Hacker: Crook or Crusader

so I'm Lauren thanks you run for having me here today it's a really big honor to be at this conference and talking on people who are really industry leaders in this area so I haven't committed my speech to memory so just be with me as I read my notes today I'm presenting a very short summary of my honours research that I've just finished so I'm currently doing my master's degree and information systems I'm here at Vic and I also work with a great group of people at PwC and the cyber team just in advance I apologize for the use of the word cyber especially given the previous talk but I do agree with that talk as

well so yeah so I'm Peter we see is a graduate security analyst now and I've been there since seize out of the year so thankfully the phenomena that I set out to prove and my research actually exists or at least albeit with a small sample that I took so are we taking my findings to a larger scale over summer for completion of my master's degree yeah so I apologize for the use of the word cyber my research has a few purposes so the overarching purpose being to prove what I was observing was actually taking place so I've noticed people and you guys for the hem as well typically non security specialists or non techies in general like in a broader

sense they tend to hold some really specific thoughts and opinions of who or what a heck it might be I cringed at the use of the word hacker so I didn't attempt to define the word but I just let it be so I feel like pop culture news media and generally speaking the sensitive nature of security or factorization would contribute to those perceptions so a way that I like to explain this explain this in short to people it's by asking the simple questions so oh sorry oh my goodness sorry just be with me okay so by asking a simple question so how do you picture what do you picture when you might when someone sees hacker generally

this explains the existence of the phenomena that I set out to prove but if I were to ask this audience right here I'd probably get a totally different response or at least I hope I'd get a really different response so nonetheless if you picture a teenager in a dark room awake all night hacking whatever that might be then you're not alone so my research sample thanks the same with some interesting findings so to investigate this phenomena I crafted two research questions as a starting point what stereotypes if any does the general public associate with terms including hacker hacking cybercrime or computer computer hacker and what are the characteristics of these perceptions so be honest what are the social

governmental and business implications for how these perceived hackers are portrayed and public discourse so the problems caused by these perceptions developed as I conducted the research yes it's bad that people assume hackers to fit a certain mold but what's worse than this is the disconnect and lack of fear or awareness a lot of people have this reflex and their own security behaviors the lack of awareness was extremely apparent and what's worse is the company lack of care so to quote one of my interviewees my if postponed is the same as my phone pin haha actually probably change that which yeah you can make of that what you will so then I wondered what are the implications of

this beside really for security what does this mean for wider society let alone the security industry but also like why have I opened this can of worms so like most research I spend a lot of my time performing my literature review and at the side of my university career I never imagined I'd have to analyze Angelina Jolie's 90s classic hackers but here we are and as expected it didn't help me to define hacking but it did act as an integral influencer to society's perceptions of hacking so I mean about proving this problem through a qualitative assessment of my findings which were gathered through a series of ten interviews of teen people or confidential in nature these 10 people

were intended to represent society and to address the elephant in the room I realized that teen is a really small sample to conduct from but I wanted to use qualitative methods at least to begin with so I could gather data that I couldn't really measure with numbers however I plan to move to a quantitative for my next stage so I can like really have a broader scale for my research so the individuals who participated were from a range of professions some of which include a hairdresser a wine grower and electrician carpenters and importantly one security professional and other professions including some students so 19 questions were developed and of these questions were five topics and including

attitudes to attacking personal security behaviors hacktivism piracy and legal matters so now to get to the surprising and the unsurprising findings starting with awareness so important to note here as the asterisk which means that whatever is stated as excluding the security specialist who I interviewed thank god so he essentially ended up being a control of sorts so that was good so all interviewees excluding the specialist expressed confusion towards a topic of cyber crime a lot of arms and as we said as well as a lot of I don't knows relating to all five question topic areas again none of the interviewees apart from the security specialist knew what the suit was or what the function

may include people did make some reasonable assumptions though including cert being a fire brigade for computers and just important to note here when I was a sitting cert I wasn't assessing so indeed specifically but rather suits as a I guess global industrial construct so the next section being understanding nine out of ten interviewees were accepting or not concerned about piracy despite admitting to protecting in it and while I hold no no opinion about piracy I found it alarming that none of these individuals had heard of VPN so it appeared that a major disconnect existed with individual understandings of cybercrime and the lack of security measures that people had in place so if you were aware that cybercrime is a

problem but don't seem to really relate it to their lives it's like a dissonant message that they just don't act upon apart from the security specialist possibly the most important topic was influence which drew forth some alarming but not really surprising results so seven out of ten individuals solely reference external means for their reasoning such as online sources and news media and only three drew from internal reasoning such as comparison to other crimes or experience be it personal or otherwise so of the sample of ten nine people worst confusion frustration or general concern for the poor media portrayal of cyber security related events so I say cyber security really broadly because to some people that means to come calm but to some

people what it means like completely different things altogether but I deliberately didn't to define that sort of realm so I found it really concerning which raises another problem that people are consuming media from sources they consider unreliable but they're not really bothering to get to the truth so I don't know about you guys but I find that quite worrisome so I found some unexpected findings about perceived characteristics of hackers I'm sorry for the boring table but I think it's pretty good so sex people feel that heck is illogical technically smart or something along the lines of intelligent this was an unexpected finding as for the previous literature that Odysseus so an odd utilization or assumption

appeared so here we are and it's not targeted at anyone so four out of ten individuals mentioned participation and World of Warcraft to be an attribute of a hacker make of it what you will and I didn't remotely prompt people to mention World of Warcraft it was rather from participant made comments alone so I figured this might be a reference to like gaming and gaming culture in general and this was just how people kind of explained it because it might have stood out as like a prolific example but nonetheless that forms a notable trend so general nerdiness was mentioned as well as being awake all night I feel like my participants might know some pretty committed gamers or

what they deem to possibly be hackers so another boring table I'm sorry but I also measured the frequency and nature have sent out cyber related events their participants mentioned so broadly and the realm of cyber so the chemcam saga was mentioned by nine out of ten interviewees and I'll get to why shortly but you can probably imagine why so monochrome was mentioned either directly or indirectly three times as was snowed Edward or should I say it would Snowden and the American elections mentioned in a very broad sense so important to note here there were more characteristics that were mentioned but I'm just including the ones that had really high frequencies so people reiterated across the interviews their confusion about

these about these in other events so two admitted they tried to follow news headlines about these particular incidents but found it too difficult to follow and otherwise didn't know really like where to find out more so the coats the quite sunscreen demonstrate this but there are certainly more throughout my transcripts of the similar sorts of comments alluding to the same things all right so to long didn't read or what academics refer to is the conclusion what does this all mean so a high level of participation oh sorry a high level of intelligence participation in Wow and general nerdiness are characteristics of a hacker at least for the sample that I get it it seems a few of my friends

might be hackers after all based on this logic furthermore the chemcam saga for which I hold a neutral stance was a standout event related to cyber metas generally at least to non-specialists so most importantly and unexpectedly interviewees were mostly dissatisfied with media reporting on the topic of chem comm and wider security security and cyber crime related events so what do these mean for the widest cyber security industry I can assume from my findings that sorry that the perceptions were taken generally they may cause social government to and business implications whether we realize it or not importantly I think my findings are significant to policy development going forward and IT and security areas because individuals and organizations

may act according to these perceptions or at least their preconceived ideas or lack of care and awareness so distrust for news media has major repercussions what sources will people turn to if they don't know who to trust and of course security behaviors so if people think that hackers are just well players who have too much time they may be a little bit less inclined to improve their security practices and this definitely relates to an organizational level as well so just because the crime may be less tangible than a physical crime it doesn't really make it any less damaging and hopefully we're all aware of that so that pretty much wraps up my talk and thank you all for listening to my first

ever talk so if you want to find out more I definitely want to hear people's critiques constructive criticisms and this sort of thing along these lines so hit me up at my Twitter will talk to me after this you