The Institute co-sponsored this summer school alongside the Kent Interdisciplinary Research Centre in Cyber Security (KirCCS) and the International Association for Research in Economic Psychology. The summer school took place in July 2019 at the University of Kent in Canterbury, with around 30 participants from academia, law enforcement, policy making and business attending. The school was organised by Jason Nurse, Edward Cartwright and Anna Cartwright.
Background: Most instances of fraud and cyber-crime result from a combination of social engineering and human ‘vulnerability’. Criminals use a range of techniques, from intimidation to friendliness, in order to engage with, and ‘game’ victims, ultimately for the purpose of defrauding them. These techniques are arguably best understood through the lens of psychology. But we should also recognise that the manipulation revolves around money and so behavioural economics and the economics of crime can provide important additional insight.
While there is a burgeoning literature on cyber-psychology, there is relatively little work on the interplay between economics, psychology and cyber-crime. This summer school and workshop has the intention of exposing junior researchers to the background knowledge they would need to work in this area. In doing so it can help to build a cross-disciplinary network of collaboration and stimulate future research in this area. We welcome a number of guest speakers from academia, law enforcement and business to help create a vibrant and diverse environment.
The objectives of the summer school were to: (1) Provide PhD students, post-docs and early career professionals with a good overview of the issues around social engineering (including phishing, smishing etc.) and associated forms of fraud and cyber-crime. (2) Review the current literature, research methods and findings in the topic space. This includes both quantitative and qualitative methods. (3) Provoke discussion on how we can improve academic understanding of fraud and cyber-crime, particularly with a view to protecting individuals and organisations. (4) Expose participants to a cross-disciplinary environment which can hopefully ignite future collaborative research.
Monday 15th July 12:00 – 17:30
Back to basics: Understanding cyber-crime, social engineering (phishing, smishing, vishing) and fraud. This session, led by Jason R.C. Nurse, evidenced the prevalence of these crimes and the range of subsequent crimes/cyber-crimes that can follow them (e.g., fraud, ransomware, sextortion). It also explored solutions for cyber-crime, social engineering and fraud, in particular what exists and what may still be missing. Common topics are campaigns to counter social engineering crimes and their drawbacks.
Profiling cyber-criminals: The purpose of the session led by guest speaker Maria Bada (Cambridge Cybercrime Centre, University of Cambridge) was to consider the perspective of the cybercriminal and reflect on the background and different models of inductive and deductive criminal profiling. This narrows our focus on cybercrime to examine the perpetrators themselves, including their motivation, their characteristics and the types of cybercrimes certain attackers may be likely to engage in.
From the front lines: A law enforcement perspective. This session was led by guest speaker Aimee Payne, a Cyber Protect and Prevent Officer for Kent Police. It provided an overview of how cyber-crime is impacting local communities and business. The session also allowed discussion on the initiatives police forces are taking, and the challenges they face, in combatting and dealing with cyber-crime.
Tuesday 16th July 9:30 – 17:30
Are cyber-criminals psychologists? This session, led by Jason R.C. Nurse, explored and engaged in a critical discussion about the psychological mechanisms that criminals exploit to commit fraud and cyber-crime. Through a number of case examples it showed how criminals craft attacks based on how humans think and act. Furthermore, the session reviewed the literature on victims of fraud.
The psychology behind (in)secure behaviour in the workplace: This session was led by guest speaker Emma Williams (School of Psychological Science, University of Bristol) and explored the context of employees in organisations, and individuals at home, in order to consider potential mechanisms that could be put in place to reduce the incidence of fraud and cyber-crime.
£27 billion or £1.2 million: Measuring the costs of cyber-crime and fraud in the UK. This session, led by Edward Cartwright, reviewed attempts to quantify the costs of cyber-crime. It looked at the difficulties and challenges in measuring the cost of cyber-crime, as outlined in the 2018 review by the Costs of Cyber Crime Working Group. It also contrasted the costs of cyber-crime with those of fraud enabled by cyber-crime, using the TalkTalk hack as an interesting example.
To pay or not: The economics and game theory behind ransomware and crimes of extortion. This session, led by Anna Cartwright, with input from Darren Hurley-Smith, focused on financially motivated crimes of extortion. It reviewed evidence on the profits of criminals, estimated by tracking bitcoin payments, and the willingness of victims to pay ransoms, estimated from surveys. The session also introduced basic techniques of game theory and showed how they can be used to study ransomware and its likely future evolution.
Busy entrepreneurs: Cyber security of small traders and small business. This session, led by Edward Cartwright, looked at the incentives and barriers facing small businesses in becoming cyber safe. The session looked at Cyber Essentials and the NCSC Small Business Guide, both in terms of the technical controls they suggest and the challenges businesses face in implementing them. The session also discussed the role of cyber insurance.
Wednesday 17th July 9:30 – 14:00
This day was intended for a general discussion on the human aspects of cyber-crime and online fraud. Participants of the summer school had the chance to talk about the work they are doing on cyber-security. We heard about a large range of topics, from the online wildlife trade and local initiatives with law enforcement to interesting new experiment and survey results.
The summer school finished with a networking lunch with the chance to interact with core and associate members of the Kent Interdisciplinary Research Centre in Cyber Security.