Technology Identifying Users Vulnerable to Increasingly Sophisticated Cyber-Attacks

Damage from cyber-attacks spreading to public

A cyber-attack is an attempt to gain unauthorized access to a target computer or network via a computer system or the Internet, with intent to defraud or to destroy or alter data. According to a survey by the National Institute of Information and Communications Technology, the number of cyber-attacks reported in Japan during 2014 totaled about 25.6 billion, nearly double the figure for the previous year. Thus, there is concern about the escalation and advancement of cyber-attacks.

The following methods are used for cyber-attacks: breaking into a specific website and altering its content; crashing a website through concentrated access; and sending large amounts of E-mail containing computer viruses.

We often hear of cyber-attacks in which user IDs and passwords are stolen, and as a result the damage caused by cyber-attacks has been spreading to the general public. The risk of exposure to a cyber-attack has increased for both companies and individuals.

Standardized security measures insufficient for targeted attacks and human error

In recent years, one mainstream cyber-attack technique has been the targeted attack, which focuses on a specific organization. In a targeted attack, attackers attempt to break into organizations by exploiting psychological vulnerabilities. For example, an attacker may send an E-mail to the Customer Service Desk while pretending to be a customer, attach viruses to files likely to be opened by recipients, or trick recipients into clicking malicious links. There has also been an increasing number of attacks in which attackers find websites frequently accessed by the targeted organization’s users, hide viruses in those websites, and wait for users to access them.

As human errors, such as "carelessly clicking on malicious links," depend on individual traits or the nature of the job, there is a limit to the effectiveness of standardized security measures. Under these circumstances, it is all the more important to be able to quickly identify users most at risk of cyber-attacks and to develop protective security measures tailored to individuals or organizations.

Quickly identifying users likely to be victimized and developing protective security measures

Fujitsu has developed the ICT industry’s first technology for identifying users vulnerable to cyber-attacks based on the ways they use their computer, such as E-mail and web behavior. This will make it possible to implement security measures tailored to individuals and organizations.

Fujitsu surveyed 2,000 Japanese employees in their 20s through 60s concerning three kinds of attack (virus infections, scams, and data leakage), then analyzed the psychological traits of users vulnerable to those attacks. At the same time, Fujitsu calculated each user's risk of victimization from behavioral and psychological characteristics, derived from the ways they use their computers.
From the results of the analysis, Fujitsu drew the following insights: "people who prioritize benefits over risks are more vulnerable to virus attacks," "people who are highly confident in their ability to use a computer are at higher risk of data leakage," and "people who spend little time reading privacy policies are at higher risk for virus infection."

These insights can be used to tailor security measures accurately: improving user literacy by displaying individualized warning messages to users who often click on URLs in suspicious E-mails without checking them carefully, or escalating the threat level of a suspicious E-mail sent from departments with virus-prone users.

Fujitsu hopes to implement this technology commercially in 2016, and is working to detect user vulnerability to attacks more accurately. Fujitsu aims to realize a safe and secure Internet by implementing effective security measures that align with users' psychological and behavioral traits, reducing damage from vulnerabilities and human error.

(Part of this research was carried out under contract of the Ministry of Internal Affairs and Communications for a project called the "R&D of Detective and Analytical Technology against Advanced Cyber-attack.")