Mitigating Security Threats Through Forensic Psychology

Sunday, February 06, 2011

Jonathan Dudek


Mitigating Internet Security and Intellectual Property Threats Through the Lens of Forensic Psychology:  Lessons from the Dark Side of Human Behavior

"It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles... if you do not know your enemies nor yourself, you will be imperiled in every single battle."

Sun Tzu, The Art of War (6th Century B.C.)

The Consumer Electronics Show, by nature, is a showcase and celebration of the latest technologies, be they in electronics, hardware, software, mobile broadband, social media, and the like. 

Significant capital - both financial and human - has been invested in the development of the sophisticated technologies underlying these cutting edge products and services as well as in bringing them to market - and to the CES "party." 

However, in any large social gathering there lurks a spoiler to pop balloons, stick a finger in the cake, and, in the case of novel technologies, to steal, sabotage, and/or pirate intellectual property; to make terroristic threats; to engage in blackmail; and/or to profiteer from the proprietary work of others. 

The actions of these spoilers - be they malicious hackers, organized criminal groups, foreign governments or their agents, or loose associations of individuals with a common sinister objective - can be devastating to companies of all sizes.  The list of carnage they may cause a business is endless, to include loss of market share, decreased revenues, public embarrassment, loss of investor confidence, low employee morale, strained diplomatic relations, human harm, and corporate collapse.   

Speaking as a forensic psychologist with a national security and law enforcement background and expertise in risk assessment and mitigation, I would argue that companies must heed Sun Tzu's warning. The motto to "know thy enemy" rings just as true on today's cyber battlefield as it did thousands of years ago on terra firma.

In today's rapid fire technology space, it is understandable that many tech companies focus on the technology itself; arguably, however, ongoing incidents of piracy, the theft of IP and confidential data, cyber-espionage, and acts of sabotage, for instance, suggest that these companies fail to understand people - especially the party spoilers - often at a significant cost. 

Having a thorough understanding of one's enemies, their underlying motivations, their unique criminal behaviors, as well as related cultural and political factors are critical first steps toward mitigating the carnage listed above.  Turning over these "behavioral stones," examining what is underneath, and digging deeper comprise a forensic psychologist's playground. 

This forensic examination will raise questions; generate hypotheses for testing; identify unique behaviors, characteristics, and trends; and, yes, reveal further questions.  Who is presently exploiting and/or stealing your technology?  Who has exploited your technology in the past?  Why?  Was the attack conducted by an individual; sponsored by a foreign government; initiated from within the company, etc.?  Has there been a pattern to actual or attempted attacks?  Is this behavior state-sponsored or condoned?  Are there political, diplomatic, and/or cultural issues that help explain the behavior in question?  What security measures have been taken? 

Using Sun Tzu's lesson, it would behoove tech companies to carefully consider the "dark side" of human behavior when conceptualizing new technologies and to implement their own "behavioral counterintelligence operations" against threats.

As I have written elsewhere, by developing a thorough understanding of this "dark side," tech companies may gain valuable insight into the actual and potential behavior of criminal groups and others seeking to target and exploit vulnerabilities in their products and services.   Using this knowledge at the conceptualization phase of technology development, companies may then develop appropriate risk mitigation strategies, countermeasures, and other safeguards. 

For instance, how might this technology be exploited or misused by criminals?  Are there any red flags that have been neglected?  Could a malintentioned individual within the company, perhaps with the aid of an outside party, be a spoiler, causing irrevocable damage?  The best defense is a good offense, period.   This proactive strategy would seemingly be cost effective over the longer term with companies mitigating the likelihood of retrofitting technologies (e.g., in the case of an intrusion or data tampering) or even abandoning them (e.g., pursuant to the theft of IP and piracy). 

To further elaborate, some behavioral and forensic-related areas to assess include the characteristics and behaviors of various criminals and groups (e.g., organized criminal networks, hostile foreign governments, terrorists, white collar criminals, and hackers); their motives and objectives (e.g., financial gain, sabotage, cyberespionage, blackmail, etc.); and identifying how their behavior may be manifested with respect to a given technology (e.g., a stealth attack via the internet, an insider threat from a so-called "lone wolf," corporate espionage utilizing foreign intelligence personnel or agents, etc.).

In the latter regard, properly and thoroughly vetting personnel (to possibly include a psychological screening) who not only have access to sensitive technologies and/or information - but also the designers themselves - is paramount.  One need only examine the recent WikiLeaks scandal to witness the carnage allegedly stemming from the actions of a U.S. Army private with access to sensitive intelligence data. 

The example of cloud computing illustrates this proactive, forensic psychological approach to risk mitigation. In light of the various facets of cloud computing, encompassing applications, platforms, and infrastructure, there exist numerous opportunities for exploitation of these technologies by criminals, ranging from so-called "insider threats" from a "lone wolf" (e.g., a rogue programmer); an insider collaborating with an "external threat" (e.g., an agent stealing information or committing fraud on behalf of an outside party); hostile governments (e.g., pariah nations engaging in illicit technology transfer or defrauding insurance companies to obtain needed hard currency); to international criminal groups organized along ideological, ethnic, or faith-based lines (e.g., gangs operating in the Eastern European region, militant groups, etc.).

Identifying the nature of known threats; the motives and modi operandi of these criminal groups; and other critical factors contributing to their behavior, such as underlying cultural and political beliefs, will foster the development of appropriate risk mitigation strategies and safeguards at each level of the cloud. 

For instance, countermeasure development might probe how the behavior of hostile parties would interface both at the desktop (e.g., by targeting someone's computer through the cloud or within the workplace setting) and the mainframe (e.g., writing code to prevent intrusions and misuse of confidential data) levels.  It is important to underscore that the nature of the threats, as well as the motivations and objectives of the perpetrators, may differ considerably. 

Recent Asia-based cyber attacks against U.S. technology companies; attempts by pariah nations to acquire sensitive technology through illicit transfer and to obtain hard currency by defrauding Western reinsurance companies; and the intrusion into U.S. retailers and theft of millions of credit card numbers that were then dispersed in Europe all evidence the inherent diversity, creativity, and scope of these threats.

In toto, technology companies may implement novel and proactive measures to mitigate internet security threats as well as to further protect intellectual property.  Before introducing a given technology, businesses would be well-advised to explore, rather than neglect or dismiss, the human element. 

Forensic behavioral science professionals, either embedded with the design team or on a consultatory basis at the conceptualization phase, will be able to assist with the analysis and nature of the above threats while also identifying related behavioral vulnerabilities.  It is best to not invite spoilers to the party and, better yet, to not let them take a byte.

Jonathan A. Dudek, Ph.D. is a forensic psychologist with a national security and law enforcement background. As the founder of Dudek Global Partners, he maintains an international consulting practice assisting developing countries, corporations, and other public and private sector entities with business and program development; human capital and systems-based risk management, risk mitigation, and problem-solving; identifying strategic opportunities as well as human and cultural barriers to entry; and forensic and investigative consultation. Dr. Dudek may be contacted at

Comments

Lee Mangold: A huge problem, indeed. I've been to many, many DoD trade shows, and it's stunning how much information you can get from vendors if you just ask. Sometimes the engineers are just so proud of what they've done that they want to explain how difficult it detail...

While obviously this isn't an intentional spillage, it's nonetheless relevant to know the enemy...

Jonathan Dudek: Thank you for your most helpful comments, Lee. You raise an excellent point about open source intelligence. Indeed, hostile governments and their agents undoubtedly exploit this vulnerability, too!