Socionomics and Information Security
Author: Virgil Vanduva
July 2008
Generally speaking, the Information Security world lacks the metrics necessary to generate awareness about potential security incidents or perhaps forecast incidents based on social human behavior. Metrics in this field would help us determine trends, and would even help us visualize progress or regress based on both herding behaviors experienced in the business world and also waves of past successful attacks. An understanding of the socionomic aspects of Information Security could also help our organizations become more efficient by not allowing herding behaviors to dictate spending on information security and reaction to security events.
In the 1930s, Ralph Elliott developed the Elliott Wave Principle, a technical analysis method attempting to forecast trends in stock markets. Elliott ultimately posited that a collective crowd psychology is largely responsible for swings from optimism to pessimism in the markets, swings which can potentially create patterns that can be measured, visualized and ultimately forecast. Even more fascinating, it was observed that there is a strong relationship between the Fibonacci sequence and the wave structure proposed by Elliott – the Fibonacci sequence is a sequence of integers which starts with 0, then 1, with each following number equal to the sum of the previous two numbers of the sequence: 0, 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, etc.
While the space and scope here do not allow a detailed discussion of the Elliott wave or the Fibonacci sequence, it is extremely interesting to note that the principles Elliott observed in the stock markets apply to other aspects of not just human existence, but nature in general. For example, perhaps for efficiency reasons, seed pods inside sunflower heads are arranged in spirals of 34 and 55, with a Fibonacci number of spirals also. Many flowers have a Fibonacci number of petals, and many tree and plant branches have a Fibonacci number of growing points. Likewise, a head, branch and leaf of broccoli have a similar fractal relationship with each other. Ultimately, there is a more-than-random relationship between the Fibonacci sequence and the fractal nature of life and human behavior, behavior which drives stock markets, financial forecasting, and even Information Security trends.
Socionomists like Robert Prechter, the author of The Wave Principle of Human Social Behavior and the New Science of Socionomics, are successfully demonstrating how the observation, study and use of fractals and of herding behavior can help us better understand the rhythm of human activity and perhaps even develop forecasting methods for non-financial markets. For example, in the context of determining objectives accurately in light of what others do, Prechter writes, “This is why social trend changes always come as a surprise… while generally a human does not consciously plan to herd or think he is herding, his unconscious mind may harbor a few simple rules relating to the behavior of others that tend to make him an unknowing participant in the herd.” (Robert Prechter, The Wave Principle, p. 164)
Interestingly, both information security professionals and “the bad guys” seem to be suffering from such behavior. We have all seen various “technology epidemics” come and go; two years ago the rage was all about vulnerability assessments; last year PCI compliance swept through, while this year e-Discovery seems to be picking up steam. Yale economist Robert Shiller used the word “contagion” when describing the psychology behind some of those trends, especially in the financial markets. A sort of social hysteria is characteristic of the herding tendencies of every profession, with Y2K being the clearest and most recent example of inefficiencies and wasteful spending by organizations across the world. We often allow crowd psychology to dictate our security posture, policies, reaction, and therefore spending.
In analyzing attack trends and herding by attackers, my metrics indicate a socionomic aspect to attackers’ behavior. For example, my SPAM observations for the month of January 2008 indicate a direct Fibonacci correlation between the amount of good E-mail, the number of SPAM attacks, and the day of the week. As you notice below, the SPAM input varies pseudo-predictably, with Sunday being the least busy day of the week; the herding aspect again comes into play, but from a completely different perspective: perhaps spammers are taking weekends off to hang out with family or friends, or even more likely, many spam-sending bots are being powered off during the weekends, when the owners of the machines are also more likely to spend time interacting with other humans rather than using the computer, therefore impairing spam-sending operations.
The metrics used are, as I already implied, fractal in nature as well. If we “zoom out” and look at the past 12 months of SPAM activity, we will observe similar Fibonacci behavior, with lower output in the summer, when humans spend less time in front of a computer, and higher SPAM output in the months of fall and winter. SPAM attacks are also at their lowest during national holidays and natural disasters.