One of the central problems of a society steeped in technology is that every innocent software bug potentially opens a malicious backdoor into software. In recent years, this has enabled a new class of criminal behaviour. In criminal thinking, we try to show the many aspects of criminal creativity when looking at technology. The goal is to provoke an understanding of the importance of security and privacy by design in the sense of Bruce Schneier's perspective. He describes security as a complex affair best characterised through an interplay of technological and psychological factors. Students learn to see that creating secure technology for real-life situations necessitates looking beyond the technology itself and considering context, people, social dynamics, etc.
The bulk of this chapter is offered by a security researcher from Secure Business Austria, a TU Wien spin-off research centre. They show how usability has become a core subject of security in recent years, explain the importance of usable security (cf. Krombholz et al. 2017), and show how security problems have reached a new level with the Internet of Things.
The remainder of the chapter is spent talking about the emerging business models of criminal thinking in informatics: herding botnets, ransomware, DDoS blackmail, etc. While discussing these nefarious uses of technology, we introduce a number of technical concepts associated with security, such as vulnerability, exploit, zero-day and internet background radiation, and discuss the conditions that enable social engineering.
Calls for discussion
Where do you think we could improve this chapter? Are we missing essential bits?
Do you think there should be exercises that enable students to understand criminal thinking/security by design/privacy by design? What could such exercises look like, given that most students have little or no coding expertise?