Stories of cyber security breaches have become a regular occurrence in the media. Companies and banks have been scammed out of money; customer details have been stolen from phone companies and credit agencies; the NHS was forced to cancel and postpone procedures following the WannaCry incident. Even the largest and most capable technology companies such as Google and Facebook have fallen victim to hackers. There has been a corresponding response from academia and law enforcement, with the creation of the National Cyber Security Centre in 2016 and the growing number of cyber security courses offered by universities and industry. These real-life events have been mirrored in an increasing public interest in hacking and hackers, illustrated by the popularity of such TV shows as Mr Robot.
Given the technological nature of cyber security, it can be easy to forget the role of people in cyber security, but every cyber security incident only occurs because of a series of decisions and actions by individuals. Many cyber security attacks rely on tricking a target in some way, such as through opening a malicious link or divulging sensitive information. The attackers themselves may have complex motives for selecting and pursuing targets – the stereotype of the hoodie-wearing hacker seeking to steal credit card numbers is an over-simplification. In the case of hacktivism, individuals may make use of hacking skills to challenge social injustice or oppressive regimes. Many of those who may be labelled hackers work for the benefit of society by identifying vulnerabilities in computer systems and reporting these problems to the organisations and companies involved.
Dr John McAlaney, Associate Professor Jacqui Taylor and PhD researcher Helen Thackray of the Department of Psychology work alongside colleagues in the Bournemouth University Cyber Security Research Group to understand the people behind the computer screens. This aims to include all of those who have a stake in cyber security – the public, the cyber security practitioners and those who seek to identify, and in some cases exploit, the weaknesses in computer systems. An example of this is the work currently being undertaken in researching the social identity and group dynamics of hackers and hacktivists. This is done through spending time on relevant web forums, conducting interviews online and visiting events such as the DEF CON hacking conference, attended every year by approximately 20,000 people in Las Vegas. This work has already produced some novel insights into how people involved in hacking communities share knowledge and skills to overcome substantial technological and societal challenges.
Dr John McAlaney and colleagues work together to bring these research ideas to the public, industry and government. In November 2017 he spoke about the role of psychology in cyber security at an event hosted by the Foreign and Commonwealth Office at the University of Manchester, which was attended by industry and government officials from several Gulf countries. This was followed by a trip in December 2017 to speak at the ‘Realigning Cyber Security Education’ event hosted by the Australian Defence Force Academy to discuss how to incorporate psychology into the education of the next generation of cyber security practitioners. Future work will continue to explore how psychology can be used to address the challenges in cyber security that technology alone cannot.