Summer School on The Human Aspects of Cyber-crime and Online Fraud

post by Neeshé Khan (2018 cohort)

This Summer School and workshop was hosted by the Kent Interdisciplinary Research Centre in Cyber Security (KirCCS) and School of Computing at the University of Kent, the Institute of Applied Economics and Social Value at De Montfort University and the International Association for Research in Economic Psychology (IAREP). It took place at Canterbury from the 15th to the 17th of July, led by Dr Jason RC Nurse.

As I’m working on accidental insider threat within cybersecurity to examine human factors that trigger this threat, I was keen to attend this event as it would provide an overview of the issues around social engineering and associated forms of crime in the virtual and physical world – broadly sitting within my own research interests. Recent media has highlighted many cases where fraud and cybercrime have resulted from a mixture of social engineering and human vulnerabilities to gain undesirable outcomes including encryption of data to hold at ransom on an organisational and individual level. Whilst there is literature on cyber-psychology linking to malicious insiders and cybercriminals, there is little literature available that takes an interdisciplinary approach to tackle this problem, especially examining this from a psychological, economics, and cybercrime perspective. So the aim of the summer school was to introduce these disciplines and their relevance to be able to better understand this challenge. This was particularly important to me as I believe that all the global challenges being faced by the world today require collective interdisciplinary action to resolve them.

One of the highlights of attending this school was meeting a diverse range of about 40 attendees, which included different career stages within academia, people from industry, diversity in research being pursued and interests as well as diversity in ethnicity, age and academic backgrounds. Whilst most of the projects weren’t similar, it was still cohesive in terms of disciplines and understanding of cybersecurity. This allowed a space where I shared and received ideas and insights about this issue over workshop discussions and group dinners. Presentations were a mixture of academics from various universities including the University of Bristol and the University of Cambridge as well as law enforcement. I hope my notes below are of interest to anyone from psychology, economics, and cybersecurity fields taking an interdisciplinary approach to exploring cybercriminal and victim behaviour and traits, especially those involving malicious or intentional insiders.

Discussions included how the definition of cybercrime is hard to settle on as it means many different things for researchers, businesses, and individual users. Technology evolving has meant that many of the devices aren’t seen to be within the remit of cybercrime by the general public, for example, cybercrimes that happen through mobile phones or smart wearable devices are seen to be separate from the same crimes that occur through a desktop or a laptop. A way of looking at cybercrime is by categorising attacks that are ‘computer dependent’ (DoS, ransomware, etc.) and those that are ‘computer-enabled’ (online fraud, phishing, etc.). This can also be categorised through Crime in Technology, Crime against Technology, and Crime through Technology.

Cybercrime is a big challenge being faced by society and whilst there are numerous different types of cybercrimes, currently, popular ones include social engineering, online harassment, identity-related, hacking, and denial of service (DoS) and/or information. Social engineering and phishing attacks are the biggest attacks that are currently taking place. Cybercriminals are getting better at replicating official documents (fewer spelling mistakes, logos, branding, etc.) and use a mixture of techniques that include misdirection and pressurising recipients to take action. Most classifications of cybercriminals are through using early techniques developed by the FBI’s human behaviour department and include the Dark Triad and OCEAN personality traits. Techniques used to investigate crimes in real life such as ‘method of operation’ (MO) and copycats seem to transfer relatively well to cybercrime investigations.

Law enforcement believes that in their experience there is a strong link between gender, age, and mental ability and cybercriminals. Children test out their coding skills from lessons in schools to attack websites or online gaming platforms. There also appeared to be a strong link between online gaming habits, mental disorders such as ADHD and hacking. Whilst there are more cybercrimes reported to the police than crimes in the physical world, the task force is still more suited for ‘boots on the ground’ than for cybercrime. All individual reports of cybercrime are done through Action Fraud and involved cybercrimes that came from someone they knew such as disgruntled ex-partners. Threats included a wide spectrum but the most popular ones included fraud, abuse, blackmail, harassment, and defamation of character.

In psychology, cybercriminals are classified in similar ways to that of criminal profiling in real-world crimes. There is also interest in exploring victim traits since individuals who are a victim of an online attack are likely to be a victim of another attack in the future. When looking at cybercriminal profiling, psychological and emotional states are key factors. Various online forums are researched to create a cybercriminal’s profile mainly through the following categorization: language used, attitudes towards work (for example in the case of a malicious insider threat), family characteristics, criminal history, aggressiveness, and social skill problems including integrity and historical background. However, this is challenging as personality traits and characteristics are easier to change online, especially for narcissistic personality traits. There is also never 100% certainty in creating a psychological profile of a cybercriminal; there is very little research, and it involves stereotypical profiles such as ‘white, male, geek, likes maths, spends a lot of time alone, plays online games, anti-social traits, etc.’ Often personality traits associated with ‘openness’ of individuals link to individuals being susceptible online to phishing and other scams.

The most important models of profiling are ‘inductive’ and ‘deductive’ criminal profiling. Inductive is using existing data to identify patterns and deductive is starting from the evidence and building up to the profile (deductive cybercriminal profile model). The deductive method is very popular and was designed by Nykodym et al. (2005), but there’s also geographical profiling (Canter and Hammond 2003) that is starting to become more popular as a result of social engineering attacks. Economists are applying ‘willingness to pay’ (WTP) and ‘willingness to accept’ (WTA) models and game theory to ransomware attacks.

Overall, the summer school provided a great platform to create a new network, reaffirmed my understanding of the current approaches being adopted, offered insights to some of the research being conducted, and provided a platform to promote my research. 

Programming in Unity at the DEN Summer School

Post by Joe Strickland (2017 Cohort)

Back in the summer of 2018 I attended the DEN summer school in Bournemouth. One of the big draws of the summer school for me was the programming in Unity course that was being offered. Having come from a psychology background, I had no programming knowledge but it was becoming clearer and clearer that this was going to be something that held me back during my PhD, especially when it came to prototyping ideas for experiences. The course itself was pretty good; we ran through several different elements of using Unity including the basics of building scenes, game object physics, and exporting our scene onto a smartphone and viewing it with a cardboard headset as a VR experience. We also started using Vuforia and making basic AR content. This workshop gave me a good basic understanding of Unity, but more importantly, it showed that what I wanted to learn and eventually make was well within my grasp. This was very important for motivating me to carry on learning how to build Unity experiences, as well as code in general.

Once the summer was over, my supervisors and I sat down and started discussing short-term goals to get me learning everything I’d need to learn in order to build interactive AR experiences myself. The first of these goals was to learn Python and C# in order to understand the logic of coding and be able to write my own Unity scripts to control different elements of the software. My supervisor ran me through all the basics in Unity that I might need for the specific things I was going to make, a welcome refresher after the summer school course, and I was sent off to learn my languages. Personally, I found Python quite easy to learn. The logic of the language made sense to me and the online resource I had been recommended taught it in a very hands-on and practical way, with many small assignments to try out new coding knowledge and to keep old knowledge fresh and reinforced in your memory. Also, the course was broken up into bite-size chunks and I found doing a lesson a day over the course of a month a very productive way of learning this language.

C# scripting was a little harder for me to grasp. I don’t know whether it was the difference between it and Python throwing me off or knowing that having to learn this was going to be more important for my PhD, but it took a lot more to try and figure out what I was doing with it. Learning this was done through some of the Unity-provided tutorials, as well as other user-generated tutorials on YouTube. I was also learning how to use Unity to specifically make the first short-term goal project I had been assigned: making videos play in Unity. The Unity video player isn’t completely user friendly and it took a lot of trial and error and searching Unity message boards and community sites to find out how to get it to work in the way I wanted it to. Having got it to work I moved on to controlling it a bit more and building an experience where the audience can press keys to trigger the playing of different video clips. I crafted a game object for each video clip we had and had them generated and destroyed whenever we needed that video playing, depending on the input of the audience. What I ended up with was a functional interactive film about a man trying to find his heart medication, where the audience could decide whether he moved left, right, or had a heart attack at various points in the film. When I showed my supervisors they liked it but found how I had made the film incredibly inefficient, so they tasked me with remaking it so that different videos played on the same game object and not on different ones. This next step proved challenging but eventually I managed to write a functioning Unity script which changed the state of the game object and, once a game object was of a certain state, it would play different videos with different audience responses. It would then change its stage again to allow the experience to progress.

This experience pleased my supervisors, but they didn’t like how making decisions at the wrong times messed the game up, so I had to add delays into the script that stopped audiences making decisions at the wrong points in the experience. Fortunately, this wasn’t too difficult to do, although trying to use time as a function while coding with the video player in mind did prove confusing.

I was also asked to build a restaurant scene and fill it with moving virtual characters, but this was very similar to the summer school exercises and the Unity developer tutorials so this didn’t prove too tricky. Characters were downloaded from Adobe Mixamo, so came with animation cycles attached, and a few YouTube tutorials later I had people looking around and being furious at virtual restaurant tables.

Finally, I was asked to build an AR tester experience. I had to place a virtual character, like those from the restaurant scene, into a real world environment and have them occluded by a real world object, specifically sitting behind and hidden by a real world table. This is something that is surprisingly hard to find official Unity information for. There is lots of help for tracking markers and placing AR content in the real world but not so much for having that content blocked by real objects. I eventually found a YouTube tutorial which addressed a similar problem in a way which allowed me to figure out how to solve my own. They showed how there was a depth occluder material that you could use to create invisible game objects that would block the audience’s vision of the virtual content. Creating a cube the size of a table top and placing it over the lap of my sitting virtual character, then using a placemat as a tracking marker in the real world to position the avatar behind a real table allowed the virtual character to appear as if they were sitting in the real world. The illusion was particularly impressive when the character moved and their arms would disappear and reappear below and above the line of the back of the table. See attached photo for a snapshot of the experience.

If I had any advice to any other researchers looking to get into creating XR experiences, or even just learning to code, it is that there’s no time like the present to start learning. There are plenty of great resources online for free that go through everything you’ll need to know step by step, while also allowing you to navigate through lessons to learn the specific things that you need for whatever project you might be working on. Though getting an understanding of the basics is fundamental, you can pick or choose what of the more specific stuff to learn to suit your needs fairly easily. Also, just like any skill, you’ll need to keep practising. Find some little challenges to work towards, like I had set out for me. There were a few times I’d not focus on coding for a few weeks and then notice that I had forgotten something I definitely knew before and had to go back over previous lessons or code that I had written to find it. Don’t fall for this like I did; keep it up at a steady pace and you’ll be writing code in no time.