The document discusses how the Cyber Self Defence Framework (CSDF) can help individuals prioritize cybersecurity efforts using Situational Crime Prevention (SCP) strategies. The CSDF identifies 101 unique safeguards across three priority levels to deter, deflect, and defend against cybercrime. It takes a holistic approach, focusing on practices like using unique passwords, antivirus software, firewalls, and backing up data. The CSDF aims to help overwhelmed users by stating clear actions and benefits. Future versions could tailor recommendations based on user profiles and provide time-bound or budget-bound "recipes" through distribution channels like the police or apps.

1. Save Yourself!
How the Cyber Self Defence Framework can help you prioritise and apply
defence in depth efforts using traditional Situational Crime Prevention strategies

2. The Problem

3. “$1 trillion
dollars!”

5. “more than half of
humanity is at risk of
falling victim to
cybercrime at any time”

6. “the primary key threat is
not state actors but
cybercriminals”

8. But why?

9. “cybercrime is safe and profitable,
occurs in an environment that is
constantly expanding and thrives in
vulnerable systems”
• Cybercrime pays and can be easy to commit
• Policing is (mostly) constrained to a pre-internet model
• Risk of detection, arrest, prosecution and jail time is low
• Connectivity is ubiquitous and more time is spent online

10. Stir in ingredients…
• Low interest rates
• Pandemic anxiety
• Isolation and loneliness
• Widespread loss of income
• Digital transformation to
WFA

12. Victorians had the highest reported losses - $49m, up 115% YoY
“likely attributable to the long lockdown periods the
population experienced in 2020, which created
opportunities for scammers as people were forced into
unusual economic and social situations that had the
potential to increase their susceptibility to scams”

13. Enforcement
Education
Wide
Focus
Narrow
Focus
NZ Police – Districts
- NZ jurisdiction
- Offshore limitations
NCSC
- CNI threats
- FVEY partnerships
NZ Police - NCCC
- Specialist
cybercrime unit
- Support
nationwide ops
Consumer Affairs
- Scamwatch owner
- Protection education
NetSafe
- Scamwatch triage
- HDCA education/response
DIA EMCU
- UEMA 2007 - Spam / 7726
- Txt, email, fax channels
IDCARE
- Identity theft and fraud
- Victim support across A/NZ
FMA
- Securities legislation
- Investment scams
Commerce Commission
- Fair Trading Act
Citizens Advice
- Advice and education
Domain Name Commission
- .nz domainspace
- Registry compliance
“the New Zealand landscape for
cybercrime is cluttered and
fragmented… unclear and
overlapping roles… multiple,
overlapping information sources
and entry points for members of
the public”
CERT NZ
- Cyber security focus
- COVID scams
OPC
- Data breaches (2020 Act)

14. Enforcement
Education
Wide
Focus
Narrow
Focus
NZ Police – Districts
- NZ jurisdiction
- Offshore limitations
NCSC
- CNI threats
- FVEY partnerships
NZ Police - NCCC
- Specialist
cybercrime unit
- Support
nationwide ops
Consumer Affairs
- Scamwatch owner
- Protection education
NetSafe
- Scamwatch triage
- HDCA education/response
DIA EMCU
- UEMA 2007 - Spam / 7726
- Txt, email, fax channels
IDCARE
- Identity theft and fraud
- Victim support across A/NZ
FMA
- Securities legislation
- Investment scams
Commerce Commission
- Fair Trading Act
Citizens Advice
- Advice and education
Domain Name Commission
- .nz domainspace
- Registry compliance
“the New Zealand landscape for
cybercrime is cluttered and
fragmented… unclear and
overlapping roles… multiple,
overlapping information sources
and entry points for members of
the public”
CERT NZ
- Cyber security focus
- COVID scams
OPC
- Data breaches (2020 Act)
2020:
$16.9m
4,740
reports
2020:
$19.23m
13,926
reports

17. NZ Police Stats
(NZCVS, 2019)
• Only 10% of fraud or cybercrime incidents reported to the Police
• The most common type of offence, more common than burglary
• Most commonly recognised by the victim as a crime
• Rated most ‘high seriousness’ (42%) but least reported
• Why such under-reporting?
32% reported to other authorities, 22% because “Police couldn’t
have done anything”

18. The Solution

19. Bruce Schneier
“Why are we trying to fix
the user instead of solving
the underlying security
problem?”

20. 4 models of crime prevention
Type Intent Effectiveness
Law enforcement Criminal justice system deters
and punishes offenders and
delivers rehabilitation
Poor
Developmental Early intervention addresses
the causes of criminality in
youth
Poor
Social Strengthening
neighbourhoods to build
community relationships
Poor
Situational prevention Reducing the opportunities for
crime through 5 mechanisms
Good

25. What is SCP?

26. “a package of measures that:
(1) are directed at highly specific forms of crime
(2) involve the management, design or
manipulation of the immediate environment in
as systematic and permanent a way as possible
(3) so as to reduce the opportunities for crime and
increase the risks as perceived by a wide range
of offenders”
Situational Crime Prevention is…

31. 5 mechanisms / 25 techniques

33. What is the Cyber Self
Defence Framework?

36. Internet users:
• Have limited ‘compliance budgets’
• Make time/benefit tradeoffs
• Struggle to understand and apply advice
• Lack ability to judge effectiveness
• Rates guidance based on cost, effort and
effectiveness
• States the action and the benefits
• Helps you navigate a sea of poorly
prioritised advice
The CSDF:

37. 101 Unique Safeguards
Priority 1: 57 Priority 2: 35 Priority 3: 9

38. Holistic techniques
• Identify your digital crown jewels - data and devices
• Use unique complex passwords
• Use trusted anti-virus/anti-malware software
• Use a supported OS on all connected devices
• Use a firewall
• Use secure networks
• Use HTTPS everywhere
• Use secure DNS
• Back up critical data and devices and test restoration
• Do not pay ransoms
• Use privacy and security enhancing browser add-ons
• Review privacy and terms of service statements
• Use services with good privacy protecting defaults
• Use a webcam cover
• Protect personal and financial information
• Use privacy settings on all platforms to limit sharing
• Protect phone numbers
• Avoid oversharing online
• Avoid high risk online activities when impaired
• Keep your clothes on
Privacy
Security

39. Foundational practices
to deter, deflect and
defend against cybercrime:
• Set clear online boundaries
• Avoid oversharing online
• Undertake security awareness training
• Communicate how and when to report incidents
• Communicate online policies/rules
• Do not provoke trolls/doxers
• Do not respond to trolls/doxers
• Do not support bullying and doxing behaviours
• Report abuse to service providers
• Report to law enforcement
• Use services with good security practices
• Use services with good privacy protecting defaults

40. Next steps…

41. CSDF v2
• Performance Shaping Factors:
Personality, Age, etc.
• Profile baselines: ‘Crypto Investor’
• Quick Starts:
• Time bound - 5 / 15 / 30 minute
‘recipes’
• Budget bound - $50 / $100 / $250
‘recipes’
• Devices owned, risk appetite

42. Distribution channels?
• Crime prevention guidance with NZ
Police
• Neighbourhood Support groups
• Partnership with Personal Cyber cover
providers
• SaaS / App-based subscription service:
 Task based checklists
 Set your own ‘nudge’ cadence -
DuoLingo
 Maturity pathway - Gamification
 Continuous monitoring and
improvement

43. Questions/Feedback?