International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 FRAMING THE ATTACKER IN ORGANIZED CYBERCRIME Sarumi, J. A (PhD)1, IBRAHEEM Abdul-Raheem.(PhD)2 jerrytechnologies@yahoo.co.uk1, ibraheem.a@npmcn.edu.ng 2 Lagos State University of Science & Technology Ikorodu, Lagos State1, Lagos State University of Science & Technology Ikorodu, Lagos State2. ABSTRACT When large values are at stake, the attacker and the attacker’s motives cannot be easily modeled, since both the organization at stake and the possible attackers are unique and have complex motives. Hence, rather than using stereotypical attacker models, recent work proposes realistic profiling of the opponent by the use of usercentered design principles in form of the persona methodology. Today, cybercrime is often organized, i.e., attacks are planned and executed by an organization that has put together a tailor- made team consisting of the necessary skills for the task. The actual individuals taking part in the attack might not be aware of or interested in the overall organizational motives. Rather, taking motives behind espionage, fraud, etc., into account requires consideration of the attacking organization rather than the individuals. In this paper, based on interviews with IT security experts, we build on the attacker persona methodology and extend it with methodology to also handle organizational motives in order to tackle organized cybercrime. The resulting framework presented in the paper extends the attacker persona methodology by also using narratives in order to assess the own organization’s security. These narratives give rise to intrigue sketches involving any number of attacker personas, which hence, make it possible to take organized cybercrime into account. Keywords: organization, attacker models, espionage, fraud, cybercrime, security experts, framework, persona methodology. I. I NTRODUCTION How does one assess an organization’s level of security? This can be discussed both in terms of a technical perspective, i.e., considering IT infrastructure, and from a user perspective incorporating more soft issues such as how people protect their information, usage patterns, etc. Ultimately, a high level of security with regard to all forms of intrusions is desirable, but this high level needs to be contrasted to users’ needs: a high level of security may be perceived as a hassle resulting in the use of workarounds that are insecure. Another user issue to be considered is that different stakeholders and actors within an organization can have different perception and awareness when it comes to security, which can present security gaps for the security at large. 1 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 From a technical viewpoint, one is often focused on making technology as proof and secure as possible. A comprehensive effort has been made to achieve security through such technical means over the years. Mathematically sound cryptographic systems/protocols providing the most basic security services is an example, but when used by humans’ the resulting level of security ranges from high to low depending on how it is being used in practice (password management, etc.) In this paper, we emphasize the human aspect of IT security as the most important and dictating feature to be considered in order for a system to provide good enough security. If a user is able to apply a security mechanism in an effective manner, then the mechanism can be considered to be more secure. Similarly, a very strong security policy may become cumbersome for users, which lead Saltzer and Schroeder [1] to propose the principle of being “psychologically acceptable” since then the usercentered design philosophy is gaining momentum. In 1996, the term user-centered security was introduced, which focuses on the need for security mechanisms, models and software to be usable [2]. For the user to be able to apply security in their day-to-day activities, they need to understand security in their own context of use. In [3] the author points to the need to understand user behavior in terms of security in order to improve the security of a system. Further, the author argues that phrasing the system security requirements in terms of user mental models can be beneficial, but that there is no framework that could be applied to achieve such goals. Moreover, Platt [4] emphasizes that every user has a “security budget” and when this budget is exceeded the end result is no security at all. Referring to the principle of least privileges, which suggest that the user should be given sufficient access to perform their day-to-day activities in a secure way, there is also a need for the user to be able to understand the implication of bypassing a security mechanism. The problem is twofold: lack of usability in the security mechanism itself and lack of user engagement due to not understanding the implications of bypassing a security mechanism. From a user-centered perspective, one often reason about the problems people have with protecting information. Such problems can either be of the mundane kind, such as being unable to remember passwords and as a result writing them down or the users might be unaware of presenting information to the wrong persons. The lack of user involvement can lead to false assumptions about the security mechanism which could eventually lead to compromised/inadequate security, no matter how sophisticated the security mechanism is. As an example, Whitten and Tygar [5] highlighted how users were unable to understand the security mechanism (PGP 5.0) which eventu- ally lead to confidential data being sent in the clear. Similarly, social engineering attacks aim to target the weakest link in the security chain: the users. Since the users are unable to understand the risk of disclosing 2 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 certain information, this leads to failure of the security mechanism. In fact, emphasizing the human aspects it turns out that users are in most cases not well aware about the consequences of their actions which can lead to devastating results [6], [7]. Consequently, there is a need for a framework to be used for enlightening the user/defender about the attacker perspective, and enable them to specify security-centric requirements in their context of use. However, in order to do this one must have some representation of the threats and the actual actors who might pose the threat. Still, such criminal actors are hard to find, harder to interview, and even harder to reveal. In this paper we follow-up on recent work [8] and propose a solution based on a methodology being highly appreciated within the practical usercentered design community—the persona methodology. The remainder of this paper is structured as follows. In Section II, relevant background regarding the persona method- ology is given. Then, Section III discusses organizational security assessment in general and the organized cybercrime threat in particular. The undertaken methodology is then described in Section IV, followed by a presentation of the resulting personas in Section V. Section VI then proposes and defines a persona-inspired framework which ultimately serves to estimate the overall cybercrime threat. Lastly, Section VII wraps up the paper with some concluding remarks. II. P ERSONAS AS A WAY TO P RESENT U SERS TO S ECURITY D ESIGNERS Personas is a method for highlighting end users and their needs of a system [9]. A persona is an aggregated character description representing a group of users with similar usage patterns and goals. It is meant to hinder an elastic notion of the end user and help the systems design team to focus on a particular user who, in turn, represents a cluster of consumer needs. It is common to describe several personas for a project, where one persona is the primary persona with goals that should never be compromised. Each persona described as a short description of a fictive person with name, photo/sketch, age, slogan, a usage scenario, goals, and needs. All descriptive aspects should be coherent and not contest general conceptions of the actual or prospective users. The method is supposed to be based on thorough research of actual usage, and is used to understand and focus on user requirements to communicate these requirements among different stakeholders in a design project. In essence, it is a tool that can be used to capture the user behavior, goals, motivations, and attitude towards a given software product. In the area of humancomputer interaction this methodology has been used to aid designers to design towards end users when actual or prospective users are absent. Also, Pruitt and Grudin [10] argue that personas are remark- able in terms of creating a common 3 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 ground for communication within the organization or the systems development project. Moreover, personas can be used as a tool for educational purposes, especially from the organizational perspective [11]. The use of personas as a methodology has, however, not been thoroughly researched. In addition, it has been rejected by some people since it can be used to replace direct user participation [12], [13]. Others argue that this is its actual strength since actual user involvement in the design work can be perceived as a hinder rather than as a help due to real users might having idiosyncratic demands which is not always shared within a larger group of users [9], [10], [12], [14], [15]. In other cases it might be impossible to involve users because they are unknown or do not have the required time to engage whole-heartily in the project. For this paper, personas are relevant as attackers are generally not known at a personal basis and do not lend themselves to be involved in designing systems which will prevent attacks. When designing against intruders or attackers it might be relevant to have a shared and clear idea of the prospect of the user one is designing against. By representing the attackers as personas we can get an understanding of the complex ways attackers might work. This introduces problems as we cannot interview actual attackers. In [8] this has been dealt with by developing personas by using assumptions of their character. In this paper we introduce the concept of narratives, or storytelling, which puts personas in a general context where motives and goals are based on the situation and surrounding, rather than solely on individual goals. This is in line with Quesenbery who claims that, “the power of storytelling may be the single most important reason why personas work” [15]. According to her, storytelling is an intrinsic part of being human, and we are prone to listen to and learn from narratives. Also, [12] theorize that the underlying psychological reason for the success of personas is a theory of mind in terms of being alert to stories. A. Assumption and Attacker Personas Empirical data collection to develop personas is a critical factor. Cooper’s [9] persona methodology focuses on acquiring first hand data by observing users though workshops, focus groups and interviews, whereas Pruitt and Grudin [10] argue that developing persona in such a manner is time-consuming and sometimes not feasible. The alternative to this approach is the assumption personas, in which expert opinions regarding a targeted group of users are used rather than observing groups of users. Assumption personas are developed at the start prior to the design phase. The hypothetical perception of the target group of users is captured in the assumption personas. The idea of using assumption personas has been perceived 4 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 as a quick way to develop and present one’s assumption about a specific group of users. Atzeni et al. [8] have presented attacker personas. They argue that the notions of anti-persona and assumption persona can be used to depict users for whom the system is not being developed for. In the case of attacker personas, Atzeni et al. [8] argue that empirical data collection directly from the user is not feasible. Instead, existing data sources such as taxonomies, profiling and knowledge elicitation workshops about the targeted group of users can act as an alternative. Considering IT security from an attack versus defend view- point is a common way to study threats [16], [17], and can provide insightful information about the attackers such as how they carry out attacks, which weaknesses they target the most, the skill of the attacker in terms of the way an attack is carried out, etc. Such data concerning different categories of attackers can be acquired from IT security professionals using quantitative and/or qualitative means. The obtained behavioral characteristics can then be further incorporated into attacker personas. The assumption personas presented by Atzeni et al. [8] are context bound. Using such context specific attacker personas means that one needs to develop multiple personas for a single context and for the case of multiple contexts then for each context one should have multiple personas. The problem is that security is not a single context problem: in fact, each security issue has multiple contexts, especially in terms of organizations. It is critical to develop context specific personas when the aim is to design the system for the user but here we are developing personas to design against the general intruders who actually would be able to attack any system. Deattaching the context from the attacker personas gives us the flexibility to use our attacker personas in multiple contexts. That is, we do not argue against a context bound framework but we argue against an attacker persona that is bound to specific contexts or specific systems. Rather, we perceive attacker personas as a collection of threats to an organization, and in this paper we, in line with [15], present attacker personas in a dynamic and narrative structure. Still, before we can develop a general framework methodology for this effort we need to have an idea of organized cybercrime as a second possible caveat with regard to the persona methodology, which is usually focused on individual needs and behaviors rather than organized team behavior. III. S ECURITY A SSESSMENT IN O RGANIZATIONS The elastic nature of the general and routine-like use of the term user as identified by Cooper [9] is being acknowledged by many researchers and forms the basis for the use of person as in systems development. However, we argue that problems, 5 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 and explicitly security problems, can be as elastic, especially in terms of assessing the organizational security. To further elaborate on the idea, let us consider an example where an employee in an organization somehow downloads a malicious file/code. This activity points towards a number of factors which could eventually have resulted in the download of that file. Such factors typically represent inadequacies with regard to, e.g., the security policy, the security mechanism, the user awareness, and so forth. The security problem in itself is complex and depends not only on a single factor, but rather upon multiple factors. In this paper, the gathering of narratives serves to provide basic data for understanding such underlying factors. A. The Narrative Property In order to further elaborate on the narrative property, let us consider the known analogy of the elephant and the six blind men. The blind men come across an elephant; by feeling different parts of the elephant each individual tries to describe what they perceive: they will all describe the elephant in various, and probably different, ways depending on if they have encountered the tail, the ears, the legs, the proboscis, or any other part of the elephant. This situation highlights that any complex and large problem being immediately perceived by an individual may elicit many different descriptions. In terms of an organization, the elephant represents the security- critical issues/problems and the blind men denote the different stakeholders in the organization. The perceptions of these stakeholders are the narratives, and each stakeholder might be able to describe an event or activity using a number of narratives. The narrative provides us with potential causes of an event, and with multiple people providing their narratives it becomes easier to identify overall security holes. Of course, the most predominant cause of the security issue will have an overlapping effect among the collected narratives. This over- lapping between narratives will identify the major loop holes, and the collection of narratives will incorporate factors which one individual was unable to identify. Thus, the collection of narratives encompasses multiple factors and provides insight into the cause of the security problem from different angles. A major issue is, however, how one should connect different narratives with actual attackers. This is where persona becomes a resource. B. Organized Cybercrime and Personas Recent trends in the IT security landscape suggest that organized cybercrime has become a part of the everyday cyber landscape with conventional criminal groups 6 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 using cybercrime to achieve their goals [18]. Choo and Smith [19] categorize organized cybercriminals into three categories: 1) Conventional organized criminals who want to improve their criminal activities using cyberspace, 2) Online cybercrime groups that mainly do their activities online, and 3) ideologically/politically motivated individuals that want to make use of the cyberspace for their particular interest. Moreover, McCombie and Pieprzyk [20] suggest that the cyber landscape provides ample opportunity for organized criminals. Further, the case studies and the references pro- vided in their article emphasize that there are cases where groups of cybercriminals have used extortion, blackmailing, and online fraud to achieve their desired goal. Hence, we assume that there exist groups of IT criminals operating on the Internet where the attackers are specialized and need to be described using a specific set of motivations, skills and goals. To map such an organization into a persona is a challenge due to the inadequacy of observable data about organizational culture, environment, hierarchal structure, communication, etc. Furthermore, the persona methodology is designed towards convergence of a group of individuals with more or less similar motivations, goals, skills, behavior, etc., into a single personification. To overcome these issues, the persona methodology needs to be extended to provide insight into such critical issues. However, there has been work carried out to capture the group or organizational aspect of persona [21], [22], but personification of a group of attackers has its limitation mainly due to the secret nature of such organizations. To acquire good enough security it is critical that organizational security issues are not looked upon as a single-factor problem rather than being multidimensional by nature. The persona methodology, contrary to its typical usage, can be used to design systems against the attacker by incorporating the attacker perspective. The narratives are a way to provide a multidimensional perspective on the security issues in an organization whereas the attacker personas are a way to relate different narratives with each other from an attacker perspective. The attacker personas will provide a different perspective on the narratives, aiding in identifying overlapping narratives and providing a mechanism to understand the motives and the goals behind a security problem or an attack. However, to achieve such benefits from the personas there is a need to develop attacker personas that are generic in nature, and thus can be applied in several contexts. In the following we present the development of a framework for eliciting narratives and connecting to general attacker personas. The framework and the 7 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 methodological procedure is intended to help organizations to become better equipped to assess and be prepared to act against perceived threats. The framework is based on both theoretical argumentation and a minor empirical survey. IV. METHODOLOGY In order to collect empirical data and insight about the multi- dimensional aspect of security and using narratives/storytelling as communication medium to propagate security issues we conducted a short exploratory survey in which we asked the respondents about their point of view on IT security. The questions had two parts. First, a question was asked in order to point out differences between the higher management Vis-à-Vis IT system designers/developers with regard to understanding of IT security issues within an organization, aiming towards the multidimensional perspective of security issues. The second part dealt with storytelling, i.e., the respondents’ thoughts about storytelling and whether it can be used as a communication medium for fostering consistent understanding of the IT security challenges and issues across the organization. We asked these questions to a total of six individuals. The questions were e-mailed to the respondents, and 5 out of 6 respondents sent their responses via e-mail while one chose to answer through a telephonic conversation. The targeted group consisted of IT professionals having a background in IT security. Three of them were working in the organization as software developers/designers, one was working in software testing, and two were providing security consultancy. The respondents were mainly working in large organizations having more than 100 employees. The next methodological step focused on the representation of the attackers in the form of personas. To accomplish this, identifying resources for acquiring data was the first thing to do. In a related article, Faily and Fléchais [23] use threat taxonomies as the major source of information, which is relevant for their context of use. However, we argue that there are multiple sources of data that can be used to develop attacker personas. Especially, there exists a comprehensive body of knowledge with regard to understanding the attacker perspective, and during our literature review we came across multiple multidisciplinary sources of attacker data. The data collected for the development of attacker personas has been taken from a combination of ethnographic studies, psychological studies of attackers, and IT security literature. The multidisciplinary nature of the literature shed light on the attackers from different perspectives such as attackers’ behavior, motivation, social and cultural aspects and goals, etc. Furthermore, there are several accounts of attackers which have been documented within IT security literature, mostly 8 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 regarding the convicted attackers, which provide information about profiling of attackers and their skills [24], [25], [26], [27], [28]. The categorization of the attackers was carried out based on their motivations. There is plenty of IT security literature available that sheds light on this aspect and provides a comprehensive classification of attackers [29], [30], [31]. The classification of attackers within the security literature consists of a rather stereotypical technical skill description, and differ only in that an attacker with similar skills is described using different names in different sources, e.g., an attacker who has the very basic skills is referred to as a script kiddie, novice, newbie, etc., depending on the source. The identified sources were used to develop sketched personas of the attacker. The personas created provided a brief history of the attacker’s goals, motivations, and relevant skills. To further refine the persona we developed scenarios to highlight inconsistencies. Additionally, we used hypothetical scenarios to test the personas in different conditions, and to understand how these generic personas can be used in a given context. V. R ESULTS This section summarizes the results that were collected as part of our exploratory survey with the aim of understanding the elastic nature of IT security problems in an organization. Moreover, we present the attacker personas which are used to represent the attackers in a narrative structure. The attacker personas are currently six in number and have been made as a proof of concept for the case of developing attacker personas that are context independent. A. Survey Analyzing the survey responses, the respondents agreed to the fact that there is a difference when it comes to understanding IT security. They highlighted that sometimes the higher management in the organization considers security from a more abstract perspective while the developer or the system designer have a more technical understanding of IT security. The first question, “Do you think there is a gap between the higher management understanding of the IT security (in general) and your thinking of IT security while de- signing/developing the system?,” was aimed at understanding the difference between the higher management and the system developers. One of the respondents did not agree that there is such a difference and meant that everyone has a more or less similar understanding, but due to lack of communication the understanding of IT security is different with regard to one’s viewpoints: 9 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 I do not think there is gap between management and the developer to understand IT security. Managers need to describe in detail to their developers how they want the system should work. It’s up to the developers how they implement it. Similarly, one respondent argued that this difference in understanding is natural since both the higher management and the software developers have different roles in the organization. There is a definite gap of understanding. The higher management decisions are driven by business goals. If designing security becomes a hurdle, security is often appended in the end giving a sense of security. As a designer of a system, our goals of incorporating security are purely technical and are driven by overall application security. Hence, the feedback from the survey re-enforce the idea described in Section III regarding several perceptions of the same issue due to the organization being a complex entity and every user in the organization having a different perception. The higher management in the organization has a different understanding of the security problems whereas the designers have a more technical understanding of security. This difference in understanding mainly stems from the particular role of an individual in the organization. With regard to the second question, “What do you think of using techniques such as storytelling to communicate IT security problems across the organization?,” the survey responses were varying. According to one respondent the idea is interesting but should be used in combination with other methods to increase its effectiveness: Storytelling is good technique in which user can tell his needs, problems etc. in a simple language. And the expert can draw design on based on story. However this is one of the technique and is not sufficient to communicate security related problems across organization. Different techniques can be merged along with storytelling. In another case the respondent argued that newspapers can be an alternative mechanism which could be used to create awareness during the weekly meeting where recent threats and issues of concern to the organization are discussed: Recent news about IT-Security problems in Meetings, Seminars. Yet another respondent argued that this technique could be useful in terms of known security threats or attacks but would not be effective in case of new types of threats. The remaining respondents were positive to the use of storytelling and 10 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 suggested that this method could be used to create awareness as well as during the design and development phase of a product. 11 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 Fig. 1. Each attacker persona contains goals, motivations, skills, and a scenario that are specific for the persona in question. B. Presentation of Personas Based on the acquired data, we have developed a total of six attacker personas according to Figure 1, namely the ideologically motivated, the botnet developer, the bragger, the insider, the spy, and the financially motivated attacker. The personas are developed to represent the most common set of motivations of an attacker according to IT security literature such as ideological, financial, political, revenge, and so on. One could develop any number of attacker personas based on their specific requirements but for a proof of concept, we have developed six attacker personas and to exemplify, we will briefly present three of these below. Each persona has been given a distinct name and picture, representing the fictional character. Moreover, each persona has been associated with goals, motivations, attitudes and skills. The personas are developed to depict the generic perception of the attackers and are not designed to serve any specific organization or context. The skills and attitudes are high-level in nature and are based on literature. This collection of personas depicts several threats to an organization. Relevance of these personas in terms of organizational context can be judged based on their motivations and high level goals described within the personas. The skill sections in each persona represent the capability of an attacker, and how these skills can be used to carry out an attack is presented in the persona-specific scenario. To further elaborate on the scenarios that are part of each persona, these are part of the persona methodology and are used to describe the sequential activities that a user undertakes to reach a specific goal. The aim of the scenarios is to aid the system designers in understanding the user activities and requirements while 12 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 developing a system. We have used the concept of scenarios, as discussed by Quesenbery [15], and applied it in terms of attacker activities, i.e., we have developed a set of small stories which emphasize how a specific attacker in the past has attacked several organizations to achieve their goal. However, these stories do not provide a detailed step by step approach to describe an attack, but rather provides a high-level description of the attack. This information is also derived from the IT security literature as discussed in Section II. The aim of using the scenarios is to provide a basic understanding of how an actual attacker could operate and which weaknesses that might be exploited by the attacker. This information is particularly helpful while analyzing the narratives and relating it with the attacker personas. Hence, the idea of presenting this information is to provide a guideline so that the narrative can be related to the personas and scenarios while developing intrigue sketches, which will be discussed further in Section VI. These personas act as a tool to question the existing security practices applied by the organization at a higher level, and provides a multidimensional view of threats that an organization can face. The scenarios coupled with the attacker personas provide a much detailed analysis of the attacker perspective, providing a generic understanding of how the attacker operates. Martin represents the set of attackers which are ideolog- ically motivated. The persona starts with a brief historical account of Martin, depicting how he started to develop his skills within the area of IT security and what motivated Martin to become an ideological attacker. Furthermore, a brief set of skills are also expressed in the persona to highlight high- level understanding of the type of attacks Martin can perform. Martin’s skills range from social engineering to developing specialized tools or scripts to infiltrate an organization. The Martin persona also includes the set of goals which he is trying to pursue and what he would achieve if a successful attack on the organization is carried out. The next attacker persona is Kevin, which represents the group of attackers who are financially motivated. The persona starts with a brief background, representing a brief world- view of the attacker. The attacker has chosen cybercrime as a way of living and finds criminal activities on the Internet very profitable. The persona also sheds some light on the underground hacking circle where he has contacts. From his large array of hacking skills, social engineering attacks are of most interest since he finds them easy to exploit. Kevin is represented in the persona as a “gun for hire” and can be used by anyone, e.g., the mafia, terrorist organizations, spies, and others. Thomas is the persona representing botnet developers, i.e., a persona performing non-targeted attacks. This persona rep- resents attackers who develop botnets by first 13 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 hacking into organizations and later using their infrastructure for attacking third party networks. The Thomas persona describes why the organization is of interest and how he can benefit from the organizational infrastructure without having a direct motivation for attacking the organization in itself. Thomas’s major motivation is financial and he works in collaboration with other attackers. The Thomas persona is specifically designed to address the non-targeted attacks on an organization, and how someone who might not be directly interested in hacking into critical assets of an organization still can pose an indirect threat. Fig. 2. The complete flow diagram of the framework starts with the collection of narratives which are derived from respondents in terms of critical assets and security related events. Narratives and attacker personas with scenarios are then used by a security analyst to develop intrigue sketches. These intrigue sketches are further related with each other and with existing security practices in order to develop a small number of plots to be considered for identifying the overall threat. VI. F RAMEWORK In this section we present our framework, which is an attempt to highlight the organizational security threats while extending the persona methodology. The framework comprises four parts, namely: 1) narratives, 2) attacker personas (including scenarios), 3) intrigue sketches, 4) plots. In the preceding sections, narratives and attacker personas have already been discussed. Henceforth, this section serves to describe intrigue sketches and plots. A. Intrigue Sketches 14 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 Before we define the intrigue sketch it is necessary to understand why we need intrigue sketches. As discussed in Section II, our personas/scenarios are context independent so in order to put them in an organizational context we need to relate them to organizational-specific narratives and therefore we have introduced the term intrigue sketch. The aim of the intrigue sketches is to provide a mapping such that the attacker and the IT security perspective can be related in a context specified by the user through the narrative. In practice, this process consists of a systematic interpretation of the narrative in terms of attacker personas. The interpretation can mainly be carried out by someone who has a good understanding of IT security and thus the security analyst is a part of the process. This interpretation of a narrative in terms of personas enables one to understand the problem identified by the narrative from an IT security viewpoint. Also, taking this attacker perspective could help determining the overall motivations and goals behind an attack, which can further lead to identifying organized cybercrime activity by looking at multiple intrigue sketches, which will be discussed further below. As shown in Figure 2, the intrigue sketches make use of narratives, security analysts and attacker personas with scenarios. Both the narrative and the attacker personas have some attributes in common which are mainly goals, motivations, and skills. The narrative incorporates these aspects from the respondent perspective, e.g., how a certain event took place, which critical asset was targeted, and so forth. Similarly, each persona contains a set of goals, motivations, and skills. When these attributes, derived from a narrative and the corresponding attacker personas, are related with each other by a security analyst/expert the result is an intrigue sketch. The intrigue sketch holds information about the relevant attacker or attackers, possible attack procedure (derived from the corresponding attacker persona scenario), motivations, and goals. As depicted in Figure 3, the intrigue sketch development process can be seen as a way to combine the attacker perspective (personas with scenarios), the respondent perspective (narrative) and the security perspective (the security analyst) in order to under- standing the multidimensional aspects of security. Moreover, new personas can be developed for the case when the existing personas do not tackle the problems identified by the narrative. For the development of the overall framework, it should also be emphasized that each intrigue sketch will contain at least one persona, but can of course contain more depending on the narrative. Similarly, each narrative will have at least a single corresponding intrigue sketch. To make sense of the intrigue sketches in terms of the organizational perspective, each intrigue sketch should be classified mainly on the basis of the attacker’s goals and in some cases the combination of both goals and motivations. As shall be seen, this classification of 15 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 the intrigue sketches will prove necessary in the next phase of the framework, which is the plot creation. Fig. 3. The intrigue sketch development process relates a narrative with one or several attacker personas. If the narratives cannot be described using the existing persona set, then new attacker personas must be developed so that a narrative has a minimum of one attacker persona assigned to it. B. Plots The plot is the last part of the framework, which describes the overall security of the organization by relating intrigue sketches with the existing security practices being used by the organization. Each intrigue sketch can be related with the existing security practices of the organization either individually or collectively to point out threats to the organization. However, using intrigue sketches individually may result in ignoring the multidimensional aspect of security. On the other hand, however, there could be a case where the intrigue sketch represents an isolated attacker’s activities. In such case, the plot will comprise of a single intrigue sketch related with the organizational practices to identify potential threats. A collective usage of the intrigue sketches will provide a holistic view of the organizational security. To 16 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 achieve this it is critical that the intrigue sketches are specified so that it is easy to identify the overlapping among them. This problem is solved by the specification of intrigue sketches in terms of goals and motivations, as mentioned earlier. The intrigue sketches can be related by using a combination of both goals and motivations, e.g., attackers who are trying to steal critical information and are ideologically motivated can be clustered together, etc. Once the intrigue sketches have been synthesized they can be related to existing organizational practices, which will result in an assessment of the existing security practices of the organization and eventually identify threats that the organization might face. However, it should be mentioned that the number of plots will depend upon the number of intrigue sketch syntheses, i.e., the intrigue sketches might result in one espionage synthesis and one mafia synthesis which, when related with the organizational practices, will yield two different plots since they represent two separate kinds of attacks. Moreover, each attack represents a threat to an organization and thus each plot will yield a single threat. To finally tackle the organized cybercrime threat, the attacker personas that were listed during the intrigue sketch development activity are used. The attacker personas can be related from an organized cybercrime perspective based on their goals and motivations to find out whether the attacker personas represent attackers which are individual actors or are part of an organized criminal activity. To summarize and to get an overview of the framework, see Figure 4 where the framework constituents have been put in perspective relative to each other. 17 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 Fig. 4. The complete framework consists of different narratives that are collected from the respondents in the organization, which are then being related with attacker personas with scenarios in order to develop intrigue sketches, which are finally brought together with existing organizational practices to develop the overall plot. VII. C ONCLUSIONS In this paper we have presented a framework which is to be used to understand the existing IT security environment in an organization. The framework highlights possible inconsistency in terms of understanding the IT security specific requirements and expectations from the organizational perspective. Also, the framework is an effort to assess the organizational security from multiple perspectives by extending the persona methodology. A small amount of empirical data was collected from individuals working as developers and designers within different organizations. Most agreed that using storytelling to communicate organizational-specific threats (in terms of IT security) is a good idea and some further suggested that these stories can be used as a tool to elicit security-specific requirements as well. We have also presented attacker personas such that they are context independent and are used to incorporate the organized cybercrime perspective. The major contribution is the intrigue sketch which is the combination of a respondent’s narrative, generic attacker personas and a security specialist’s assessment. The intrigue sketch sets a scene for the possibility to 18 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 frame one or several attackers in a specific situation. In the future, we aim at 1) assessing the validity of the framework by collecting empirical data from IT security specialists, and 2) applying the framework at a selected organization in order to evaluate its practical usefulness. R EFERENCES [1] J. H. Saltzer and M. D. Schroeder, “The protection of information in computer systems,” Proceedings of the IEEE, vol. 63, no. 9, pp. 1278– 1308, Sep. 1975. [2] M. E. Zurko and R. T. Simon, “User-centered security,” in Proceedings of the 1996 workshop on New security paradigms, ser. NSPW’96. New York, NY: ACM, 1996, pp. 27– 33. [3] M. E. Zurko, “User-centered security: Stepping up to the grand chal- lenge,” in Proceedings of the 21st Annual Computer Security Applica- tions Conference, ser. ACSAC’05. Washington, DC: IEEE Computer Society, 2005, pp. 187–202. [4] D. S. Platt, Why Software Sucks. . . and what you can do about it. Boston, MA: Addison-Wesley, 2006. [5] A. Whitten and J. D. Tygar, “Why Johnny can’t encrypt: A usability evaluation of PGP 5.0,” in Proceedings of the 8th conference on USENIX Security Symposium, ser. SSYM’99. Berkeley, CA: USENIX Association, 1999. [6] A. Adams and M. A. Sasse, “Users are not the enemy,” Communications of the ACM, vol. 42, no. 12, pp. 40–46, Dec. 1999. [7] I. Fle´chais and M. A. Sasse, “Stakeholder involvement, motivation, responsibility, communication: How to design usable security in e- Science,” International Journal of Human-Computer Studies, vol. 67, no. 4, pp. 281–296, Apr. 2009. [8] A. Atzeni, C. Cameroni, S. Faily, J. Lyle, and I. Fle´chais, “Here’s Johnny: A methodology for developing attacker personas,” in Sixth In- ternational Conference on Availability, Reliability and Security (ARES), Aug. 2011, pp. 722–727. [9] A. Cooper, The Inmates Are Running the Asylum: Why High-Tech Products Drive Us Crazy and How to Restore the Sanity. Sams Publishing, 2004. [10] J. Pruitt and J. Grudin, “Personas: Practice and theory,” in Proceedings of the 2003 conference on Designing for user experiences, ser. DUX’03. New York, NY: ACM, 2003, pp. 1–15. [11] E. Markensten and H. Artman, “Procuring a usable system using unemployed personas,” in Proceedings of the third Nordic conference on Human-computer interaction, ser. NordiCHI’04. New York, NY: ACM, 2004, pp. 13–22. 19 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 [12] J. Grudin, “Why personas work: The psychological evidence,” in The Persona Lifecycle: Keeping People in Mind Throughout Product Design, J. Pruitt and T. Adlin, Eds. San Francisco, CA: Morgan Kaufmann, 2006, ch. 12, pp. 642–663. [13] S. Portigal, “True tales: Persona non grata,” interactions, vol. 15, no. 1, pp. 72–73, Jan.– Feb. 2008. [14] J. Grudin and J. Pruitt, “Personas, participatory design and product development: An infrastructure for engagement,” in Proceedings of the 7th Biennial Participatory Design Conference (PDC 2002), 2002, pp. 144–161. [15] W. Quesenbery, “Storytelling and narrative,” in The Persona Lifecycle: Keeping People in Mind Throughout Product Design, J. Pruitt and T. Adlin, Eds. San Francisco, CA: Morgan Kaufmann, 2006, ch. 9, pp. 520–554. [16] J. Brynielsson, “An information assurance curriculum for commanding officers using hands-on experiments,” ACM SIGCSE Bulletin, vol. 41, no. 1, pp. 236–240, Mar. 2009. [17] S. Cooper, C. Nickell, V. Piotrowski, B. Oldfield, A. Abdallah, M. Bishop, B. Caelli, M. Dark, E. K. Hawthorne, L. Hoffman, L. C. Pe´rez, C. Pfleeger, R. Raines, C. Schou, and J. Brynielsson, “An exploration of the current state of information assurance education,” ACM SIGCSE Bulletin, vol. 41, no. 4, pp. 109–125, Dec. 2009. [18] R. McCusker, “Transnational organised cyber crime: distinguishing threat from reality,” Crime, Law and Social Change, vol. 46, pp. 257– 273, 2006. [19] K.-K. R. Choo and R. G. Smith, “Criminal exploitation of online systems by organised crime groups,” Asian Journal of Criminology, vol. 3, pp. 37–59, 2008. [20] S. McCombie and J. Pieprzyk, “Winning the phishing war: A strategy for Australia,” in Second Cybercrime and Trustworthy Computing Workshop (CTC 2010), Jul. 2010, pp. 79– 86. [21] M. Kuniavsky, “Extending a Technique: Group Personas,” http://www. boxesandarrows.com/view/extending a technique group personas/, 2004, [Online; accessed 10-April-2012]. [22] A. Giboin, “From individual personas to collective personas,” in Proceedings of the Fourth International Conference on Advances in Computer-Human Interactions (ACHI 2011), Feb. 2011, pp. 132–135. [23] S. Faily and I. Fle´chais, “Barry is not the weakest link: Eliciting secure system requirements with personas,” in Proceedings of the 24th BCS Conference on Human Computer Interaction (HCI 2010), ser. BCS’10. Swinton, UK: British Computer Society, 2010, pp. 124–132. [24] P. Shachaf and N. Hara, “Beyond vandalism: Wikipedia trolls,” Journal of Information Science, vol. 36, no. 3, pp. 357–370, Jun. 2010. 20 International Journal of Scientific Engineering and Technology (Engineering Collection-Innovative Research Publication Journals) https://dx.doi.org/10.22624/AIMS-824454 [25] M. Kilger, O. Arkin, and J. Stutzman, “Profiling,” in Know Your Enemy: Learning about Security Threats, 2nd ed., L. Spitzner, Ed. San Francisco, CA: Addison-Wesley, 2004, ch. 16, pp. 505–556. [26] R. Barber, “Hackers profiled—who are they and what are their motiva- tions?” Computer Fraud & Security, vol. 2001, no. 2, pp. 14–17, Feb. 2001. [27] E. D. Shaw, “The role of behavioral research and profiling in malicious cyber insider investigations,” Digital Investigation, vol. 3, no. 1, pp. 20–31, Mar. 2006. [28] I. Enrici, M. Ancilli, and A. Lioy, “A psychological approach to information technology security,” in Proceedings of the 3rd International Conference on Human System Interaction, May 2010, pp. 459–466. [29] M. Rounds and N. Pendgraft, “Diversity in network attacker motivation: A literature review,” in Proceedings of the 12th IEEE International Conference on Computational Science and Engineering (CSE’09), vol. 3, Aug. 2009, pp. 319–323. [30] M. K. Rogers, “A two-dimensional circumplex approach to the devel- opment of a hacker taxonomy,” Digital Investigation, vol. 3, no. 2, pp. 97–102, Jun. 2006. [31] D. E. Denning, Information Warfare and Security. Boston, MA: Addison-Wesley, 1999 . 21