Cybersecurity Personas, Use Cases, and Access Patterns

80 min readJun 14, 2018

In order to properly put cybersecurity in context, it is important to understand the many use cases and access patterns of the many personas using modern connected digital systems.

This informal paper covers both cybersecurity professionals and all other individuals and groups whose daily lives have some cybersecurity aspect even if they themselves are not a cybersecurity professional. This includes technical workers, nontechnical workers, managers, executives, users, consumers, government workers, children, teenagers, the elderly — anybody who uses a computer or computing device and the Internet.

Introduction to personas, use cases and access patterns

A persona is simply a type of person who has a type of role. They may have a worker role, a consumer role, or maybe a management role, as just a few examples.

An access pattern is a type of operation, function, activity, or task that a person (persona) is performing. Sending or receiving an email message, posting on social media, or buying something online are examples of access patterns.

A use case is a type of larger context for the objectives or purpose for which a person (persona) is engaging in activities and tasks (access patterns.) Email, social media, ecommerce, business applications, and industrial process control are examples of use cases.

Personas are especially significant since different personas have different interests and needs in the cybersecurity domain. Consumers, employee end users, IT staff, security experts, and management all have very important roles in cybersecurity, but they are all approaching the same core problem from widely varying perspectives.

Cybersecurity is a multifaceted problem, each facet having unique even if overlapping requirements.

For example, training. Everybody needs it, and even though there is indeed overlap, each facet or persona needs its own special focus. There is not and cannot be a single, one-size-fits-all training program for cybersecurity. Some people have deeper needs and stronger interests, while others have lesser needs and interests or more limited attention spans. To each his own.

Different personas have different degrees of focus on cybersecurity. For some, it is a full-time job. For others, it is a part-time job but a very significant portion of their time. While for others, it is only a modest fraction of their time. And for many, it is a relatively insignificant portion of their time, energy, and attention and focus. At least until something goes horribly wrong.

Similar for use cases. Yes, there is overlap, but email, identity management, social media, network security, endpoint management, physical machine security, and remote command access are all fairly distinct cases.

Similar for access patterns, the specific operations, activities, and tasks that the many personas perform when using connected digital systems. There can be significant overlap for access patterns between personas and use cases, but there are many distinctive access patterns peculiar to specific personas or use cases.

Audience — baseline foundation reference

This paper, as informal as it is, is still much too dense for casual readers.

It is intended as a baseline foundation reference for anybody seeking a deep foundation upon which to build a strategy for dealing with cybersecurity.

It is not the only reference needed, but one of the references.

For example, the NIST frameworks, among others, are essential baseline references as well:

They are good, but focus more on the specific needs of cybersecurity professionals, while this paper covers all other roles as well.

Relation to NIST NICE Cybersecurity Workforce Framework

The National Institute of Standards and Technology (NIST) has a framework called the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, or NICE Framework or just NICE for short, which categorizes and describes cybersecurity work.

A key difference between the focus of NICE and this paper is that NICE is limited to only workers in the field of cybersecurity, cybersecurity professionals, whereas this paper also focuses on all other workers outside of cybersecurity per se but who are even tangentially or remotely involved or even merely impacted by cybersecurity.

As per NIST,

The NICE Cybersecurity Workforce Framework (aka the NICE Framework)(link is external) NIST Special Publication 800–181, is a national focused resource that categorizes and describes cybersecurity work. The NICE Framework, establishes a taxonomy and common lexicon that describes cybersecurity work and workers irrespective of where or for whom the work is performed. The NICE Framework is intended to be applied in the public, private, and academic sectors.
The NICE Framework is comprised of the following components:
1. Categories (7) — A high-level grouping of common cybersecurity functions.
2. Specialty Areas (33) — Distinct areas of cybersecurity work.
3. Work Roles (52) — The most detailed groupings cybersecurity work comprised of specific knowledge(link is external), skills(link is external), and abilities(link is external) required to perform tasks(link is external) in a work role.

For a general overview of NICE, see:

https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework

For the actual NICE Framework, see:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf

This paper includes the NICE concept of work roles within personas, and the concept of tasks under access patterns.

Some of the categories of common cybersecurity functions and specialty areas of cybersecurity work from NICE are covered by use cases and access patterns in this paper. Many others are simply beyond the scope of this paper and amply covered by NICE anyway.

The knowledge, skills, and abilities areas of NICE, as well as most tasks of NICE are specific only to cybersecurity professionals and are thus beyond the scope of this paper.

An accurate statement would be that NICE and this paper intersect or overlap.

Another way of putting it is that NICE and this paper complement each other.

Again, the majority of personas, use cases, and access patterns of this paper are beyond the scope of NICE since they involve workers and non-workers who are not dedicated cybersecurity professionals.

Beyond the scope of this paper

There are very important aspects of cybersecurity which are beyond the limited scope of this paper. Many of them are adequately covered elsewhere already, and many are deserving of better coverage eventually, just not here and now. They include:

Vulnerabilities, exploits, and threats. This paper does not attempt to catalog all vulnerabilities, exploits, and threats per se. The focus is on people and activities which could be threatened or attacked. Use cases and access patterns will include some but not all vulnerabilities. The goal here is to summarize legitimate activities and actions which can be compromised and are in need of being protected from attack.
Defense. The many methods and mechanisms for defending against cyberattacks.
Response. The various responses to cyberattacks.
Recovery. The various methods and processes for restoring normal operation after a cyberattack.
Best practices. Specific and general technical and management methods and processes.
Frameworks. General guidance on approaches to cybersecurity.
Standards. Codified best practices.
Certification. Testing and validation of knowledge and expertise of practitioners.
Job titles.
Competencies.
Degree of knowledge and expertise.
Awareness level.
Knowledge level.
Skill level.
Ability level.
Experience level.
Competence level.
Competence span.
Confidence level.
Attention level.
Career development.
Specific training. Beyond highlighting need to uniquely train each specific persona.

Some of these aspects will frequently appear in personas, use cases, and access patterns, but only to a limited degree, designed to illustrate rather than to offer comprehensive coverage.

Also see the NIST Frameworks for coverage of some of these aspects of cybersecurity:

Cybersecurity affects everything for everyone in every way

Unlike most narrow, specialized domains where relatively short lists of personas, use cases, and access patterns can readily be identified, cybersecurity applies to everything, for everyone, in every way.

Everybody has data of some form. Or somebody has data about them.
Everybody has connected access to the Internet. Or patronizes some business or government service which is connected.
Every organization has data.
Every organization has services connected to the Internet.
Every organization is connected to the Internet.
Every form of access to every form of data, services, and code has cybersecurity vulnerabilities.

Okay, yes, sure, there are always exceptions to every general rule.

Yes, there are people who do not use the Internet, but how many of them don’t make use of businesses or government agencies which maintain data about them that might be on a computer — and could conceivably be compromised?

And, sure, there are some, few, very small businesses who don’t use the Internet in any way, but do they also refrain from using banks, which might keep some data on the Internet?

And, some older, legacy computers are not connected to the Internet.

Fine, yes, there will be exceptions, but the general rule remains intact and valid — virtually everyone and everything is affected by data and cybersecurity in at least some way.

In short, everyone belongs in one or more personas in the domain of cybersecurity.

Tale of two circles — the little circle and the big circle

As mentioned at the start, this paper covers both cybersecurity professionals and everybody else who uses a computer or computing device, or interacts with an organization which does so, directly or indirectly. The former can be referred to as the little circle and the latter as the big circle.

The little circle, cybersecurity professionals, is the more limited subset of all individuals and groups using computers and the Internet.

The big circle is everyone, but does include cybersecurity professionals as well.

The point is that there are times, situations, personas, use cases, and access patterns, where it makes sense to refer to only cybersecurity professionals, but generally we need to refer to everybody, whether a cybersecurity professional or not, as well.

What’s a computer?

We need to be a little careful with terminology here, especially since a lot of computing devices that access the Internet are not so clearly computers per se.

There are really three distinct terms:

Computer.
Computing device.
Non-computing device or object which contains an embedded computer or computing device.

This paper will refer to all three as a computer even though that might be technically a tad inaccurate.

Some obvious cases of computers:

Desktop computer.
Laptop computer.
Server computer.
Tablet computer.

Some less obvious cases of a computer:

Smart phone.
Smart refrigerator.
Driverless car.
Every motor vehicle.
Kiosks.
Speaking or active toys, dolls, and stuffed animals.
Robots.

Those lists are not meant to be exhaustive, merely illustrative.

Any of these objects or devices which can be connected to the Internet in some way are relevant to this paper.

Endpoints, servers, and routers

Not to oversimplify networking too much, but there are three basic components to a network:

Servers. The main computers where the real, heavy work gets done and data is stored.
Endpoints. Whatever device a user is using to access the network. Personal computers, tablets, smartphones. To be clear, endpoints are computers.
Routers. Specialized computers which direct traffic in the network.

Beyond those three primary components, a network also involves:

Cables. To connect all devices. Copper wire, coaxial cable, ethernet cable, optical fiber cable.
Power distribution.
Heating and air conditioning.
Facilities. Buildings. Data centers.

What is IT?

IT stands for Information Technology, which is basically any group which provides technical support for computing for an organization. That includes computer systems and other computing devices, networking, and software

It may be a separate group or division or may be subsidiary to a business unit.

The major components of IT are:

Technical staff.
Management.
Computer systems and computing devices. And any related hardware and software.
Applications development. May be embedded within IT or be separate group(s).
Networking and communications. Routers, cables, and connections to external communications networks.
Facilities to house, power, cool, and connect computing systems.

What is OT?

OT stands for Operational Technology, which is computer systems, software, and specialized hardware used to monitor and control physical systems and devices in the real world. IT is concerned with information alone while OT is concerned with effects in the physical environment.

Industrial control systems are the the primary example of OT. Monitoring and control of infrastructure is the general responsibility of OT.

See the Use case — Infrastructure, Use case — Internet of Things (IoT) Devices, and Use case — Vehicles sections for more detail.

What is a cyber service?

As used in this paper, a cyber service is an online, web, Internet service which provides some service(s) or set of online features to users.

Cyber services can include:

Basic web pages providing information and media.
Simple transactions.
E-commerce transactions.
Interactive applications. Either web-based or downloadable apps for smartphones and tablets.
APIs. Application Programming Interfaces which allow external or internal applications to interface with services running on servers within the organization or in the cloud.

In the context of this paper we are interested in both:

Organizations which provide cyber services.
Organizations which use cyber services. Either provided internally, or provided by external organizations.

Personas

Personas are more correctly referred to as archetypes, or also as roles, work roles, actors, stakeholders, or audiences.

Each persona represents a type of individual, group, or organization.

Each persona has its own interests, own needs, and own abilities to comprehend and deal with technical details.

A particular individual, group, or organization may belong to or be covered by any number of personas, each persona being a role. In other words, a particular individual, group, or organization may play any number of roles, possibly at different times or in different situations, or possibly at the same time and even in the same situation.

Since the list of personas effectively covers everyone, it makes sense to divide the full universe of personas into sensible categories.

Persona vs. work role

The term work role may seem especially appealing, but some of the personas, notably consumers, may not have a work role per se.

Employees vs. workers

It is tempting to use the term employee to refer to people working within an organization, but not everybody working within an organization is strictly speaking an employee, but they are all workers.

Workers within an organization include:

Full-time employees.
Part-time employees.
Contract workers.
Vendor employees (or workers.)
Temporary workers (temps.)
Visitors. May not be workers per se, but may have at least limited access to network services within the organization, such as Wi-Fi networks.

Workers vs. managers

It is also frequently useful to distinguish workers from managers:

Team leaders.
Technical managers.
Managers.
Senior managers and directors.
Junior executives.
Executives.
Senior executives.
Board of directors.
Advisors to management.

But in most contexts managers are workers or employees as well.

Users vs. consumers

Generally speaking, consumers are users, but workers within organizations are users but not with the role of consumers while they are performing tasks on behalf of the organization.

The term user will be used for either:

Workers using systems within an organization.
Individuals using web services.

The term consumer is used to draw attention to the fact that the requirements and training for a consumer are generally distinctly less than for a worker in an organization.

Children, the disabled, elderly, the incarcerated, etc. would generally be consumers and not workers.

Persona categories

Personas can be broadly classified into categories, and each persona category can be subdivided into particular personas, where each persona has its own distinctive qualities.

Users. Consumers, citizens, business workers, non-commercial organization workers, government workers, contractors, and consultants.
Non-IT workers. Having some cybersecurity role distinct from merely being a user, similar for business, government, and non-commercial organizations. Non-IT staff.
Non-IT management. May or may not have a direct cybersecurity role, similar for business, government, and non-commercial organizations. Non-IT staff.
Senior executives. May or may not have a direct cybersecurity role — set priorities, budgeting, and allocating resources, similar for business, government, and non-commercial organizations. Includes board of directors. Non-IT staff.
Executive assistants. Perform tasks on behalf of executives. May in fact be more savvy than their bosses in many cases when it comes to using technology.
Management for cyber services. Business units which offer cyber services to customers, or for internal use within the organization.
Senior executives for cyber services. Business units which offer cyber services to customers. Includes board of directors.
IT staff. Responsible for technical aspects of computing systems which a business, government agency, or non-commercial organization deploys, including cybersecurity. Management and executives as well.
IT technical staff. IT staff focused on technical expertise. Excludes IT management.
Cybersecurity technical staff. Subset of IT technical staff who have a dedicated or major cybersecurity role. Will be cybersecurity professionals.
Cybersecurity professionals. Synonym for cybersecurity staff, or anyone who has a significant cybersecurity role and appropriate level of cybersecurity training and possibly even formal certification.
IT management. All levels of management on the IT staff.
Cybersecurity management. All levels of management on the IT staff who are dedicated to cybersecurity roles and manage the cybersecurity technical staff.
Chief Cybersecurity Officer. The most senior cybersecurity professional (technical, management, or executive) in an organization.
Physical security staff. Staff responsible for ensuring that no one is permitted to improperly gain physical access to systems, which might permit them to bypass some or all software cybersecurity defenses.
Application software developers. IT staff or separate group(s) focused on developing and maintaining application software which will have some degree of cybersecurity impact, similar for business, government, non-commercial organizations, and application software vendors selling application software to other organizations.
Insider threats. Any worker with access to systems within the organization who seeks to attack or improperly exploit the organization in some way.
Consultants. Both technical and management.
Cybersecurity consultants.
Industries. Particular industries may face distinct or common cybersecurity issues.
Standard setting organizations. Plenty of opportunity for addressing aspects of cybersecurity.
Computing researchers. Need to be aware of cybersecurity aspects of their work.
Cybersecurity researchers. Computing researchers whose main focus is cybersecurity.
Cybersecurity product vendors. Firms which design, develop, manufacture, distribute, deploy, and support software or hardware products which provide cybersecurity features for organizations.
Cybersecurity service providers. Firms which provide cyber services which provide cybersecurity features for organizations.
Computer system vendors. Traditional computer companies. Or systems integrators. May or may not integrate and ship cybersecurity features with their systems.
Computing service providers. Cloud computing and utility computing. Such as Amazon Web Services, Microsoft Azure, or comparable services from Google, IBM, etc.
Software tool providers. May have some degree of cybersecurity impact.
Cybersecurity tool providers. May not be full products as with cybersecurity product vendors, but building blocks for organizations to put together their own cybersecurity solutions.
Application software vendors. Besides all of their internal cybersecurity issues, they also have a variety of obligations and liabilities to the organizations which acquire their application software.
Vendors. Any other firm which an organization is dependent upon but does not have any significant control over, but might have a cybersecurity vulnerability.
Customers and clients. Individuals and organizations with data, money, other property, or some vested interest in an organization.
Shareholders and investors. Anyone with an ownership stake and an interest in the value of the firm. And an interest in the risks and liabilities of the firm, including and especially cybersecurity.
Think tanks. With a policy interest in cybersecurity or even technology in general.
Educators and trainers. Academic and commercial focus on workforce development. Both general education and technology, including cybersecurity, either directly or use of computing technology that has aspects of cybersecurity.
Students.
Lawyers. Must understand law related to cybersecurity.
Regulators. Assure that regulated organizations address cybersecurity risks adequately.
Government leaders. National, state or regional, local — set priorities, budgeting, and allocating resources.
Government agencies. Generally the same interests and needs as users, workers, management, executives, and IT staff at any business, enterprise, or non-commercial organization.
Legislators. Creating and updating cyber-related law (what’s illegal, penalties, granting immunities to facilitate protection) and budgeting (protection of government services, regulation, and sponsoring research.)
Courts. Criminal and civil (business and personal.)
Law enforcement. Local, state, FBI, Homeland Security (education, monitoring, guidance, assistance) and international (INTERPOL, cooperation with other countries.)
Insurance. Nascent but great potential, especially as driver to quantify cybersecurity risk impact.
National security. Defense (force-protection, offensive) and Homeland Security (defensive measures, intelligence.)
International. All of the other personas, but at an international level, with nuances for each country (or the EU as a whole.)
Multilateral international intergovernmental organizations and institutions. Multilateral international institutions (UN, et al) having some interest in cybersecurity.
Media. Reporting on vulnerabilities, exploits, threats, advances in defenses, general awareness, and covering incidents and vulnerabilities.
Offensive threat actors. Hackers, et al. The people attacking connected digital systems, including individual hackers, criminal organizations, states, and transnational non-state actors, including terrorists and international criminal organizations.

Subsequent sections will detail subdivisions in each persona category.

Persona — User

This role is strictly as an end user, simply using applications, with no explicit cybersecurity role in an organization. If the user does indeed have a non-user cybersecurity role, see the Persona — Non-IT worker persona.

Users are not necessarily workers.

But all workers will be users.

Consumers.
Citizens. Taxpayers. Non-citizen residents. Consuming government services, frequently not by choice.
Business workers. Role solely as end user, no other cybersecurity role. If they have a non-user cybersecurity role, see the Persona — Worker persona.
Government workers. Role solely as end user, no other cybersecurity role. If they have a non-user cybersecurity role, see the Persona — Worker persona.
Organization workers. Role solely as end user, no other cybersecurity role. If they have a non-user cybersecurity role, see the Persona — Worker persona.

Persona — Consumers

Consumers are users as well, but strictly outside of any organization.

Mature adults.
Teenagers.
Children.
Parents. Mom and dad are the IT staff and security experts for the home. Okay, okay… all too commonly the kids are much more tech savvy than their parents, but the parents are responsible for what happens in the household.
College students.
Grandma and Aunt Sally. Proverbial relatives who are clueless about security and more likely to take actions that are counter to their own best interests, without realizing it.
Senior citizens. Still active.
Elderly citizens. Not so active.
Very elderly citizens. Not active. But their data may be active.
Disabled — mild.
Disabled — moderate.
Disabled — severe.
Mentally ill — mild.
Mentally ill — moderate.
Mentally ill — severe.
Incarcerated.
Tourists from abroad.

Persona — Citizen

The main reason for breaking citizens out as a distinct persona category is that there are use cases which are specific to citizens.

Otherwise treated as any other consumer.
Consumption of government services which are very different from most businesses and organizations. Government may maintain information or surveillance data on citizens.

There are some personas which have the same profile of citizens, but are not actual citizens:

Non-citizen residents.
Foreign tourists.
Foreign business people.
Temporary migrant workers.
Illegal immigrants. May access government services even if not legally entitled.

Persona — Non-IT workers

Having some cybersecurity role distinct from merely being a user.

Also, this persona category is for non-management workers. For management, see the Persona — Non-IT Management persona.

Business worker.
Government worker.
Organization worker.
Contract worker.
Consultant.
Clerical worker.
Technician.
Sales.
Customer service.
Janitorial worker. May have access to sensitive areas and equipment.

Persona — Non-IT Management

May or may not have any direct or indirect cybersecurity role, with the possible exceptions of setting priorities, budgeting, and allocation of resources, which may have cybersecurity implications.

Team or project leader.
Supervisor.
Manager.
Middle level manager
Senior manager
Director.
Junior executive. Must be aware both from non-executive and senior executive perspectives.

Beyond the level of a director or junior executive, see the Persona — Senior Executives persona.

Persona — Senior Executives

May or may not have any direct or indirect cybersecurity role, with the possible exceptions of setting priorities, budgeting, and allocation of resources, which may have cybersecurity implications.

Junior executive. Must be aware both from non-executive and senior executive perspectives.
Senior executive.
Head of business unit.
Head of division.
CEO. President. Chief Operating Officer.
Board of directors.

Persona — Executive Assistants

Executive assistants perform tasks on behalf of executives, and may be more tech-savvy than their bosses in many cases when it comes to using technology.

Strictly clerical assistant.
Operations assistant. Skilled using internal systems.
Technical assistant. Technology specialist.
General assistant.

Persona — Management for Cyber Services

Management in business units which offer cyber services to customers. Must be much more acutely aware of cybersecurity challenges than for business units which are not critically dependent on cyber services.

That said, it is growing increasingly rare for business units to not have some sort of involvement in cyber services, if for no other reasons than customer service.

Team or project leader.
Supervisor.
Manager.
Middle level manager
Senior manager
Director.
Junior executive. Must be aware both from non-executive and senior executive perspectives.

Persona — Senior Executives for Cyber Services

Executive management for business units and enterprises which offer cyber services to customers. Must be much more acutely aware of cybersecurity challenges than for business units and enterprises which are not critically dependent on cyber services.

That said, it is growing increasingly rare for business units and enterprises to not have some sort of involvement in cyber services, if for no other reasons than customer service.

Junior executive. Must be aware both from non-executive and senior executive perspectives.
Senior executive.
Head of business unit.
Head of division.
CEO. President. Chief Operating Officer.
Board of directors.

Persona — IT Staff

IT staff develop, acquire, deploy, and manage computer systems and software and are responsible for cybersecurity of the business, government agency, or non-commercial organization, but are typically not directly responsible for development of applications — see the Persona — Application Software Developers persona for the latter.

IT technical staff. Non-management. Technical responsibilities.
IT management. No day to day technical responsibilities, but supervise, manage, or direct technical staff, directly or indirectly.

Persona — IT Technical Staff

System architects.
Security architects.
Hardware IT technical staff.
Software IT technical staff.
Application software developers. May or may not be considered IT staff per se in some organizations. See the Persona — Application Software Developers persona.
Contract workers.
Consultants.

These persona categories have the same cybersecurity roles, but their use cases and access patterns may differ:

No cybersecurity role. But should still be well aware of cybersecurity in the enterprise.
Minor cybersecurity role.
Major cybersecurity role, but have non-cybersecurity role(s) as well.
Dedicated cybersecurity role.
Architect — must integrate all aspects of cybersecurity with rest of hardware and software architecture.
Insider threat. See Persona — Insider Threat.

This informal paper won’t drill down into specific technical roles, but details may be more apparent in use cases and access patterns.

For cybersecurity worker roles, see the NIST NICE Cybersecurity Workforce Framework.

Persona — Cybersecurity Technical Staff

The subset of IT technical staff who have a dedicated or major cybersecurity role.

For cybersecurity worker roles, see the NIST NICE Cybersecurity Workforce Framework.

Persona — Cybersecurity Professionals

Generally, anybody on the cybersecurity technical staff, including many but not necessarily all cybersecurity managers will be cybersecurity professionals.

For the field of cybersecurity they will have appropriate:

Education.
Training.
Experience.
Expertise.
Competence.
Certification, when appropriate.

Cybersecurity professionals will generally be on the IT staff, but may be elsewhere in the organization, such as on application development teams, in management, freelance consultants, etc.

For cybersecurity worker roles, see the NIST NICE Cybersecurity Workforce Framework.

Persona — IT Management

Although IT technical staff has primary responsibility for technical details, each level of IT management will need to have some degree of technical expertise, but the primary function of IT management in the cybersecurity realm is:

Setting objectives, especially for cybersecurity.
Set priorities.
Budgeting.
Allocation of resources.
Monitoring and managing progress towards objectives, especially cybersecurity.

Levels of persona in IT Management

Team or project leader.
Supervisor.
Manager.
Middle level manager
Senior manager
Director or executive, head of IT in the enterprise.

The level of expertise of management in cybersecurity will be commensurate with the technical assignments of IT technical staff who are being managed. For a given manager, that may vary from none or minimal to extensive when managing technical staff who are dedicated to cybersecurity. But some minimum level of expertise and training in cybersecurity would be required at all levels.

Persona — Cybersecurity Management

The subset of IT management who have a dedicated or major cybersecurity role.

Includes the Chief Cybersecurity Officer for the organization.

Persona — Chief Cybersecurity Officer

The most senior cybersecurity professional in an organization. The most senior individual whose sole job and role is cybersecurity. Responsible for all aspects of cybersecurity for the organization. The buck stops here when it comes to cybersecurity. Title may vary.

Typically an executive, but may be a non-executive manager in some smaller organizations, or even a non-manager in the smallest organizations.

Persona — Physical Security Staff

Physical security of computing resources is essential. Lax or corrupted security guards and other physical security staff might improperly permit unauthorized physical access to computing and networking systems, bypassing some or all software cybersecurity defenses.

Security guards.
Security supervisors.
Building management.
Data center managers.
All workers being aware of physical security and its importance.

Persona — Application Software Developers

Individuals and teams who develop application software which will have some degree of cybersecurity impact.

No cybersecurity impact. Should still have basic awareness training. Rare that there would be absolutely no cybersecurity impact.
Minimal cybersecurity impact.
Moderate cybersecurity impact.
Major cybersecurity impact.
Dedicated to cybersecurity impact.

Application software may be developed by IT staff or separate group(s) focused on developing and maintaining application software. These personas will be similar for business, government, non-commercial organizations, and application software vendors selling application software to other organizations.

Product management.
System architects.
Security architects.
Application software designers.
Application software architects.
Application software developers.
Technical assistants.
Team leaders.
Technical management.
Middle management.
Quality assurance (QA). Testing.
Documentation.
Marketing.
Sales.
Training.
Training development.
Customer service.
Support.
Directors.
Executives.
Board of directors.
Advisers.

Persona — Insider Threat

Any workers (employee, contractor, consultant, etc.) with access to systems within the organization who seeks to attack or exploit the organization in some way.

Not all insider threat actors are created equal:

Whistleblower. Doesn’t seek to harm the organization per se, but seeks to publicly disclose some illegal or dubious activity, in pursuit of a greater social good.
Financial theft. Seeks to personally profit. Not necessarily to the extent that it would constitute a significant material impact on the organization.
Personal vendetta. Has some grievance with the organization. Malevolent attempt to harm the organization. Disruption or destruction of operations or assets or reputation.
Agent for external criminal enterprise. May or may not gain significant personal benefit, but seeks to facilitate actions of an external actor which seeks to exploit the financial value of operations and assets.
Agent for an external social justice group. May not be motivated by money, but may intend to disrupt, destroy, or merely expose the organization and its activities.
Hacktivist. Isolated individual or part of a small group with similar intentions or affinities to social justice groups.
Agent for a foreign state. Either merely for industrial espionage or as a mole for disruption or destruction of operations or assets.
Agent for a non-state terrorist organization. Same for for a foreign state.
Testing. Legitimate and sincere but misguided effort by a worker to test a scenario that ends up causing a security vulnerability or actual harm.
Red team. Effectively looks like an insider threat, but working for the best interests of the organization to discover cybersecurity vulnerabilities.

Persona — Consultants

Consultants are individuals or teams that work with groups in an organization, bringing some special expertise that is not easily obtained by that group otherwise, or not easily or quickly enough for the group to meet its objectives.

Consultants can be:

Technical.
Non-technical.
Management. Such as organizational, culture, interaction with other groups, budgeting, planning.

Consultants can be:

Internal. A group with special expertise dedicated to helping other groups within the organization.
Outside. Consulting firms or individual, freelance consultants.

When working within an organization, consultants act to a significant degree asif they were workers and users within the organization and specific group they are working with, and possibly even management, but also as if they were outside vendors.

Persona — Cybersecurity Consultants

Consultants whose specialty is cybersecurity.

Persona — Industries

Particular industries may face distinct or common cybersecurity issues.

Industry technical staff.
Industry product managers.
Industry executives.
Industry associations.
Industry cooperatives.

Persona — Computing Researchers

Even non-cybersecurity researchers need to be aware of cybersecurity aspects of their work.

Academic.
Commercial.
Independent or freelance.
Government.

Persona — Standard Setting Organizations

Domestic standard setting organizations.
Industry-specific standard setting organizations.
International standard setting organizations.
Technical staff of organizations participating on standard development.
Cybersecurity staff of organizations participating on standard development.

Persona — Cybersecurity Researchers

Computing researchers whose main focus is cybersecurity.

Academic.
Commercial.
Independent or freelance. Public, known, and respected.
Quasi-professionals in the gray area between dubious hacking and legitimate research.
Journalists.
Activists.
Government.

Persona — Cybersecurity Product Vendors

Firms which focus on development, distribution, and support of cybersecurity products.

Product management.
System architects.
Security architects.
Software architects.
Software designers.
Software developers.
Team leaders.
Technical management.
Middle management.
Quality assurance (QA). Testing.
Documentation.
Marketing.
Sales.
Training.
Training development.
Customer service.
Support.
Directors.
Executives.
Board of directors.
Advisers.

Since the focus of the firm is cybersecurity, all levels of the firm should have a heightened sense of awareness, training, and expertise in cybersecurity.

Persona — Cybersecurity Service Providers

Firms which focus on delivery of services related to cybersecurity.

Can range from simple consulting to cloud-based services.

Product management.
System architects.
Security architects.
Software architects.
Software designers.
Software developers.
Team leaders.
Technical management.
Middle management.
Quality assurance (QA). Testing.
Documentation.
Marketing.
Sales.
Training.
Training development.
Customer service.
Support.
Directors.
Executives.
Board of directors.
Advisers.

Since the focus of the firm is cybersecurity, all levels of the firm should have a heightened sense of awareness, training, and expertise in cybersecurity.

Persona — Computer System Vendors

Firms designing, producing, distributing, and supporting computer systems, including operating system software and some degree of pre-installed software packages, possibly including cybersecurity software features as well.

Product management.
System architects.
Security architects.
Hardware architects.
Hardware engineers.
Software architects.
Software designers.
Software developers.
Team leaders.
Technical management.
Middle management.
Quality assurance (QA). Testing.
Documentation.
Marketing.
Sales.
Training.
Training development.
Customer service.
Support.
Directors.
Executives.
Board of directors.
Advisers.

Persona — Computing Service Providers

This would include cloud services and utility computing.

Internet Service Providers.
Cloud computing service providers.
Cloud provider technical staff.
Cloud provider technical managers.
Cloud provider non-technical management.
Cloud provider non-technical staff.
Cloud provider executive management.

Since customers do not have direct access to the machines or basic software, they are critically dependent on the vendors staff to assure that cybersecurity is completely addressed.

System architects.
Security architects.
Hardware staff.
Operating system staff.
Middleware staff.
Cybersecurity staff.
Team leaders.
Technical management.
Middle management.
Quality assurance (QA). Testing.
Documentation.
Marketing.
Sales.
Training.
Customer service.
Support.
Directors.
Executives.
Board of directors.
Advisers.

See Access pattern — Cybersecurity Staff.

Persona — Software Tool Providers

Individuals involved with design, development, distribution, and support of software tools which have some degree of cybersecurity impact.

Product management.
System architects.
Security architects.
Software architects.
Software designers.
Software developers.
Team leaders.
Technical management.
Middle management.
Quality Assurance (QA). Testing.
Documentation.
Marketing.
Sales.
Training.
Customer service.
Support.
Directors.
Executives.
Board of directors.
Advisers.

Persona — Application Software Vendors

Besides all of their internal cybersecurity issues, firms which develop, distribute, and support application software also have a variety of obligations and liabilities to the organizations which acquire their application software.

Product management.
System architects.
Security architects.
Software architects.
Software designers.
Software developers.
Team leaders.
Technical management.
Middle management.
Quality Assurance (QA). Testing.
Documentation.
Marketing.
Sales.
Training.
Customer service.
Support.
Directors.
Executives.
Board of directors.
Advisers.

Persona — Vendors

A vendor is any other firm which an organization is dependent upon but does not have any significant control of, but might have a cybersecurity vulnerability.

Firms having a strong technology or cybersecurity focus have their own personas, reflecting that focus.

Sales.
Customer service contacts.
Technical contacts.
Technical staff.
Non-technical staff.
Cybersecurity staff.
Vendors of the vendor.
Technical management.
Non-technical management.
General management.
Executive management.
Board of directors.
Advisers.

Persona — Customers and Clients

Customers and clients may have data, money, or other property at an enterprise which may be at risk due to risk of cybersecurity incidents.

Consumers.
Small businesses.
Medium businesses.
Large businesses.
Non-commercial organizations.
Government agencies.
Foreign consumers.
Foreign businesses.
Foreign governments.

Persona — Shareholders and Investors

Individuals or organizations which have an ownership interest or other financial interest in the value of the firm which might be compromised due to a cybersecurity incident.

Individual shareholders.
Employees. Owning shares, such as in retirement accounts or stock options or grants.
Institutional shareholders.
Pension funds.
Venture capital funds.
Private equity funds.

Persona — Venture Capital Funds

VC in cybersecurity firms.
VC in non-cybersecurity firms.
VC in cyber service firms which have a high cyber risk profile.

Persona — Think Tanks

Public policy organizations which have a policy interest in cybersecurity or even technology in general.

Policy researchers — non-technical.
Policy researchers — technical.
Policy researchers — cybersecurity — non-technical.
Policy researchers — cybersecurity — technical.
Research assistants — non-technical.
Research assistants — technical.
Research assistants — cybersecurity — non-technical.
Research assistants — cybersecurity — technical.

Persona — Educators and Trainers

Academic and commercial educators and trainers related to cybersecurity. Includes workforce development.

Academic — non-technical — general awareness.
Academic — technical — greater awareness and skills.
Academic — cybersecurity — main focus.
Commercial training — non-technical — general awareness.
Commercial training — technical — greater awareness and skills.
Commercial training — cybersecurity — main focus.
Inhouse training — non-technical — general awareness.
Inhouse training — technical — greater awareness and skills.
Inhouse training — cybersecurity — main focus.
Management of cybersecurity workforce development programs — commercial efforts.
Management of cybersecurity workforce development programs — government efforts.
Management of cybersecurity workforce development programs — academic efforts.

Persona — Students

Students — non-technical — general awareness.
Students — technical — greater awareness and skills.
Students — cybersecurity — main focus.

Education level:

Elementary school. Very basic.
Junior high school, middle school.
High school.
Community college.
Baccalaureate degree.
Graduate degree.
Doctorate.
Post-doctorate.

Persona — Lawyers

Lawyers involved with any aspect of cybersecurity in an organization.

Lawyers helping clients understand the law.
Lawyers reviewing client organization and processes regarding the law.
Lawyers defending client against actions related to cybersecurity.
Lawyers initiating actions on behalf of clients related to cybersecurity.
Lawyers interacting with regulators on enforcement matters.
Lawyers commenting on proposed cybersecurity regulations.
Lawyers for business units which directly use cyber services.
Lawyers for business units which use outside services which may rely on cyber services.
Lawyers for business units which use outside cybersecurity services.
Lawyers for business units which develop, distribute, or support cyber services. Liability issues.
Lawyers — Patents — Registering.
Lawyers — Patents — Licensing.
Lawyers — Patents — Litigation — Pursuing.
Lawyers — Patents — Litigation — Defense.

Persona — Regulators

Government agencies responsible for promulgating and enforcing regulations related to cybersecurity.

May be federal, state, or local. Or international.

Lawyers writing regulations.
Lawyers reviewing proposed regulations.
Lawyers enforcing regulations.
Technical staff enforcing regulations.
Clerical staff enforcing regulations.
Management.
Senior management.
Executive leadership for agency.
Public outreach.
Communication and outreach.
Web services related to implementing regulations.
Web services related to enforcing regulations.

Persona — Government Leaders

Government leaders who set priorities and are involved in budgeting and allocation of resources related to cybersecurity.

National leaders. Executive branch.
State or regional leaders.
Local leaders.

Persona — Government Agencies

Government agencies generally have the same interests and needs as users, workers, management, executives, and IT staff at any business, enterprise, or non-commercial organization — see those persona categories, with the exception of agencies involved in national security — see Persona — National Security.

But there may be special needs when government is involved, in contrast to the private sector:

National government officials.
State government officials.
Municipal and local government officials.
Federal government IT staff.
Federal government IT cybersecurity staff.
Federal government non-IT staff.
State government IT staff.
State government IT cybersecurity staff.
State government non-IT staff.
Municipal and local IT staff.
Municipal and local IT cybersecurity staff.
Municipal and local non-IT staff.
Federal Reserve System. Including payment system.

Persona — Legislators

Legislator are responsible for creating and updating cyber-related law and regulation (what’s illegal, penalties, granting immunities to facilitate protection) and budgeting (protection of government services, regulation, sponsoring research.)

Elected legislators with a special focus on cybersecurity — national (Congress.)
Elected legislators without any special focus on cybersecurity — national (Congress.)
Legislative staff with a special focus on cybersecurity — national.
Legislative staff without any special focus on cybersecurity — national.
Legislative policy staff with a special focus on cybersecurity — national.
Legislative policy staff without any special focus on cybersecurity — national.
Legislative technical staff with a special focus on cybersecurity — national.
Legislative technical staff without any special focus on cybersecurity — national.
Committee staff with a special focus on cybersecurity — national.
Committee staff without any special focus on cybersecurity — national.
Committee technical staff with a special focus on cybersecurity — national.
Committee technical staff without any special focus on cybersecurity — national.
Research staff with a special focus on cybersecurity — national.
Research staff without any special focus on cybersecurity — national.
Research technical staff with a special focus on cybersecurity — national.
Research technical staff without any special focus on cybersecurity — national.
Elected legislators with a special focus on cybersecurity — state.
Elected legislators without any special focus on cybersecurity — state.
Legislative staff with a special focus on cybersecurity — state.
Legislative staff without any special focus on cybersecurity — state.
Legislative policy staff with a special focus on cybersecurity — state.
Legislative policy staff without any special focus on cybersecurity — state.
Legislative technical staff with a special focus on cybersecurity — state.
Legislative technical staff without any special focus on cybersecurity — state.
Committee staff with a special focus on cybersecurity — state.
Committee staff without any special focus on cybersecurity — state.
Committee technical staff with a special focus on cybersecurity — state.
Committee technical staff without any special focus on cybersecurity — state.
Elected officials and staff at the local or municipal level.

Persona — Courts

Judges.
Clerks.
Supreme court justices.
Supreme court clerks.
Criminal courts.
Civil courts — business and personal lawsuits.
Administrative courts.
Federal courts.
Federal appeals courts
State courts.
International courts.

Persona — Law Enforcement

Local law enforcement.
State.
FBI.
Homeland Security — education, monitoring, guidance, assistance.
Cooperation between the levels.
International. INTERPOL. Cooperation with law enforcement in other countries.

Persona — Insurance

Cybersecurity insurance is nascent but has great potential, especially as a key driver to quantify cybersecurity risk impact.

Staff creating insurance programs.
Staff assessing risks.
Staff writing insurance policies.
Staff servicing claims.
Management.
Executives. Deciding what lines of business to enter or exit.

In particular, insurance company executives must adequately understand the risks they are underwriting.

Persona — National Security

All government agencies involved with national security.

Defense — force-protection, cyberwarfare.
Military leaders, senior officers.
Military officers.
Military enlisted men.
Military bases and facilities.
Cyberwarriors.
Intelligence analysts.
Homeland Security — defensive measures, intelligence.
Homeland security cybersecurity professionals.
Homeland security — managers.
Homeland security — principals.
Defense contractors.
Counterterrorism activities.
Espionage.
Counterespionage.
Threat analysts.
Nuclear weapons complex. Including National Nuclear Security Administration.
National Laboratories (DOE.) Involved in cybersecurity research, and its own needs for cybersecurity.

Persona — International

All of the other personas, but at an international level, with nuances for each country (or the EU as a whole.)

Generally and more broadly:

Foreign consumers.
Domestic consumers accessing foreign cyber services.
Foreign consumers with data located domestically.
Domestic consumers accessing data stored in another country
Foreign businesses.
Foreign businesses accessing domestic cyber services.
Foreign businesses accessing data located domestically.
Domestic businesses accessing data stored in another country.
Domestic businesses operating in other countries.
Domestic businesses accessing foreign cyber services.
Foreign governments.
Foreign regulators.
Multilateral international intergovernmental organizations and institutions.

Persona — Multilateral International Intergovernmental Organizations and Institutions

Multilateral international institutions (UN, et al) having some interest in cybersecurity.

UN and its agencies.
Multinational organizations — transnational issues.
Countries party to treaties.
International institutions facilitating financial transactions.
International institutions related to law enforcement and courts.
Other international institutions.
Other intergovernmental organizations.

Multinational personas, use cases, and access patterns will generally be the same as at the national, subnational, and organizational level, but there may be nuances.

Persona — Media

Reporting on vulnerabilities, exploits, threats, advances in defenses, general awareness, and covering incidents.

Journalists — general reporting on vulnerabilities, exploits, threats, advances in defenses, general awareness, and covering incidents.
Journalists — in-depth investigations.
Journalists — reporting policy discussions and legislation.
Journalists — communicating cybersecurity issues to technical professionals.
Journalists — communicating cybersecurity issues to non-technical professionals.
Journalists — communicating cybersecurity issues to consumers.
Journalists — communicating cybersecurity issues to managers and executives.
Journalists — communicating cybersecurity issues to government leaders, officials, legislators, and staff.

Persona — Offensive Threat Actors

These are the people responsible for making cybersecurity necessary.

Amateur hackers. Thrill motive.
Security researchers. Discovery of vulnerabilities. Professional motive — in theory.
Criminal hackers. Cybercriminals. Profit motive.
International criminal hackers. Larger scale.
Commercial disruption. Interfere with the competition.
Industrial espionage. Information on the competition.
State-sponsored industrial espionage. Industrial espionage on a competitor country or adversary country.
Sociopolitical hackers. Disrupt commercial or governmental activities based on ideology and sociopolitical motives. May be individual hacktivists, small informal groups, or larger associations with many individuals providing moral support for a smaller number of actual hackers.
State hackers. Cyber espionage. After national security information of a competitor country or an adversary country.
Cyberwarfare. Interstate conflict. May be narrowly targeted or for mass disruption. Seek to disrupt national security apparatus.
State-sponsored hackers. States may outsource state hacking.
Non-state state hackers. Terrorist groups. International criminal gangs.
Red teams. Internally-sanctioned efforts seeking to challenge or compromise cyber operations in the name of discovering vulnerabilities needing to be rectified before true offensive threat actors attack.
Whistleblowers. Doesn’t seek to harm the organization per se, but seeks to publicly disclose some illegal or dubious activity, in pursuit of a greater social good.
Insider threats. See Persona — Insider Threat.
Botnets. User devices hijacked on a large scale to participate in cyberattacks.

Use Cases

A use case is a type of larger context for the objectives or purpose for which a person (persona) is engaging in activities and tasks (access patterns.)

A use case may simply be an application or a solution or an audience for the use of computing technology.

The point of discriminating distinct use cases is to highlight that there are technical or practical differences between the use cases.

Different use cases may have different personas for which they have special significance.

There may be any number of personas to which a given use case is significant.

Any number of use cases may have significance to a given persona.

Again, a use case is a context. The specific tasks or activities applicable to a particular use case are categorized under the access patterns for that use case, or under the access patterns for particular personas that have an interest in that use case.

Use case categories

There are many use cases relevant to cybersecurity. They can be grouped under a smaller number of categories of use cases.

Global cybersecurity. Relevant to all systems, all devices, and all users, everywhere.
Human nature. Global factors across all use cases which are inherent in human nature.
Identity. How a computer system or application knows who you are.
Real identity. How social, political, and legal systems know who you are in the real world.
Anonymous. Many applications do not need to know your real identity.
Privacy.
Civil liberties.
Accounts.
User-created data and content.
Transaction data.
Email.
Web browsing.
Social media. Each platform has its own issues.
E-commerce.
Instant messaging.
Encrypted messaging.
VPN — Virtual Private Network.
Voice calls — VOIP.
Video calls.
Government agencies dependent on cyber services.
E-government. Government agencies deploying cyber services to offer services to the public and vendors.
Online office documents.
Document repositories.
Online business applications.
Online HR and personnel data.
Online financial records.
Other online applications and their data.
Health and medical records.
Medical systems.
Medical devices.
Election systems.
Infrastructure.
Network design.
Data centers.
Servers.
Email servers.
Web servers.
Application servers.
Data collection.
Academic institutions.
Semi-public online services.
Consumer semi-public online services.
Network services. Ports, web services.
Remote access. Telnet, remote desktop access.
Code access. Accessing code as data (theft of IP), modification, destruction.
Personally-identifiable information (PII).
Sharing of user data — authorized.
Sharing of user data — implicitly authorized.
Sharing of user data — unauthorized.
Marketing of user data — authorized.
Marketing of user data — implicitly authorized.
Marketing of user data — unauthorized.
Operational Technology (OT).
Vehicles. Including autonomous (driverless), remote diagnostic access, and internal access.
Internet of Things (IoT) devices.
Non-Smart cell phones. Text messages stored in the cloud are vulnerable.
Smart phones.
Bluetooth devices.
Web cameras. On user’s computer.
Remote web cameras.
Video surveillance systems.
Live streaming video.
Unauthorized connected devices.
USB drives.
Wi-Fi.
Routers.
Firewalls.
Network connections.
Internet Service Providers (ISP).
Supply chain vulnerabilities.
Federal Reserve payment system.
Banks.
Credit card companies.
Bank accounts.
Credit cards.
Money laundering.
Credit bureaus.
Credit history. Credit history damage as a result of identity theft.
Databases.
Distributed databases.
Blockchain and distributed ledgers.
Cryptocurrencies. Currency itself, wallets, exchanges, attacks on value of currency.
Search engines.
Distributed search engines.
Cyber defense hardware.
Cyber defense software.
Cyber defense services.
Cyber defense teams.
Cyber warfare.
Insurance.
Targeting an individual.
Targeting a business of organization.
Targeting business and capitalism.
Targeting government.
Targeting political interests.
Physical asset security.
Undetected vulnerabilities.
Undetected incidents.
Legacy systems.
Future systems.

Subsequent sections will detail specific use case categories and any subdivisions, if needed.

Use case — Global Cybersecurity

Global cybersecurity covers all systems, all devices, and all users, everywhere.

This includes:

Global Internet governance.
International standards.
Technology in general. Knows no national boundaries.
Software in general. Knows no national boundaries.
Cybersecurity in general. Knows no national boundaries.
Human nature in general. Knows no national boundaries.
Users in general. Much of user needs, interests, and behavior transcends national boundaries.

Use case — Human Nature

Human nature can range from good to bad, from great to terrible. Especially when it comes to cybersecurity.

Even the best systems, developed with the best technology will crumble under cyberattack if they do not take the vagaries of human nature into account as they are conceived, specified, designed, developed, acquired, deployed, configured, managed, and used.

As the old saying goes, the best laid plans of mice and men often go awry.

Or to paraphrase Murphy, if something can go wrong, it will.

Technologies, designs, code, processes, methods, and best practices all need to take human nature into account. Even then, there are no strong assurances.

As buggy or error-prone as systems may be, cybersecurity itself can be just as buggy or error prone.

Ongoing diligence and vigilance are essential.

Use case — Identity

Computer systems and applications generally tailor their operations to particular uses, which requires that the software identify the user.

There are three general categories of identity:

Contrived. User makes up an identity. The software only needs to distinguish between users, not generally needing to know their true identity in the real world.
Real identity. A real person, real business, real governmental agency, or non-commercial organization.
Anonymous. May be contrived or completely blank. The user seeks to hide or shield their identity, either for benevolent or malevolent purposes.

There may or may not be a direct relationship between user identity and accounts. Generally, a software system will associate a user identity with an account, but the two concepts are technically distinct even though related.

Use case — Contrived Identity

The intention with a contrived identity is that the software only needs some way to distinguish between different users. Their real identity is generally not needed.

The user makes up an ID, user name, handle, or other identifier which may be real or may be fictitious. It may also be an email address, which itself may be (or usually is) contrived. The software doesn’t doesn’t care whether the user is real or contrived, just distinct from other users.

Identity may also be a hybrid, with a contrived identity plus elements of a real identity, such as billing and shipping names and addresses or bank account information.

There are several general use cases of contrived identity:

Intended as a surrogate for real identity. Used like a nickname. Primary use case.
Joke, parody, satire.
Testing.
Research. Experimentation.
Fraud.
Disinformation.
Fake. Intended to deceive, for some other purpose than listed above.

Use case — Real Identity

The intention here is that the computer system or application needs to know that it is connecting with a real person or real organizational entity.

See Access pattern — Real Identity for details on confirming real identity.

Use case — Anonymous

The intention here is that the user does not want the software or anybody else in the world to know their real identity.

They may have benign, benevolent reasons for shielding their identity, or they may have malevolent intentions. Generally, the computer cannot make a clear determination. So, the presumption is that the user’s intentions are strictly innocent.

The software or service provider may have some indirect or partial way of identifying the real person, such as their IP address.

Law enforcement and courts may be able to compel a service provider to assist in determining the real identify of a user who has sought to remain anonymous.

Use case — Accounts

Technically, accounts and identities are two distinct concepts, although in practice there may be a clear, one-to-one relationship, at least in some or even many cases.

Technically, a user could use the same identity for different accounts on different software systems, although that is discouraged to minimize the risk of theft of account information on any given system.

The user may or may not be aware of an internally assigned account name, number, or other identifier, since generally the user only needs to be aware of their identity credentials (user name or ID and password) to access any particular account.

In the case of a bank, credit card, or other financial institution the account number will be very important and prominently displayed both online and on statements, but the user will still know and use their account primarily from their user identity.

Use case — Transaction Data

Banking activity.
Credit card transactions.
E-commerce transactions.
Customer interaction history.
Enterprise transactions.

Use case — Web Browsing

Cookies.
History.
Encryption.
Incognito mode.
HTML script execution.
Download cache.
Web page cache.

Use case — Email

Email messaging.
Email attachments — media.
Email attachments — PDF and slide presentations.
Email attachments — office documents (word processing, spreadsheet, presentations).
Email attachments — ZIP files — expected (rarely)
Email attachments — ZIP files — unexpected, malevolent attack
Email attachments — executables — expected (very rarely)
Email attachments — executables — unexpected, malevolent attack

Use case — Email Server

An email server is responsible for managing email accounts and sending, receiving, and storing email messages.

Use case — Encrypted Messaging

Some messaging platforms, such as Telegram, permit heavily encrypted operation so that neither a random hacker, nor law enforcement armed with a legitimate warrant, nor a determined government can view the underlying messages.

In theory.

Use case — VPN — Virtual Private Network

A Virtual Private Network (VPN) is application software running on an endpoint, such as a personal computer, tablet, or smartphone, which allows a user to connect from or over a public network into a private network, an internal network of an organization, as if they were directly connected to that non-public network. All of the user’s command and data transmission traffic over the VPN is fully and securely encrypted so that no devices on the public network can eavesdrop.

In theory.

Use case — Online Office Documents

Highlighting that this is a key area where users create and manage a lot of data and can easily get careless about access control for sharing data, and are vulnerable if hackers gain access to the applications using compromised identity credentials or to the underlying databases and data files.

Use case — Document Repositories

Use case — Online Business Applications

Highlighting that this is a key area where users enter and update a lot of critical business data, and are vulnerable if hackers gain access to the applications using compromised identity credentials or to the underlying databases and data files.

Use case — Online HR and Personnel Data

Highlighting that this is a key area where very sensitive personal data is entered, updated, and stored in bulk, and organizations and individuals are vulnerable if hackers gain access to the applications using compromised identity credentials or to the underlying databases and data files.

Use case — Online Financial Records

Highlighting that this is a key area where businesses and individuals alike have valuable and sensitive financial data which is very vulnerable if hackers gain access to the applications using compromised identity credentials or to the underlying databases and data files.

Use case — Other Online Applications and Data

Highlighting that this is a key area where businesses and individuals alike have valuable and sensitive data which is very vulnerable if hackers gain access to the applications using compromised identity credentials or to the underlying databases and data files.

Use case — User-Initiated Sharing of Data

Users themselves can consciously decide to share data online, but the underlying systems manage the access controls for that sharing.

The cybersecurity challenge is twofold:

Assuring that user control over sharing is not compromised in the underlying system. For example, using elevated privilege to bypass user control.
Assuring that users are properly trained about their own responsibilities to share responsibly and to be aware of the consequences of their own decisions, especially when the consequences impact the organization they work with and any other individuals who are impacted by the data that they might choose to share.

Use case — Sharing of User Data

Sharing of user data — authorized, explicitly.
Sharing of user data — authorized, implicitly, not realized by the user.
Sharing of user data — unauthorized.

Use case — Marketing of User Data

Marketing of user data — authorized, explicitly.
Marketing of user data — authorized, implicitly, not realized by the user.
Marketing of user data — unauthorized.

Use case — Non-Smart Cell Phones

Cellular voice calls. No direct cybersecurity aspect. Or, is StingRay considered cybersecurity?
Cellular text message. No direct cybersecurity aspect, but text messages stored in cloud are vulnerable. Again, what about StingRay?

Use case — Smart Phones

Generally all use cases for computers as well.
Company phones.
Personal phones.
Wi-Fi connection.
Cellular voice calls. No direct cybersecurity aspect, except Stingray.
Cellular text message. No direct cybersecurity aspect, but text messages stored in cloud are vulnerable. And Stingray.
Carrier monitoring of user activity. Both in phone and in network.
Carrier databases of user activity and call records.
Vendor-added software which monitors and captures user data for carrier.
User-added apps which monitor and capture user data for the app provider.

Use case — Operational Technology (OT)

See:

Use case — Vehicles
Use case — Internet of Things (IoT) Devices
Use case — Infrastructure

Use case — Vehicles

Autonomous (driverless) vehicles.
Remote diagnostic access, both autonomous and human driver.
Internal access by a passenger.

Use case — Internet of Things (IoT) Devices

Internet of Things (IoT) devices — authorized access.
Internet of Things (IoT) devices — unauthorized access.
Internet of Things (IoT) devices — authorized access but with stolen credentials.

Use case — Infrastructure

Whether a given infrastructure system is to be deemed critical is beyond the scope of this paper.

Industrial process control systems in general.
SCADA systems.
Physical security systems. Security cameras, card readers, biometric scanners, door control, area access control, access permission records, access logging.
Manufacturing plants.
Chemical plants.
Power plants.
Power grids.
Power substations.
Fuel production plants.
Fuel storage facilities.
Fuel distribution facilities.
Communication facilities.
Communication grids.
Communication networks.
Data centers.
Food production. Farms and plants.
Food storage facilities.
Food distribution facilities.
Food safety. Cleaning, testing, temperature control for storage and transport.
Transportation systems.
Airports.
Ports.
Railroads.
Highways.
Transportation terminals and stations.
Pharmaceutical facilities. Design, production, testing, storage, security, distribution, trials, data, databases.
Warehouses.
Office parks.

Use case — Network Design

The design of a network for an organization is critical to its security.

Components include:

Internal. All connected systems within the organization.
Servers. And racks and blades.
Routers.
Firewalls.
Endpoints. Users. Personal computers.
Proprietary data centers.
Multiple facilities, connected.
Workers and computers and devices outside of facilities connecting to internal network.
Cloud. Use of cloud service providers.
Use of external web services.
Internal services.
Proprietary services made publicly available.
Software to manage network.
Cybersecurity software to monitor and defend the network and all endpoints connected to the network.

Use case — Data Centers

Network design. See Use case — Network Design.
Facility design.
Connection to global communication networks.
Significant cybersecurity challenge.

See Access pattern — Data Centers.

Use case — Servers

Types of servers:

Email servers.
Web servers.
Application servers.
Other.

Use case — Web Servers

These are the servers which retrieve web pages using the HTTP protocol.

Use case — Application Servers

These are the servers which execute application software.

Use case — Data Collection

Consumer data.
Business data.
Government data.
Authorized collection.
Implicitly authorized collection. Terms of service.
Expected collection.
Unexpected collection.
Collection of publicly available data. Scraping.
Surreptitious collection.
Illegal collection.

Use case — Medical systems

Operations of a health facility.
Patient records.
Control for medical devices within health facility.

Use case — Election Systems

Voter registration.
Voting machines.
Voting results.

Use case — Semi-public Online Services

In contrast to open cyber services which will be available to all members of the general public, semi-public online services will be available only to elite users, members of designated groups, business users, and government agencies who can pass required explicit vetting approval with strict requirements, so that any random user can’t instantly create an account or identity.

These online services may involve:

High-value finance.
Highly-qualified users.
Carefully-scoped contracts.
Government contracts.
Defense contracts.
Intelligence contracts.
Confidential data.
Classified data.

As such, their cybersecurity needs may be dramatically greater than open cyber services.

Consumers may also utilize semi-public online services, but that is considered a distinct use case here.

Use case — Consumer Semi-Public Online Services

Semi-public online services available to consumers.

Some examples:

Banks.
Credit cards.
Brokerage and other investment accounts.
Utility accounts.
Any business or non-commercial organization with real world accounts for real world services, which provides services online as well.

The point is that unlike a fully public online service where anyone can create an account anywhere, at any time, and for any reason, semi-public accounts tend to have a direct association with an account at a firm that is not solely an online cyber service.

Most aspects of the consumer semi-public online services use case and its access patterns will be similar if not identical to the main semi-public online services use case.

Use case — Targeting an Individual

The offensive threat actor harbors intense animosity towards a particular individual.

The goal is to harass, embarrass, bully, disrupt, harm, cripple, or even kill the target individual. Or even induce them to commit suicide.

There may be a financial motive as well, but generally the primary motive is some irrational animosity.

Access patterns will be the same as any individual, user, or consumer.

Use case — Targeting an Organization

The offensive threat actor harbors intense animosity towards a particular business or organization.

The goal is to harass, embarrass, bully, disrupt, harm, cripple, or even destroy the target business or organization.

There may be a financial motive as well, but generally the primary motive is some irrational animosity.

Access patterns will be the same as any business or organization.

Use case — Targeting Business and Capitalism

The offensive threat actor has no direct interest or even a direct financial interest in a target business, but is ethically and ideologically opposed to big business, the profit motive, and capitalism overall.

The goal is to harass, embarrass, disrupt, harm, cripple, or even destroy the target business.

Or any organization which operates in fairly direct support of such businesses, such as trade associations.

Access patterns will be the same as any business or organization.

Use case — Targeting Government

The offensive threat actor is opposed to the target government or the regime currently in control of the government, or a particular policy or policies.

If the target is a particular policy or policies, the goal is to force the government to change its policies.

If the target is not policy per se, the goal is to harass, embarrass, disrupt, harm, cripple, or even destroy the target government.

Or any organization, business, or other government which operates in fairly direct support of the target government.

Access patterns will be the same as any business or organization.

Use case — Targeting Political Interests

The offensive threat actor is opposed to the target political party, faction, or individual politician, or their policies in general, or a particular policy or policies.

If the target is a particular policy or policies, the goal is to force the political entity to change its policies.

If the target is not policy per se, but a political party, faction, or individual politician, the goal is to harass, embarrass, disrupt, harm, cripple, or even destroy the target political entity.

Or any organization, business, or governmental entity which operates in fairly direct support of the target political entity.

Access patterns will be the same as any business organization, or individual.

Use case — Physical Asset Security

All of the best cybersecurity software, processes, and best practices in the world will be for naught if malevolent actors can gain unauthorized physical access to systems, bypassing some or all software cybersecurity defenses.

Use case — Undetected Vulnerabilities

Systems, software, and services may have vulnerabilities which have not yet been detected.

It is a race to see who will discover the vulnerability first, the defender or the offensive threat actor.

The only real answer here is to escalate the level of research and auditing to evaluate systems, software, and services for vulnerabilities, and then to devise and deploy corrections or defenses.

Use case — Undetected Incidents

Not all cybersecurity attacks, events, or incidents are detected.

Sometimes systems can go for hours, days, weeks, months, or even years, before somebody finally assesses that an attack occurred.

In fact, some attacks are never detected. And maybe due to the nature of the vulnerability might never be detected.

The only real answer here is to escalate the level of research and auditing into detection of cyber events.

Use case — Legacy Systems

Systems and software that were designed, implemented, and deployed prior to development of modern cybersecurity technology, processes, methods, and best practices are a special concern.

In some cases such systems and software can feasibly be upgraded to modern cybersecurity, albeit at some potentially significant cost. But in many cases budgeting, logistical concerns, practical concerns, and organizational inertia preclude or slow such upgrades.

Some legacy systems and software are not connected in any way to the Internet, so are at no direct risk.

But, some unconnected legacy systems might be upgraded to permit at least limited connectivity, in which case they would be exposed to cybersecurity risks.

Also, a malevolent actor might surreptitiously modify an unconnected legacy system to connect it to the Internet in such a way to exploit its potential cybersecurity vulnerabilities.

Use case — Future Systems

New systems and software should of course be designed, developed, and deployed according to the latest and best cybersecurity technology and best practices.

That’s the theory.

Unfortunately organizations with limited resources or management or technical staff lacking proper cybersecurity training or simply suffering from organizational inertia might fail to adhere to preferred cybersecurity best practices.

Systems and software which might be expected to be developed and deployed a year or more in the future might adopt more leading or bleeding edge cybersecurity technology, processes, methods and better practices than new systems which must be deployed in the present day.

Use of bleeding edge technology and practices might involve beta or even alpha test versions of products, tools, and services which are not yet ready for deployment. This approach carries risk, but might more than compensate for that risk with greater benefits than products, tools, services, and practices which are currently available.

Access Patterns

An access pattern is a type of operation, function, activity, or task that a person (persona) is performing when using connected digital systems, or in support of using connected digital systems. Sending or receiving an email message, posting on social media, or buying something online are examples of access patterns.

There can be significant overlap for access patterns between personas and use cases, but there are many distinctive access patterns peculiar to specific personas or use cases.

Since access patterns may differ between use cases or even for personas within use cases, there are a variety of categories of access patterns.

Access pattern categories

NIST Cybersecurity Framework. Core functions.
Human nature.
Identity.
Accounts.
Applications, data, and users.
User-created data and content.
User-initiated sharing of data.
Personally-Identifiable Information (PII).
Collection of user data.
Sharing of user data.
Marketing of user data.
Financial transaction data.
Web browsing.
Email.
Email servers.
Social media.
Encrypted messaging.
VPN — Virtual Private Network.
Cyber services. Web services. Any networked service using Internet protocols.
Network design.
Data access.
Remote access.
IT staff.
Cybersecurity staff.
Management.
Executives.
Training.
Workers. Non-issue for consumers.
Bluetooth devices.
Web cameras.
Remote web cameras.
Video surveillance systems.
USB drives.
Wi-Fi.
Routers.
Firewalls.
Network connections.
Internet Service Providers (ISP.)
Supply chain vulnerabilities.
Law enforcement.
Cyber warfare.
Insurance.
Vulnerabilities and threats
Offensive threat actors.

Access pattern — NIST Cybersecurity Framework

See the NIST Cybersecurity Framework for much more detail, but for the record and for the convenience of readers, here are the major categories of access patterns in the NIST framework,which they refer to as core functions:

Identify — Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
Protect — Develop and implement appropriate safeguards to ensure delivery of critical services.
Detect — Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
Respond — Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
Recover — Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

Cybersecurity events and incidents

The distinction between a cybersecurity event and a cybersecurity incident is somewhat nuanced, so that the two terms will frequently be used synonymously, but they are distinct, even though closely related.

The glossary (Appendix B) of the NIST Cybersecurity Framework tells us:

Cybersecurity Event — A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).
Cybersecurity Incident — A cybersecurity event that has been determined to have an impact on the organization prompting the need for response and recovery.

Or in plainer language:

An event is simply something that happened. It may or may not be a big deal that requires a response.
An incident is an event which is considered problematic and requires a response.

For example, a failed attempt to log in to a known user ID but with an invalid password would be an event, but won’t require a response from the cybersecurity team, so it wouldn’t be an incident. But if a pattern of such events might be treated as an incident requiring a response.

Access pattern — Human Nature

If a user can make a mistake, they will.
If a user can misconfigure a system, they will.
If a user can bypass security and safety systems, they will.
If a user can get confused, they will.
If a developer can make a mistake, they will.
If a user, developer, or manager can forget to do something, they will.
If a user, developer, or manager can be tempted to cheat or steal, they will.
If a system has a vulnerability, someone will seek to exploit it.
If someone can profit from the mistakes of others, they will.
Select workers with appropriate education.
Give workers appropriate training.
Give workers appropriate assignments.
Give workers appropriate responsibility.
Manage workers properly.
Supervise workers properly.
Monitor workers as needed.
Review workers properly.
Coach workers properly.
Terminate workers when necessary.
Reassign workers when necessary.
Be prepared for the unexpected. Expect the unexpected.

Access pattern — Identity

These are general access patterns for identity, spanning contrived, real, and anonymous user identity use cases.

Creation of a new identity.
Creation of a fake identity for research purposes.
Creation of a fake identity for testing purposes.
Creation of a fake identity for training purposes.
Creation of a fake identity for fraudulent purposes.
Detect fraudulent fake identities and treat as an attack.
Detect bulk creation of fake identities from the same source. Block future identity creation from that source.
Assuming identity of a deceased person.
Creating a user name.
Creating a user ID.
Creating a password.
Creating a strong password.
Creating a weak password.
Disallowing creation of a weak password.
Storing passwords — safely. Hashed with a one-way hash.
Storing passwords — unsafely. Clear text. Or a reversible hash.
Creating two-factor authentication.
Providing security questions and responses.
Storing identities and related information. Maintaining a database.
Logging in using identity credentials. User name or id and password, etc.
Logging in using two-factor authentication. Email, cell phone text/call, landline call.
Logging of login attempts.
Failed login attempt.
Failed login attempt — retry.
Failed login attempt — potential cyberattack.
Identity credential theft or compromise.
Identity theft.
Writing password and user ID on a Post-it note placed on PC or desk. Bad idea, but it happens.
Logging in using credentials borrowed from another user. It happens, but is a bad idea and needs to be discouraged or somehow prevented.
Login while already logged in elsewhere. Looks suspicious, should be disallowed, and possibly treated as a possible attack with compromised credentials. Or, it could be innocent, like logged in at home and work.
Lock screen whenever leaving keyboard and screen unattended.
Unlock screen on return.
Login for servers. Warrants greater care and greater security. Credentials should be changed frequently, especially whenever anybody leaves the group responsible for a server.
Law enforcement or courts may request or demand access to user identity information and associated user data.

Access pattern — Contrived Identity

Covered by Access pattern — Identity.

Access pattern — Real Identity

Covered by Access pattern — Contrived Identity.
Provide proof of real identity.

Forms and elements of real identity include:

Full name.
Birth date.
Social security number.
Mother’s maiden name.
Driver’s license.
Birth certificate.
Passport.
Bill. Utility, etc.
Lease. Or mortgage.
Account statement.
Biometric scan — fingerprint, hand, eye, facial, voice.

Any of these elements may be real or forged/faked.

Access pattern — Anonymous Identity

Covered by Access pattern — Contrived Identity.
User may go to extra efforts to mask their identity, such as browsing in incognito or other anonymous browsing modes.
Law enforcement and courts may still gain access to user identity and user data, as the law and legitimate warrants might permit.
Some systems or software may in fact permit fully anonymous activity such that even a court warrant and expert technical skills cannot bypass the technical methods used to secure the account and identity.

Access pattern — Accounts

Create new account.
Associate identity with account. Contrived, real, or anonymous.
Associate online account with an offline account. Such as bank, brokerage or investment, credit card, utility.
Provide full name.
Provide address.
Provide email address.
Provide profile information.
Accept default options.
Selectively opt in.
Selectively opt out.
Update account.
View account details.
View account activity.
Create alerts to receive notifications on account activity and conditions.
Manage alerts.
Delete alert.
Close account.
Order products or services.
Provide billing information.
Provide shipping information.
Initiate transactions.
View statements.
Request assistance.

Access pattern — Applications, Data, and Users

Organizations and users critically depend on online applications perform a lot of functions, most of which require data, much of which is supplied by users, and all of which is a target for hackers.

Run an online application.
Supply credentials to gain access to the application.
Create new records.
Enter data.
Update existing records.
Delete records.
Search records.
Maintain data in databases and files.
Maintain access controls for data.
Optionally encrypt underlying data.

Access pattern — User-Created Data and Content

Create data or content.
Modify data or content.
Delete data or content.
Decide to share data or content — selectively.
Decide to share data or content — publicly.
Decide to unshare data or content.
Define licensing for shared data or content.
Encrypt data or content.
Decrypt data or content.
Unauthorized access — viewing.
Unauthorized access — modification, deletion.
Unauthorized access — creation of new data or content. Fake.

Access pattern — Financial Transaction Data

Banks, credit cards, and other financial institutions.

Deposits.
Withdrawals.
Transfers.
Wire transfers.
ACH transfers.
Legitimate transactions.
Fraudulent transactions.
Mistaken transactions.
Interest.
Loan payments.
Charges.
Fees.
Charges.
Reversed charges.
Payments.
Debits.
Address or other account change — authorized.
Address or other account change — unauthorized.
Access to user financial records — authorized.
Access to user financial records — unauthorized.
Access to user transaction data — authorized.
Access to user transaction data — unauthorized.
Bulk copy of user financial data — authorized. IT may have good reason, but it should be examined closely.
Bulk copy of user data — unauthorized. Theft.
Financial controls. Who can do what within a financial organization.
Financial control logging.
Financial control auditing.

Access pattern — Web Browsing

Browse with a valid and reasonable URL.
Browse with a mistaken URL which takes the user to a malevolent web page that seeks to disinform or defraud the user. Or possibly to download malware or otherwise expose the user to a cyberattack.
Browse in incognito mode. So that servers and web sites cannot track browsing with cookies or other means.
Enable cookies.
Disable cookies.
Access cookies — legitimate.
Access cookies — illegitimate.
Record history of web pages browsed.
Access web page history — legitimate.
Access web page history — illegitimate.
Access encrypted web page.
Decrypt web page.
Browse web pages in incognito mode.
HTML script execution. May trigger a virus.
Access download cache — legitimate.
Access download cache — illegitimate.
Access web page cache — legitimate.
Access web page cache — illegitimate.
View benevolent ads.
View malevolent ads. May trigger a virus.

Access pattern — Email

Creating new account. Creation of a new identity.
Login access. Credential validation.
Composing email.
Sending mail.
Receiving email.
Viewing email messages.
Replying to email.
Clicking on links in email messages.
Previewing link URLs for links in email messages.
Clicked link opens a legitimate web page.
Clicked link opens a malevolent web page — simple SPAM marketing.
Clicked link opens a malevolent web page — fraud, phishing.
Viewing email attachments.
Saving email attachments to files for access outside of email.
Archiving email.
Deleting messages
Managing archived email.
Creating folders for saving messages.
Saving messages to folders.
Moving messages between folders.
Deleting messages in folders.
Purging deleted messages.
Email retention policies.
Email attachments — media.
Email attachments — PDF and slide presentations.
Email attachments — office documents (word processing, spreadsheet, presentations).
Email attachments — ZIP files — expected (rarely).
Email attachments — executables — expected (very rarely).

Summary of possible cyberattacks for email:

Identity credential theft or compromise.
Spoofing. Falsified message header to mislead recipient about identity of sender.
Phishing. Tricking recipient into providing credentials or personal information by faking an authoritative sender and a request to supply login credentials on a fake but genuine-looking web page.
Spear phishing. Targeted phishing, targeting specific organizations or even specific individuals.
Whaling. Phishing of spear phishing for senior officials in organizations — the biggest fish.
Link manipulation. Looks like a reasonable link, but some subtle difference leads to an undesirable web page.
Email attachments — ZIP files — unexpected, malevolent attack.
Email attachments — executables — unexpected, malevolent attack.
SPAM. Generally more of an annoyance, but may be fraudulent as well.

Access pattern — Email Servers

The email access pattern is concerned with the activities of the user, on the user’s personal device (personal computer, tablet, smartphone), while the email server access pattern is concerned with what happens on the server ou in the network which actually sends and receives email.

Set up new email server.
Configure email server.
Manage accounts on email server.
Maintain database of email account credentials.
Create email account upon request.
Update email account upon request.
Delete email account upon request.
Send email message upon request. Actually, queue it up to be sent, try to send it to the destination email server, wait if unable to send, and timeout if still unable to send.
Receive email message.
Validate email address for incoming message.
Bounce or reject messages addressed to invalid email addresses.
Auto-respond to messages for a particular email address, as directed for that account.
Auto-forward messages for a particular email address, as directed for that account.
Perform anti-virus checks on incoming messages. Quarantine as needed.
Perform spam checks on incoming messages. Divert to Spam folder as configured.
Move message from inbox to a folder, as directed by the user.
Manage folders and archives of saved messages
Manage folder of sent messages.
Move messages between folders as directed by the user.
Delete saved messages as directed by the user.
Restart server.
Shut down server.
Potential for corruption of the underlying databases and files for the platform.
Potential for denial of service attacks on the platform.

Access pattern — Social media

There are many different social media platforms. The access patterns listed here are intended to be generic and reasonably representative, but specific platforms may have additional access patterns or nuances and differences.

Create new account. Creation of a new identity.
Create a new non-public account.
Login. Credential validation.
Create a new post.
Include links in posts.
Embed media in posts.
View posts.
Comment on the posts of others.
View comments on a post.
Examine identity of a poster.
Examine identity of a comment on a post.
Reply to a comment of others.
Edit a previous post.
Delete a previous post.
Browse old posts.
Search old posts.
Delete account.

Summary of possible cyberattacks for social media:

Identity credential theft or compromise.
Unintentional sharing of identity credentials.
Ill-advised sharing of identity credentials.
Posting by other than owner of identity.
Deleting post by other than owner of identity.
Direct access to underlying data files and databases. Can be read in bulk, edited, corrupted, or deleted.
Deleting account by other than owner of identity.
Potential for corruption of the underlying databases and files for the platform.
Potential for denial of service attacks on the platform.

Access pattern — Encrypted Messaging

Compose, encrypt, and send encrypted message.
Receive, decrypt, and view encrypted message.
Quickly and permanently erase and destroy an encrypted message.
Download encrypted messaging application — legitimate.
Download encrypted messaging application — illegitimate, fake. Designed to mislead user into believing that their messages are more secure than they really are.
Internet Service Provider or router may block access to traffic and protocols used by the encrypted messaging application.

Access pattern — VPN — Virtual Private Network

Connect to a remote, private, internal network.
Browse the web, use email, use social media, and all other Internet applications and protocols, as if directly connected to that remote network.
Disconnect from remote network.
Download VPN software — legitimate.
Download VPN software — illegitimate, fake. Designed to mislead user into believe that their VPN Internet access is more secure than it really is.
Internet service provider or router may block use of the VPN protocols.

Access pattern — Cyber Services

Web services. Any networked service using Internet protocol. Typically application software running on a networked server. Excludes the application software itself — see Access pattern — Application Software Development.

Specify requirements for servers.
Acquire servers.
Install application software on a server.
Test application software internally on a server, not connected to the outside world.
Connect a server to the Internet.
Disconnect a server from the Internet.
Specify requirements for routers.
Acquire routers
Deploy routers.
Configure routers.
Test routers.
Monitor routers.
Replace routers.
Specify firewalls.
Acquire firewalls
Deploy firewalls.
Configure firewalls.
Test firewalls.
Monitor firewalls.
Replace firewalls.
Capacity planning.
Configure redundant servers to handle load.
Create data centers to manage and distribute load.
Balance load between data centers.
Balance service requests between servers.
Throttle service requests.
Monitor network traffic.
Upgrade servers.
Upgrade operating system software.
Deploy cybersecurity software, products, and services.
Monitor cybersecurity software, products, and services.

Access pattern — Academic Institutions

Same cybersecurity exposures as any other enterprise.
Online course enrollment.
Online course status.
Online course database.
Technology courses. Cybersecurity aspects.
Cybersecurity courses.
Abstract concepts for cybersecurity.
Practical, vocational aspects of cybersecurity. Job skills.
Technology research. Cybersecurity aspects.
Cybersecurity research — theory.
Cybersecurity research — abstract concepts.
Cybersecurity research — applied, practical results.
Promoting awareness and skills for cybersecurity.

Access pattern — Internet of Things (IoT) Devices

Specify requirements for devices.
Acquire devices.
Test devices.
Deploy devices.
Device control — authorized.
Device control — unauthorized.
Manage devices.
Enable devices.
Disable devices.
Remove devices from service.
Monitoring device control.
Monitoring device data traffic.
Updating device data database — authorized.
Updating device data database — unauthorized.

Access pattern — Health and Medical Records

Viewing — authorized.
Viewing — unauthorized, but still within organization.
Viewing — unauthorized, from outside of organization.
Copying — authorized.
Copying — unauthorized.
Delivering copy of records to a patient — authorized.
Delivering copy of records to a patient — unauthorized. Attempted theft.
Receipt of transferred records — legitimate.
Receipt of transferred records — illegitimate. Shady, fraudulent.
Deletion. Never a good idea.
Modification — authorized.
Modification — unauthorized, but still within organization.
Modification — unauthorized, from outside organization.
Audit logging of all changes.
Copying of audit log — unauthorized. Still theft, possibly of value to someone.
Direct file modification. Bypassing application.
Bulk theft of records.
Bulk copy of underlying files or databases — authorized. IT staff moving application.
Bulk copy of underlying files or databases — unauthorized, but still within organization. Very dubious, should be investigated.
Bulk copy of underlying files or databases — unauthorized, from outside the organization.
Analysis — authorized.
Analysis — unauthorized, but still within organization.
Analysis — unauthorized, from outside of organization.
Sharing of anonymized data with legitimate research organizations.
Sharing of anonymized data — unauthorized, but still within organization.
Sharing of anonymized data — unauthorized, from outside of organization. Theft.
Authorizing who should have access to health and medical records.

Access pattern — Medical Systems

Equipment within a health care facility, or possibly in a patient’s residence. Distinct from medical devices implanted in patients.

Control operations of a health facility.
Disrupt operations of a health facility.
Access to patient records.
Access to medical devices within health facility.
Access to remote medical devices.
Access stored data from medical devices.
Telemedicine.

Access pattern — Medical Devices

Medical devices implanted in patients, as opposed to equipment used within a health care facility.

Access data from medical device — authorized.
Access data from medical device — unauthorized.
Store data from medical device — authorized.
Store data from medical device — unauthorized.
Control of device — authorized.
Control of device — unauthorized, but still within facility. May or may not be malevolent.
Control of device — unauthorized, from outside the facility. May or may not be malevolent.
Intent to cause patient discomfort.
Intent to harm patient.
Intent to kill patient.
Access to devices which have not yet been implanted.
Access to devices which have been removed from patients.

Access pattern — Election Systems

Registering a new voter — legitimate.
Registering a new voter — fraudulent.
Updating registration for a voter — legitimate.
Updating registration for a voter — fraudulent.
Purging registration of a voter — legitimate.
Purging registration of a voter — fraudulent.
Purging registration of a voter — inadvertent, mistake.
Checking in a voter.
Recording vote of a voter.
Storing vote of a voter.
Absentee ballots.
Early voting.
Online voting.
Tallying and tabulating votes.
Reporting of voting results.
Auditing voting results.
Auditing individual votes.
Challenging voting results.
Challenging individual votes.
Sharing of voter registration data — legitimate.
Sharing of voter registration data — fraudulent.
Sharing of voter registration data — inadvertent, mistake.
Design of voting machines.
Development of voting machines.
Manufacture of voting machines.
Testing of voting machines.
Maintenance of voting machines.
Auditing of voting machines.
Loading of ballots into voting machines.
Testing of ballots loaded into voting machines.
Electronic access to voting machines — legitimate.
Electronic access to voting machines — fraudulent..
Access to voter registration database — legitimate.
Access to voter registration database — illegitimate.

Access pattern — Network Design

Purpose of the network.
Name or otherwise identify the network.
Vision of the network.
Mission of the network.
Strategic objectives of the network.
Assessment of scope of the organization.
Technical architecture of the network.
General review of and commitment to vision, mission, scope, strategic objectives, and technical architecture of the network by all relevant stakeholders, including IT staff, cybersecurity staff, management, application development groups, senior management of business units, and executives.
Capacity planning.
Assessment of facilities to be connected by the network.
Assessment of needs for data centers and expected growth rates.
Assessment of types of endpoints, needs of users, total number of users, and expected growth rates.
Assessment of workers and computers and devices outside of facilities connecting to internal network and expected growth rates.
Assessment of forms of data, amounts of data, and expected growth rates.
Assessment of needs for servers, and expected growth rates.
Assessment of needs for routers, and expected growth rates.
Assessment of needs for firewalls, and expected growth rates.
Assessment of needs for external cloud services and expected growth rates.
Assessment of external demands for proprietary cyber services to be provided to the public and expected growth rates.
Assessment of use of external cloud service providers and expected growth rates.
Assessment of external web services required by the network and expected growth rates.
Assessment of software and services needed to manage the network.
Assessment of cybersecurity software and services needed to protect the network.
Assessment of physical facilities needed to house and support the network.
See also Access pattern — IT Staff.
See also Access pattern — Cybersecurity Staff.

Access pattern — Data Centers

Design of overall organization network. See Access pattern — Network Design.
Capacity planning.
How many data centers needed now?
Forecast future data center needs.
Design of network within a particular data center.
Cybersecurity considerations across global network for organization.
Cybersecurity considerations within each data center.
Cybersecurity staff who will be needed within each data center.
Cybersecurity staff who can service more than one data center.
Staff needed to bring up a new data center. No longer needed on-site after data center has gone operational.
Staff needed to operate a particular data center on an ongoing basis.
Planning for a data center.
Implementation of a data center.
Testing a new data center.
Acceptance testing for a new data center.
Transition of a new data center to full operations.
Evolution of a data center. Expansion. Upgrading systems. Decommissioning old systems.

Access pattern — Semi-public Online Services

Online services whose access is relatively tightly controlled, in contrast to completely open public cyber services.

Vision of the service.
Specification of criteria for providing access.
Specification of vetting process.
Specification of review of vetting process.
Accepting application for use of service.
Vetting application for use of service.
Approving application for use of service.
Rejecting application for use of service.
Defining personas for service and data access.
Defining scope of service and data access for each persona.
Monitoring service and data access.
Terminating access to service and data.
See also Access pattern — Cyber Services.

Access pattern — Data Access

This includes the databases and data files for online applications and user data, as well as configuration files which govern operation of the system, including security and access control.

Severely restrict data access.
Very selectively enable data access.
Carefully review requests for data access.
Restrict enabled data access.
Monitor data access.
Log data access.
Audit data access.
Read file.
Create file.
Copy file.
Modify file.
Delete file.
Rename file.
Query database.
Update database data.
Update database structure.
Delete data from database.
Delete database.
Read directory of files.
Elevate privileges to gain access to protected data — legitimate. Sometimes, rarely.
Elevate privileges to gain access to protected data — illegitimate.
Log all attempts to elevate privileges.
Log all data access using elevated privileges.
Require separate, manual second-party approval for elevating privileges.

Access pattern — Remote Access

Remote access includes any form of remote login or connection, such as Telnet and Remote Desktop Connection, which have potentially very severe cybersecurity risks.

Severely restrict remote access.
Very selectively enable remote access.
Carefully review requests for remote access.
Restrict enabled remote access.
Monitor remote access.
Log remote access.
Audit remote access.

Access pattern — IT Staff

Application development is covered under Access pattern — Application Software Development regardless of whether it is included under IT or is outside of IT proper.

Cybersecurity is covered under Access pattern — Cybersecurity Staff.

Advocate for budgets and priorities — general.
Advocate for budgets and priorities — cybersecurity.
Selection of vendors — hardware.
Selection of vendors — software.
Selection of vendors — cybersecurity software.
Acquisition — hardware.
Acquisition — software.
Acquisition — cybersecurity software.
Install software.
Installation of application software.
Place code files on server for execution — legitimate.
Place code files on server for execution — illegitimate.
Installation test of application software.
Deployment — hardware.
Deployment — software.
Deployment — cybersecurity software.
Physical access to servers.
Power supply for servers.
Network access for servers.
Provisioning to assure sufficient servers to handle normal load, peak load, and DOS attacks.
Configuration of cybersecurity software.
Change control of cybersecurity software.
Software updates.
Software updates — security patches.
Patch code files — legitimate.
Patch code files — illegitimate.
Testing — hardware.
Testing — software.
Testing — cybersecurity software.
Backup.
Restore from backup.
Security review on bug fixes and enhancements to software and services.
Asset management. See Access pattern — Asset Management.
Enable and support encryption. See Access pattern — Encryption.
Detect botnets.
Work with cybersecurity staff to disrupt botnets.
Reducing complexity to reduce vulnerabilities.
Managing and mitigating complexity to manage and mitigate vulnerabilities.
Compliance with government regulations on cybersecurity
Working with lawyers to ensure compliance with relevant law and regulation.
Retaining consultants for specialized tasks and issues.

Access pattern — Cybersecurity Staff

This section is a brief summary of activities and tasks for cybersecurity staff. For greater detail, see the NIST NICE Framework.

The National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, or NICE Framework or just NICE for short, categorizes and describes cybersecurity work.

For a general overview of NICE, see:

https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework

For the actual NICE Framework, see:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf

This paper includes NICE work roles within personas, and tasks under access patterns.

NICE is a good start and has more detail for cybersecurity tasks, but this paper takes a somewhat broader view on the topic.

Training — cybersecurity staff — general background
Training — cybersecurity staff — internal operations and best practices
Training — IT staff — general background
Training — IT staff — internal operations and best practices
Training — non-cyber/IT staff
Outreach to rest of organization.
Outreach to IT staff.
Outreach to application developer staff.
Outreach campaigns.
Outreach reminders.
Raising awareness of cybersecurity issues throughout the organization.
Narratives — construction. Describing issues and scenarios in language that each persona can understand and relate to.
Narratives — promotion.
Education in general.
Exercises, table tops.
Communicate alerts on incidents.
Communicate ongoing status for incidents.
Communicate lessons learned for incidents.
Alert and train people to be alert for attempted phishing attacks.
Advocate for budgets and priorities.
Vendor selection — hardware.
Vendor selection — software in general.
Vendor selection — cybersecurity software.
Acquisition — hardware.
Acquisition — software in general.
Acquisition — cybersecurity software.
Deployment — hardware.
Deployment — software in general.
Deployment — cybersecurity software.
Provisioning to assure sufficient servers to handle normal load, peak load, and DOS attacks.
Configuration — hardware.
Configuration — software in general.
Configuration — cybersecurity software.
Testing — hardware.
Testing — software in general.
Testing — cybersecurity software.
Monitoring — hardware.
Monitoring — software in general.
Monitoring — cybersecurity software.
Monitoring authorized access.
Monitoring unauthorized access.
Monitoring access patterns.
Monitoring user behavior patterns. Analytics.
Monitoring for denial of service attacks.
Monitoring systems for cybersecurity.
Anonymizing data for sharing and analysis.
Sharing data with government and industry.
Monitoring shared cybersecurity data from government and industry.
Revising practices based on shared data from government and industry.
Attending conferences and workshops to keep up on latest technology, threats, and best practices.
Monitoring of monitoring — assuring that monitoring is effective.
Cybersecurity threat scanning.
Cybersecurity event detection.
Assessment of cybersecurity events.
Classification of a cybersecurity event as an incident.
Cybersecurity incident detection.
Cybersecurity incident response.
Cybersecurity incident recovery.
Cybersecurity process refinement. Lessons learned.
Develop and maintain security architectures.
Identify risks.
Address risks.
Mitigate risks.
Build, install, configure, and test dedicated cyber defense hardware.
Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies.
Discover, deduce, and catalog entire attack surface area (vulnerabilities) for entire organization, including external services.
Plan, implement, and monitor cybersecurity defenses for the entire attack surface area for the organization.
Running a regular scan to check out for unpatched endpoints.
Assess coverage of cybersecurity defenses for the entire attack surface area for the organization.
Periodic review and assessment of all aspects of cybersecurity.
Auditing specific operational areas of the enterprise.
Auditing the entire organization for cybersecurity exposures.
Incident management.
Crisis management.
Root-cause analysis.
Lessons-learned review.
Development, publication, and promulgation of best-practice recommendations.
Assessment of cybersecurity risk.
Development of cybersecurity improvement program.
Continuous improvement.
Accessing external services which may incur cybersecurity risks.
Identifying other organizations which share similar cybersecurity concerns and sharing knowledge, policies, and practices with them, such as organizations in a particular sector such as banks, utility companies, manufacturing companies, chemical companies, etc.
Broad disclosure of vulnerabilities and information sharing, especially Coordinated Vulnerability Disclosure (CVD).
Compliance with government regulations on cybersecurity.
Recognizing patterns of suspicious activity.
Develop and facilitate data-gathering methods.
Collecting digital evidence.
Digital forensics.
Cyber forensics.
Network traffic analysis.
Packet analysis.
Detecting botnets.
Measures to disrupt botnets.
Crack encryption. When authorized, and legal.
Uncrackable encryption. Research topic. Ongoing efforts to advance technology. For example, quantum computing.
Asset management. See Access pattern — Asset Management.

Access pattern — Application Software Development

The specific software development process will vary between organizations, but the basic elements of any software development process are (or include):

Work with product management on all stages of the software development process.
Work with cybersecurity team at all stages of the process.
Simple statement of purpose of the software. One-liner.
Name the software.
Define vision, mission, and strategic objectives for the software.
Define functional architecture of the software.
Define general functions and features of the software.
Define specific functions and features of the software.
Define detailed functions and features of the software.
Define cybersecurity profile for the software.
Design overall technical architecture of software.
Design subsystem architecture of software.
Design subsystem modules of software.
Design individual modules of software.
Design the user experience (UX).
Develop test plan for software
Develop sequenced development plan for functions.
Develop sequenced development plan for modules and subsystems to support the sequencing of function development.
Iterate development incrementally. At each stage adding more functions and features and demonstrating them to all key stakeholders.
Code modules according to plan.
Code tests for modules and subsystems in parallel or in advance of corresponding code for modules.
Develop the user experience (UX).
Test module code.
Test subsystems.
Test user experience functions and features.
Integrate subsystems.
Documentation plan.
Overall documentation.
Major feature documentation.
Detailed feature documentation.
Integrate full software.
Demonstrate incremental progress to all relevant stakeholders, including management.
Package full software.
Test install full software.
Test full software.
Develop release criteria.
Produce and test a series of releases candidates (RC).
Release based on defined criteria.
Provide alpha and beta pre-releases.

Access pattern — Asset Management

Asset management is a joint responsibility of the IT staff and the cybersecurity staff.

The IT staff may have nominal responsibility for keeping track of their own assets, but the cybersecurity staff will need to provide a second set of eyes to assure that no asset falls through the cracks. And to assure that any new types of assets are thoroughly evaluated before being introduced into the inventory of systems.

Identify and catalog assets.
Track acquisition of new assets.
Assess vulnerabilities of each asset type.
Protect each asset.
Assess protection of each asset.
Monitor each asset.
Manage assets.
Assess proposed new types of assets.
Assure that decommissioned assets are thoroughly wiped clean so that a potential threat actor cannot discern any sensitive operational data or configuration information from the storage on that asset.

Access pattern — Encryption

Make encryption software available to users.
Make encryption options available to users.
Encryption of data in flight (network access).
Encryption of data at rest (on disk).
End-to-end encryption.
Encrypt data.
Decrypt data.
Respond to law enforcement requests to decrypt data.
Respond to court order to decrypt data.
Assessment of encryption alternatives and options.
Ongoing education, training, and consulting to stay abreast of the latest advances in encryption techniques, tools, and products.

Access pattern — Application Developers

The emphasis here is on assuring that cybersecurity factors be taken into account when designing and developing computer software applications.

See Access pattern — Application Software Development for actual software development.

Designing new applications.
Emphasize secure by design.
Securing recent applications.
Securing legacy applications.
Implementing code.
Testing code.
Testing all combinations of all security options.
Deploying applications.
Review of new application designs for cybersecurity factors.
Review of existing application designs for cybersecurity factors.
Review of legacy application designs for cybersecurity factors.
Review of application development process for cybersecurity factors.
Train entire application development staff on cybersecurity.
Periodically review training of staff for cybersecurity.
Ongoing training for staff on cybersecurity as technology and best practices advance.

Access pattern — Management

Training — General awareness and background for cybersecurity.
Training — Cybersecurity for management.
Training — Assure that subordinates are fully trained for cybersecurity.
Advocate for budgets and priorities for cybersecurity with senior managers and executives.
Assign sufficient priority to cybersecurity.
Budget sufficiently for cybersecurity.
Request periodic briefings on cybersecurity status with each subordinate.
Develop and review recruiting, hiring, and retention procedures for cybersecurity staff.
Develop and review recruiting, hiring, and retention procedures for non-cybersecurity staff with regard to cybersecurity awareness and skills needed for even non-cybersecurity staff positions.
Compliance with law government regulations on cybersecurity

Access pattern — Human Resources

Develop and review recruiting, hiring, and retention procedures for cybersecurity staff.
Develop and review recruiting, hiring, and retention procedures for non-cybersecurity staff with regard to cybersecurity awareness and skills needed for even non-cybersecurity staff positions.
Access to personnel information — including positions and locations, and organizational structure — authorized.
Access to personnel information — unauthorized.

Access pattern — Executives

Same as for management in general.
Advocate for budgets and priorities for cybersecurity with board of directors.

Access pattern — Training

Training would include:

What each persona needs to know about cybersecurity.
How much each persona needs to know about cybersecurity.

Categories of training:

General background. The nature of the problem. General awareness. Everybody, at all levels, both workers and management in organizations and consumers.
Cybersecurity staff.
IT staff.
Application development staff.
All users throughout organization. Literally, anybody who might have a user name and password, need to access an internal system, or work with an external vendor who might have potential cybersecurity vulnerabilities.
Management.
Executives.
Board of directors.
Management for cyber services.
Executives for cyber services.
Board of directors for firms focused on or heavily dependent on cyber services.
Customers.
Contractors.
Vendors.

Access pattern — Training — General background

New employee orientation/onboarding. What everyone in the organization needs to know before they can be granted any access to the computing systems of the organization.
New contractor/contractor orientation/onboarding. What every non-employee working in the organization needs to know before they can be granted any access to the computing systems of the organization. May be the same as for employees or more limited if less access is being granted.
General awareness and background for all.
Awareness and general background for consumers.
Awareness and general background for users.
Awareness and general background for workers.
Awareness and general background for technical staff.
Awareness and general background for technical team leaders.
Awareness and general background for non-technical team leaders.
Awareness and general background for technical managers.
Awareness and general background for non-technical managers.
Awareness and general background for application developers.
Awareness and general background for IT staff.
Awareness and general background for senior technical managers and executives.
Awareness and general background for senior non-technical managers and executives.
Awareness and general background for board of directors.
Awareness and general background for regulators.
Awareness and general background for policy makers.
Awareness and general background for lawyers.
Awareness and general background for judges.
Awareness and general background for legislators.
Awareness and general background for community leaders.
Awareness and general background for citizens.
More advanced general background when needed.
Even more advanced general background when needed.

The point is that everyone needs basic awareness and general background, plus material a little more tailored to their persona, plus possibly some level of more advanced but still general background if the individual or group has somewhat more intense interest or needs.

Access pattern — Training — Cybersecurity Staff

Technical staff. General.
Technical staff. Specialized areas of cybersecurity.
Training by vendors. Such as providers of cybersecurity products and services.
Technical management.
Senior and executive management.

Access pattern — Training — IT Staff

Technical staff. General.
Technical staff. Those with a focus on cybersecurity.
Training by vendors. Such as providers of cybersecurity products and services or products which have a high potential for cybersecurity issues.
Technical management.
Senior and executive management.

Access pattern — Training — All Users in Organization

Beyond universal awareness and general background, all users in an organization should be trained in the specific cybersecurity issues that apply to all users or workers in that particular organization.

Literally, anybody who might have a user name and password, need to access an internal system, or work with an external vendor who might have potential cybersecurity vulnerabilities.

Complete all required cybersecurity training.
Importance of keeping all identity and account credentials secure.
Importance of taking cybersecurity seriously.
Importance of completing all required and suggested cybersecurity training.
Importance of reporting any suspected cyberattacks.

Access pattern — Training — Management

Beyond universal awareness and general background, all managers in an organization should be trained in the specific cybersecurity issues that apply to all managers in that particular organization.

Complete all required cybersecurity training.
Assure that all subordinates receive required cybersecurity training.
Assure that all subordinates assure that their subordinates receive required cybersecurity training.
Appropriate priority for cybersecurity in their area of responsibility.
Appropriate budgeting for cybersecurity in their area of responsibility.
Cultivating a work culture of cybersecurity.

Access pattern — Training — Executives

Beyond universal awareness and general background, all executives in an organization should be trained in the specific cybersecurity issues that apply to all executives in that particular organization.

Complete all required cybersecurity training.
Assure that all subordinates receive required cybersecurity training.
Assure that all subordinates assure that their subordinates receive required cybersecurity training.
Appropriate priority for cybersecurity in their area of responsibility.
Appropriate budgeting for cybersecurity in their area of responsibility.
Cultivating an enterprise culture of cybersecurity.

Access pattern — Training — Board of Directors

Beyond universal awareness and general background, all members of the board of directors of the organization should be trained in the specific cybersecurity issues that apply to that particular organization.

Complete all required cybersecurity training.
Assure that all executives receive required cybersecurity training.
Assure that all executives are aware of the importance of assuring that their subordinates receive required cybersecurity training and fully understand its importance.
Appropriate priority for cybersecurity for the organization.
Appropriate budgeting for cybersecurity for the organization.
Cultivating an organizational and work culture of cybersecurity.

This training would be appropriate even for organizations which do not have a primary focus on cyber services.

Access pattern — Training — Management for Cyber Services

Beyond universal awareness and general background and cybersecurity training required for all managers in the organization, all managers in business units which provide or depend in some way on cyber services should be trained in the specific cybersecurity issues that apply to that particular business unit.

Complete all required cybersecurity training.
Periodic review of cybersecurity for the business unit.
Appropriate priority for cybersecurity in the business unit.
Appropriate budgeting for cybersecurity in the business unit.
Assure that all subordinate staff receive cybersecurity training required for that business unit.
Cultivating a work culture with a special priority on cybersecurity.

Access pattern — Training — Executives for Cyber Services

Beyond universal awareness and general background and cybersecurity training required for all executives in the organization, all executives in business units or divisions which provide or depend in some way on cyber services should be trained in the specific cybersecurity issues that apply to that particular business unit or division.

Complete all required cybersecurity training.
Periodic review of cybersecurity for the business unit or division.
Appropriate priority for cybersecurity in the business unit or division.
Appropriate budgeting for cybersecurity in the business unit or division.
Assure that all subordinate staff receive cybersecurity training required for that business unit or division.
Cultivating an organizational and work culture with a special priority on cybersecurity.

Access pattern — Training — Board of Directors for Cyber Services

Beyond universal awareness and general background and board of directors’ cybersecurity training that applies to all organization, all members of the board of directors of organizations which have a primary or significant focus on cyber services should be trained in the specific cybersecurity issues that apply to that particular organization’s cyber services.

Complete all required cybersecurity training.
Give cybersecurity a special priority in their thinking and discussion of all matters for the organization.
Assure that all executives receive required cybersecurity training.
Assure that all executives are aware of the importance of assuring that their subordinates receive required cybersecurity training and fully understand its importance.
Cultivating an organizational and work culture with a special priority on cybersecurity.

Access pattern — Training — Customers

Complete all required cybersecurity training.
Training for cybersecurity when interacting with the organization.
Training for cybersecurity considerations when working with products distributed and supported by the organization.
Training for cybersecurity considerations when working with services provided by and supported by the organization.

Access pattern — Training — Contractors

Beyond universal awareness and general background, all contractors in an organization should be trained in the specific cybersecurity issues which apply to all users or workers in that particular organization. They may not need the full training that all in-house users and workers require, but enough to permit them to properly complete their work within the organization.

Literally, anybody who might have a user name and password, need to access an internal system, or work with an external vendor who might have potential cybersecurity vulnerabilities.

Complete all required cybersecurity training.
Importance of keeping all identity and account credentials secure.
Importance of taking cybersecurity seriously.
Importance of completing all required and suggested cybersecurity training.
Importance of reporting any suspected cyberattacks.

Access pattern — Training — Vendors

Beyond universal awareness and general background, all vendor workers or contractors working in an organization should be trained in the specific cybersecurity issues that apply to all users or workers in that particular organization. They may not need the full training that all in-house users and workers require, but enough to permit them to properly complete their work within the organization.

Literally, anybody who might have a user name and password, need to access an internal system, or work with an external vendor who might have potential cybersecurity vulnerabilities.

Complete all required cybersecurity training.
Importance of keeping all identity and account credentials secure.
Importance of taking cybersecurity seriously.
Importance of completing all required and suggested cybersecurity training.
Importance of reporting any suspected cyberattacks.

Access pattern — Workers

Access issues peculiar to workers within an organization, including employees, contract workers, vendor workers, and temporary workers, which consumers would not tend to have.

Complete all required cybersecurity training.
Identity. See Access pattern — Identity.
Report lost security device or keys.
Report door or windows ajar or open.
Report suspicious behavior.
Report requests to provide or coerce access or share credentials.
Weak password, not updated frequently enough. Bad idea.
Strong password.
Change password if exposed or compromised.
Report any incidents where someone else appears to have accessed their accounts.
Change password frequently.
Obtaining Wi-Fi credentials.
Sharing Wi-Fi credentials — properly.
Sharing Wi-Fi credentials — improperly.
Using a USB drive — authorized.
Using a USB drive — unauthorized.
Visiting friends at office.
Termination of workers. Prompt elimination of access.

Access pattern — Bluetooth Devices

Monitoring data and media.
Interfering with proper use.
Mimicking a real device.
Mimicking a rel computer.

Access pattern — Web Cameras

Monitoring and capturing video from a user’s web camera. On their local computer or smart device.
Surreptitiously turning on user web camera and capturing video.
Disable web camera.
Enable web camera.

Access pattern — Remote Web Cameras

View live video stream — public, anyone.
View live video stream — authorized.
View live video stream — unauthorized.
View snapshot images — public, anyone.
View snapshot images — authorized.
View snapshot images — unauthorized.
Access metadata — public, anyone. Location, view, etc.
Access metadata — authorized. Location, view, etc.
Access metadata — unauthorized. Location, view, etc.
Remote control of camera — public, anyone. Zoom, pan, tilt.
Remote control of camera — authorized. Zoom, pan, tilt.
Remote control of camera — unauthorized. Zoom, pan, tilt.
Disable camera — authorized.
Disable camera — unauthorized.
Enable camera — authorized.
Enable camera — unauthorized.
Remotely configure camera — authorized.
Remotely configure camera — unauthorized.

Access pattern — Video Surveillance Systems

Same as remote web camera (see Access pattern — Remote Web Cameras), but likely without public access.
Image processing software to detect motion, read text such as license plates, record and possibly recognize facial images.

Access pattern — Live Streaming Video

Initiating a live stream — authorized.
Initiating a live stream — unauthorized.
Initiating a live stream — forbidden. May not be appropriate to live stream from some environments, such as secure areas. Visitors or new workers may be unaware of the policy or its importance.
Properly tagging the source of the video.
Falsely tagging the source of the video.

Access pattern — USB Drives

Generally, use of USB drives within organizations or on computers of the organization is frowned upon and to be discouraged.

Consumers use USB drives at their own risk.

Better to transfer data via the cloud or possibly email, and to update software via approved download methods.

Copying of data — authorized.
Copying of data — unauthorized.
Copying of data — forbidden.
Copying of code or software — authorized.
Copying of code or software — unauthorized.
Copying of code or software — forbidden.
Facilitating installation of malware on a target computer.
Installation of software — authorized.
Installation of software — unauthorized.
Installation of software — forbidden.

Access pattern — Wi-Fi

Offer Wi-Fi within an office.
Offer Wi-Fi within a public space of a business. Lobbies, conference facilities, et al.
Offer Wi-Fi within a publicly-accessible facility. Coffee shops, cafes, et al.
Offer Wi-Fi in non-commercial public spaces. Libraries, at al.
Offer Home Wi-Fi.
Configure Wi-Fi. Network name (SSID) and password.
Decide whether and how to share credentials for access.
Adequately provisioning an area for Wi-Fi service.
Decide whether and how much to charge for Wi-Fi service.

Access pattern — Unauthorized Connected Devices

Plug unauthorized device into protected network — unintentionally.
Plug unauthorized device into protected network — with bad intentions.
Unauthorized device accesses data.
Unauthorized device uses remote access.
Unauthorized device floods network with traffic.

Access pattern — Routers

Specify routers.
Acquire routers.
Deploy routers.
Configure routers.
Set name and password for secure access.
Monitoring data and media traffic.
Interfering with proper use.
Monitor load.
Normal load.
Unusual load — legitimate spikes.
Unusual load — attempted denial of service (DOS.)
Detect unusual load.
Respond to DOS attack.
Access credentials — proper use.
Access credentials — unauthorized use.

Access pattern — Firewalls

Monitoring data and media traffic.
Interfering with proper use.
Specify firewalls.
Acquire firewalls.
Deploy firewalls.
Configure firewalls.
Monitor and review configuration periodically.
Verify that permitted access is successful.
Verify that denied access fails.
Monitor load.
Normal load.
Unusual load — legitimate spikes.
Unusual load — attempted denial of service (DOS.)
Detect unusual load.
Respond to DOS attack.
Access credentials — proper use.
Access credentials — unauthorized use.

Access pattern — Network Connections

A dumb old cable may seem safe, but you never know what the other end of the cable really plugs into. Or what might be in the middle.

Insert a hub or switch — for good intentions.
Insert a hub or switch — for bad intentions.
Monitoring data and media traffic — for good intentions.
Monitoring data and media traffic — for bad intentions.
Interfering with proper use.
Redirect data and media.
Modify data and media.
Divert a copy of data and media.

Access pattern — Internet Service Providers (ISP)

Monitoring data and media traffic.
Interfering with proper use.
Access credentials — proper use.
Access credentials — unauthorized use.

Access pattern — Supply Chain Vulnerabilities

Analyze component requirements.
Evaluate alternative components.
Choose component.
Evaluate alternative vendors for a component.
Evaluate supply chain vulnerabilities for a vendor for a component.
Choose vendor.
Periodically re-review supply chain assessment.

Access pattern — Personally-Identifiable Information (PII)

User providing personally-identifiable information (PII).
User updating personally-identifiable information (PII).
User requesting personally-identifiable information (PII) to be forgotten.
Service provider obtaining personally-identifiable information (PII).
Service provider storing personally-identifiable information (PII).
Service provider accessing personally-identifiable information (PII) — legitimate.
Service provider sharing personally-identifiable information (PII) — explicitly authorized by user.
Service provider sharing personally-identifiable information (PII) — implicitly authorized by user. Terms of service.
Service provider sharing personally-identifiable information (PII) — unintentionally, negligently.
Service provider sharing personally-identifiable information (PII) — improperly. In violation of terms of service, law, and regulation.
Service provider sharing personally-identifiable information (PII) — with law enforcement.
Accessing personally-identifiable information (PII) — unauthorized.
Bulk theft of personally-identifiable information (PII).

Access pattern — Collection of User Data

Collection of data about a user. Mostly by tracking user activities in application software.
See also Access pattern — Sharing of User Data.
See also Access pattern — Marketing of User Data.

Access pattern — Sharing of User Data

Inform user that data may be shared as a result of accepting Terms of Service.
Offer user opportunity to opt out of sharing their data. Default to opt in.
Offer user opportunity to opt in to share their data. Default to opt out.
Collection of data about a user.
Share user data very selectively.
Share user data generally.
Share user data in bulk.
Share user data only to other business units in the same organization.
Share user data to other, commercial enterprises.
Share user data only to other, noncommercial organizations.
Share user data to research groups.
Share anonymized user data to research groups.
Share only anonymized user data to research groups.
Market user data — see Access pattern — Marketing of User Data.

Access pattern — Marketing of User Data

Inform user that data may be marketed and shared as a result of accepting Terms of Service.
Offer user opportunity to opt out of marketing and sharing their data. Default to opt in.
Offer user opportunity to opt in to market and share their data. Default to opt out.
Market and share user data very selectively.
Market and share user data generally.
Market and share user data in bulk.
Market and share user data only to other business units in the same organization.
Market and share user data only to other, commercial enterprises.
Market and share user data only to other, noncommercial organizations.

Access pattern — Law Enforcement

Roles of law enforcement in cybersecurity.

Education. Outreach.
Monitoring.
Guidance.
Assistance.
Access to encrypted devices.
Obtaining warrants for surveillance and access to encrypted data.
Enforcing law and regulations where violation is a crime.

Access pattern — Cyber Warfare

Defend military forces, military installations, and infrastructure against cyberattack, whether foreign state, terrorist, or criminal organization.
Defend computing and communication systems against physical attack.
Offensive cyber operations against adversary computing and communication systems.
Offensive cyber operations against adversary military forces and installations.
Offensive cyber operations against adversary infrastructure.
Disinformation campaigns.
Troll farms and other methods for psychological warfare.

Access pattern — Insurance

Write policies for liability for losses from cyberattacks.
Buy insurance policy for liability for losses from cyberattacks.
Payment for liability for losses from a cyberattack.
Payment of insurance premiums against losses from a cyberattack.

Access pattern — Vulnerabilities and Threats

Here is just a very brief summary of the major cybersecurity vulnerabilities and threats, at a high, abstract level, intended just to give a flavor and the overall scope.

For much greater detail and specificity for specific vulnerabilities, see the NIST National Vulnerability Database (NVD).

Privacy violation.
Violation of civil liberties.
Denial of service. And Distributed denial of service.
Data breach.
Financial theft.
Intellectual property (IP) theft.
Intellectual property (IP) tampering.
Intellectual property (IP) destruction.
Targeted data access, theft of targeted credentials.
Targeted data tampering.
Targeted data destruction.
Disruption of business (beyond network access DOS.)
Botnets.
Surveillance.
Industrial espionage.
Red team challenges.
Whistleblowers.
SPAM.
Malware.
Remote desktop connection — command execution — unauthorized.
Telnet remote login and command execution — unauthorized.
Privilege elevation to gain access to user data, system files, and system functions.
Buffer overrun.
Code injection.
SQL injection.
Ransomware.
Payment for ransomware attack.
Misleading domain name, file name, or file type which misleads user into accepting malevolent data.
Man in the middle attacks.
BIOS hacking.
Chip hacking.
Motherboard hacking.
Access to personnel information — unauthorized.
Cyber warfare.

See also the NIST National Vulnerability Database (NVD):

https://nvd.nist.gov/

Access pattern — Offensive Threat Actors

These are activities that offensive threat actors commonly engage in.

See Access pattern — Vulnerabilities and Threats for a sense of the range of vulnerabilities which offensive threat actors target.

Identify potential vulnerabilities.
Identify potential exploits.
Develop exploits.
Test potential exploits.
Upload exploits.
Advertise exploits.
Sell exploits.
Focus on zero-day exploits. Those for which target systems have no defense.
Design botnets.
Develop botnets.
Test botnets.
Deploy botnets.
Sell botnets.
Trigger attacks from botnets.
Design malware.
Develop malware.
Test malware.
Distribute malware.
Trigger malware attacks.
Domain name hijacking
Network and system scanning for open ports and applications
Identity theft.
Capturing and selling credit card data.
Capturing and selling personally-identifiable information (PII).
Money laundering.
Activities as black hats — malevolent cyberattacks.
Activities as white hats — assisting organizations to identify vulnerabilities and defend against cyberattacks.

Work in progress

This informal paper is a work in progress and will continue to be updated as I become aware of additional information or new ways of thinking about or organizing the information.

It may be incomplete, sketchy, or vague in some areas, which will be fleshed out more completely over time.

Consider it a draft, for now.

Future work

Consider closer alignment between the concepts of this paper and the NIST frameworks, especially NICE categories, work roles, and tasks.
Additional papers on aspects that were outlined as being beyond the scope of this paper.
Additional refinement of specific personas, use cases, and access patterns and their categories.
Addition of new or newly identified personas, use cases, and access patterns and their categories.
More refined terminology.
A glossary of relevant terms.