Man-At-The-End attacks: Analysis, taxonomy, human aspects, motivation and future directions

Man-At-The-End (MATE) attacks and fortifications are difficult to analyze, model, and evaluate, predominantly for three reasons. Firstly, the attacker is human and therefore brings motivation, creativity, and ingenuity. Secondly, the attacker has limitless and authorized access to the target. Thirdly, all major protections stand up to a determined attacker only for a certain period of time. Digital assets range from business to personal use, from consumer devices to home networks, the public Internet, the cloud, and the Internet of Things, where traditional computer and network security are inadequate to address MATE attacks. MATE is fundamentally a hard problem. Much of the existing effort to deal with MATE attacks is purely technical, though security is more than just a technical issue. The main objective of the paper is to mitigate the consequences of MATE attacks through the human element of security and to highlight the need for this element to form part of a holistic security strategy alongside the necessary techniques and technologies. This paper contributes by taking software protection (SP) research to a new realm of challenges. Moreover, the paper elaborates the concept of MATE attacks, their different forms, and the analysis of MATE versus insider threats to present a thematic taxonomy of a MATE attack. The paper also highlights the fundamental concept of digital assets, and the core protection mechanisms and their qualitative comparison against MATE attacks. Finally, we present state-of-the-art trends and cutting-edge future research directions for young researchers and professionals, taking into account only the human aspects.
