameras and microphones) can invade our privacy by making recordings and sending them to remote web services. These extend our IoT footprints beyond our home domain. A number of mechanisms exist through which offenders may exploit consumer IoT devices and the digital footprints they produce. These include profiling, physical access control and the ability to control audio and visual outputs of the device [8].

[8] Blythe, J. M., & Johnson, S. D. (2019). A systematic review of crime facilitated by the consumer Internet of Things. Security Journal, 1-29.


Powers of the state footprint

Our daily lives, both online and in the physical world, are logged and searchable by the state through various procedures (e.g. law enforcement warrants and state investigatory powers). State-interest footprints include mobile phone usage and location tracking data, Automatic Number Plate Recognition (ANPR), Internet usage metadata from Internet Service Providers (ISPs), CCTV footage and our banking transactions.

We commonly think of powers of the state in the context of helping to stop or catch criminal behaviour. Indeed, the digital footprints of criminals can assist law enforcement in this endeavour. However, we note that there are examples where non-criminals might want to legitimately reduce their powers of the state footprint, such as journalists, whistle-blowers, informants, undercover police and agents.


Cross-domain factors

Along with the four distinct digital footprint domains, there exist a number of cross-domain factors, which can facilitate cyber criminal actions. Examples include:

Password reuse – people reuse the same password across multiple online services (including leaked passwords) [9]. Different personality traits will likely dictate different approaches to both password choices in terms of strength and complexity, and levels of password reuse.

Blurred home and work life – the ever-increasing blurring of home and work through remote working and mixed personal and work IT bridges the public, private and IoT footprint domains. This raises interesting questions on how different personality traits might treat a mixed use of home and work IT, in addition to whether individuals exhibit different security behaviours between home and work life (e.g. corporate policies requiring more stringent process), and what security outcomes might arise from combined, yet different, security behaviours around the same underlying IT.

Excessive privacy policies – many online sites and services require us to agree to certain terms and conditions on data capture, privacy and security. Commonly, these policies are long and use formal legalese, making them difficult for the average user to read [10]. The result is often a user’s default acceptance of the terms without reading them, potentially consenting to undesired digital footprint creation. Will different personalities approach privacy policies differently, or does the onerous nature of privacy policies mean we need new and accessible methods of presenting privacy policies, in different ways for different people? [11]

Readily-available harvesting tools – there exists a myriad of free and easily-available ‘cyber stalking’ tooling [12] on the Internet to facilitate cyber crime and exploitation of people through their digital footprints. These tools can provide cyber criminals with quick and easy methods of compiling lists of target victims for tailored cyber criminal campaigns, such as phishing or ransomware attacks. Does raising awareness of these types of tools, and the ease with which they are accessible, inform how best to provide actionable intelligence to different people?

[9] https://haveibeenpwned.com/

[10] https://www.bbc.co.uk/news/technology-54838978

[11] https://pribot.org/

[12] https://www.bbc.co.uk/news/technology-54838978


Digital footprints through a behavioural science lens

The extent to which individuals produce digital footprints will be determined by a range of individual differences that cover not only personality but also social, psychological, environmental and behavioural factors. Understanding and pinpointing such factors is important because it allows us to identify what influences both digital footprints themselves and the preventative behaviours that protect oneself and one’s data.

Such factors will differ depending on the digital footprint context. The context is important because people’s mental models of security do not match those of security experts [13]. So whilst people have mental models of how to protect their computers, these will differ from how they protect newer smart home technologies [14]. Even then, they prioritise security for those products that are traditionally associated with security of physical space (e.g. smart locks) [15]. This has resulted in ineffective awareness approaches that rely on the mental models of experts but do not translate to how people think and feel about security at home.

Research to date has supported the role of situational factors such as the compliance budget [16], which argues that engaging with security is a fine balance between the benefits and costs of security (in terms of time and loss of productivity). The more that security does not align with people’s primary goals, whether completing work or personal tasks online, the less likely they are to comply.

[13] Camp, L. J. (2009). Mental models of privacy and security. IEEE Technology and Society Magazine, 28(3), 37-46.

[14] Blythe, J. M., Johnson, S. D., & Manning, M. (2020). What is security worth to consumers? Investigating willingness to pay for secure Internet of Things devices. Crime Sci 9, 1.

[15] https://crestresearch.ac.uk/resources/individual-differences-in-the-adoption-secure-use-and-exploitation-of-smart-home-technology/

[16] Beautement, A., Sasse, M. A., & Wonham, M. (2008). The compliance budget: managing security behaviour in organisations. In Proceedings of the 2008 New Security Paradigms Workshop (pp. 47-58).


Other factors focus more on what motivates protection. The role of confidence in determining a person’s cyber hygiene is consistently supported. Yet most of the research continues to explore people’s risk perception, even though it has been found to be inconsistent in its role in determining security behaviour [17]. This may account for the focus on scaring people into security (often through a risk perception lens) that continues to fail in translating into behaviour change.

As discussed in our previous research paper, personality is another area that may determine digital footprints and cyber hygiene. In that paper, we outlined the five factor model of personality and how that may link to different cyber security vulnerabilities and behaviours. We concluded that further research is required to understand how best to personalise to such individual differences.

There is a wealth of research that has explored the behavioural determinants of subsets of digital footprints and cyber hygiene. We welcome research that explores how these factors are associated with the four core digital footprints. With greater internet connectedness our digital footprints increase and, with a wider use of smart devices, so does our need to protect our data. For the average person, it seems overwhelming. We need more personalised approaches that account for individual differences and empower protective action.

[17] ENISA. (2018). Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity (Issue December).


Conclusion

We have briefly touched on the four core digital footprint domains and cross-domain factors that, when combined, present different levels of digital footprint for people depending on their respective digital nativeness and personal privacy debt.

While there are of course technical measures, including operational security, that people can follow to minimise their digital footprints and personal privacy debts, this requires knowledge on their part of what those measures are, and how they should be implemented. There is a strong behavioural factor at play here – the willingness and openness of someone to learn potentially new skills and increase their self-awareness of their digital footprints could depend on their personality and other psychological and behavioural factors, thus warranting potentially different approaches to security training and awareness around digital footprints.

The famous line “If security doesn’t work for people, it just doesn’t work” [18] is important to emphasise here. We have focused on the psychological and behavioural factors that may influence digital footprints at an individual level. But our increasingly widespread digital footprint makes it more difficult for people to manage. A systems-based approach requires a focus on what is needed from a governance perspective and the roles and responsibilities of citizens, organisations and government in protecting people.

We believe there is much valuable research ahead, bridging behavioural science and technical security domains to understand what personalisations and interventions can be best produced for different people, to minimise their respective digital footprints and susceptibilities to cyber crime victimhood.

[18] https://www.ncsc.gov.uk/collection/you-shape-security


About

We are CybSafe. A British cyber security and data analytics company. We make it easy to manage human cyber risk.

Our software gets people engaged in security. It empowers them to make the best everyday-security decisions possible. We use behavioural science, data and reporting metrics to help security professionals do their jobs better. And see their impact on people-related cyber risk.

Our customers report improved security habits and fewer people-related security incidents.

About

NCC Group exists to make the world safer and more secure. As global experts in cyber security and risk mitigation, NCC Group is trusted by over 14,000 customers worldwide to protect their most critical assets from the ever-changing threat landscape.

With the company’s knowledge, experience and global footprint, it is best placed to help organisations assess, develop and manage their cyber resilience posture.

To support its mission, NCC Group continually invests in research and innovation, and is passionate about developing the next generation of cyber scientists.

With circa 2,000 colleagues in 12 countries, NCC Group has a significant market presence in North America, Europe and the UK, and a rapidly growing footprint in Asia Pacific with offices in Australia, Japan and Singapore.