Building Attacker Personas in Practice — a Digital Banking Example

In this short paper, a framework for building attacker personas based on a 10-step process model borrowed from user-centred design is proposed and applied to digital banking. In line with conventional personas, attacker personas are archetypical attackers to a system and ideally characterise the full threat landscape to a system. Benefits of attacker personas are currently seen in the context of generic security awareness programmes, usage by security experts alongside other threat modelling techniques and to ‘make threats real’ for non-experts in an organisation. However, attacker personas are by no means a mature method in information security—the largest drawback is currently a lack of their integration into threat modelling and the wider security management environment. The research report presented here covers the chosen methodology including data sources as well as the seven attacker personas proposed for digital banking systems. This work is primarily viewed as a basis for discussion to help foster methodological advancement for building better attacker personas in the future. Current limitations as well as potential future research directions are therefore given in the last part of this paper to promote discussion and collaboration with others in academia and industry.

Content

Author and article information

Contributors

Caroline Moeckel

Conference

Publication date: July 2018

Publication date (Print): July 2018

Pages: 1-5

Affiliations

[0001]Royal Holloway, University of London

Egham Hill, Egham TW20 0EX, UK

Article

DOI: 10.14236/ewic/HCI2018.147

SO-VID: 3b149b00-1bca-4242-acae-28d4c3de3cc0

License:

This work is licensed under a Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

Conference name: Proceedings of the 32nd International BCS Human Computer Interaction Conference

Conference acronym: HCI

Conference number: 32

Conference location: Belfast, UK

Conference date: 4 - 6 July 2018

Conference sponsor: Electronic Workshops in Computing (eWiC)

Conference theme: Human Computer Interaction Conference

History

Product

1477-9358 BCS Learning & Development

Self URI (article page): https://www.scienceopen.com/hosted-document?doi=10.14236/ewic/HCI2018.147

Self URI (journal page): https://ewic.bcs.org/

References

T. AdlinJ. Pruitt 2010 The essential persona lifecycle: your guide to building and using personas. Elsevier
A. AtzeniC. CameroniS. FailyJ. LyleI. Flechais 2011 Here’s Johnny: a methodology for developing attacker personas 2011 Sixth International Conference on Availability, Reliability & Security Vienna 2011 722 727
S. BødkerE. Christiansen 1997 Scenarios as springboard in CSCW design S. S. G. BowkerW. TurnerL. Gasser (Eds.) Social science, technical systems and cooperative work 217 234 London Lawrence Erlbaum
BCS - British Computer Society 2014 Cybercrime Forensics Specialist Group Brieﬁngs. Compiled by Denis Edgar-Nevill (Canterbury Christ Church University), available via group distribution list 2010 2014
CCCD - Cambridge Computer Crime Database - Hutchings A 2018 http://www.cl.cam.ac.uk/~ah793/cccd.html (16 April 2018)
J. M. Carroll 2000 Making Use: scenario-based design of human-computer interactions Cambridge, Mass MIT Press
R. ChiesaS. Ducci 2009 Profiling Hackers CRC Press, Taylor & Francis
A. Cooper 1999 The inmates are running the asylum SAMS
A. CooperR. Reimann 2007 About Face 3.0: The essentials of interaction design Wiley
FBI - Federal Bureau Investigation 2018 Cyber’s Most Wanted http://www.fbi.gov/wanted/cyber (16 April 2018)
Images Getty – iStock database 2018 Source for attacker persona images – IDs for purchased images: 82011555, 247519731, 249380561, 125323949, 125705417, 117226075, 249461806, 249461806 http://www.istockphoto.com (16 April 2018)
K. Goodwin 2009 Designing for the digital age: how to create human-centred products and services Wiley
J. GrudinJ. Pruitt 2002 Personas, participatory design and product development: An infrastructure for engagement PDA
Times Gulf 2014 80 detained in global cyber-crime takedown http://www.gulf-times.com/story/392708/80-detained-in-global-cyber-crime-takedown (16 April 2018)
D. Ki-AriesS. Faily 2017 Persona-centred information security awareness Computers & Security 70 Sept. 2017 663 674 Elsevier
L. Nielsen 2007 10 steps to personas http://personas.dk/wp-content/LOWRES-Personas-english-version-oktober-200821.pdf (16 April 2018)
L. Nielsen 2013 Personas - user focused design Springer
A. Shostack 2014 Threat modelling: designing for security John Wiley & Sons
A. SteeleX. Jia 2008 Adversary-centred design: threat modelling using anti-scenarios, anti-use cases and anti-personas International Conference on Information and Knowledge Engineering (IKE 2008) Las Vegas, Nevada, USA July 14-17, 2008 CSREA Press

Comments

Comment on this article

[1] T. AdlinJ. Pruitt 2010 The essential persona lifecycle: your guide to building and using personas. Elsevier

[2] A. AtzeniC. CameroniS. FailyJ. LyleI. Flechais 2011 Here’s Johnny: a methodology for developing attacker personas 2011 Sixth International Conference on Availability, Reliability & Security Vienna 2011 722 727

[3] S. BødkerE. Christiansen 1997 Scenarios as springboard in CSCW design S. S. G. BowkerW. TurnerL. Gasser (Eds.) Social science, technical systems and cooperative work 217 234 London Lawrence Erlbaum

[4] BCS - British Computer Society 2014 Cybercrime Forensics Specialist Group Brieﬁngs. Compiled by Denis Edgar-Nevill (Canterbury Christ Church University), available via group distribution list 2010 2014

[5] CCCD - Cambridge Computer Crime Database - Hutchings A 2018 http://www.cl.cam.ac.uk/~ah793/cccd.html (16 April 2018)

[6] J. M. Carroll 2000 Making Use: scenario-based design of human-computer interactions Cambridge, Mass MIT Press

[7] R. ChiesaS. Ducci 2009 Profiling Hackers CRC Press, Taylor & Francis

[8] A. Cooper 1999 The inmates are running the asylum SAMS

[9] A. CooperR. Reimann 2007 About Face 3.0: The essentials of interaction design Wiley

[10] FBI - Federal Bureau Investigation 2018 Cyber’s Most Wanted http://www.fbi.gov/wanted/cyber (16 April 2018)

[11] Images Getty – iStock database 2018 Source for attacker persona images – IDs for purchased images: 82011555, 247519731, 249380561, 125323949, 125705417, 117226075, 249461806, 249461806 http://www.istockphoto.com (16 April 2018)

[12] K. Goodwin 2009 Designing for the digital age: how to create human-centred products and services Wiley

[13] J. GrudinJ. Pruitt 2002 Personas, participatory design and product development: An infrastructure for engagement PDA

[14] Times Gulf 2014 80 detained in global cyber-crime takedown http://www.gulf-times.com/story/392708/80-detained-in-global-cyber-crime-takedown (16 April 2018)

[15] D. Ki-AriesS. Faily 2017 Persona-centred information security awareness Computers & Security 70 Sept. 2017 663 674 Elsevier

[16] L. Nielsen 2007 10 steps to personas http://personas.dk/wp-content/LOWRES-Personas-english-version-oktober-200821.pdf (16 April 2018)

[17] L. Nielsen 2013 Personas - user focused design Springer

[18] A. Shostack 2014 Threat modelling: designing for security John Wiley & Sons

[19] A. SteeleX. Jia 2008 Adversary-centred design: threat modelling using anti-scenarios, anti-use cases and anti-personas International Conference on Information and Knowledge Engineering (IKE 2008) Las Vegas, Nevada, USA July 14-17, 2008 CSREA Press

Celebrating 65 years of The Computer Journal - free-to-read perspectives - bcs.org/tcj65