User Stories

The FORTIKA consortium has worked to create a genuine collection of so-called “user stories”.

These are descriptions of threats and attacks that a user faces in the course of everyday work. The user stories reflect real threat scenarios that appear in the business environment. They provide the views of non-expert end-users on cyber security, as perceived in their day-to-day business practice in the environment of an SME.

The user stories help to align the goals of the project with the needs of SMEs and the market. Moreover, the user stories provide an effective tool for fine-tuning the FORTIKA pilots. Furthermore, they help all stakeholders to understand the FORTIKA functionality and to evaluate the FORTIKA outcomes.

So far, 50 user stories have been collected. The FORTIKA consortium analysed the collected user stories to interpret them and to identify insights and trends. The results of this procedure were published in the respective FORTIKA deliverables D3.6 and D6.3.

Aggregated data & Insights stemming from the user stories 
Correlation of FORTIKA use cases to the user stories 
Requirements stemming from the user stories 

An indicative selection of user stories

Below we present a set of selected indicative user stories in the form of short narrations, to show the extent and diversity of threat scenarios in the real work environment of SMEs. We list 15 selected user stories, two of which refer to academic institutions. The reader can easily notice the different nature of the threats in these two stories.


Selected user stories (15 indicative stories out of 50):

1. Spamming over mails, redirecting to untrusted pages

A user with advanced IT skills working in a software development company experiences, on a daily basis, email spamming attacks and redirection from a page to other untrusted pages. The typical activities of this user are development and testing of frontend and backend applications.
The spam attacks are intended to lead him to expose personal data over the web, visit unencrypted web pages that collect data, and leak sensitive data. Redirection is usually done in such a way that the user is not aware of it, so he may give personal data to untrusted web applications and agree to the conditions of the visited page without reading them. This scenario may endanger corporate data and has a negative impact on the firm’s reputation. Money and time must be spent to solve the problem caused by the threat.
Countermeasures so far include advanced firewall and antimalware means (SpamTitan). The firm also applies a total corporate security policy (ISO27001-compliant, nomination of a Chief Security Officer, etc.).


2. Phishing threats in the customer technical support department

A new employee in the customer technical support department of an SME offering automation services reports that phishing attacks show up on a daily basis. This employee has basic IT skills and his typical tasks are customer support and consulting, as well as success management.
The attacks aim to lead the user to disclose sensitive data through untrusted pages that are disguised as trustworthy ones. The disclosure of sensitive data may have disruptive effects on corporate and client data and on the corporate infrastructure. The firm is very sensitive to this kind of threat because it has a very extensive impact on client confidence and company reputation. Such attacks, if they succeed, may lead to loss of customers. Countermeasures in place include spam detection and prevention. Automation of the cyber protection mechanisms and an advanced antimalware infrastructure would improve protection significantly.


3. Compromised credentials in the sales department

A young staff member of the sales department of an SME offering technical services reported that credentials are compromised as a result of cyber-attacks. This employee has basic IT skills but has used IT for a long time. His everyday tasks at work are sales management and marketing.
He regularly experiences phishing attacks through emails, malware and phishing URLs. This leads to credential compromise approximately once per year. This type of attack endangers the corporate data and the infrastructure. When it succeeds, it may cause loss of customers and reputational damage.
Countermeasures in place include Two-Factor Authentication and a corporate policy for cyber security. Intelligent backup and training of the personnel may considerably improve the firm’s resilience.


4. Diverse attacks in academia

A professor in an academic institution with advanced IT skills and extensive work experience reported a wide spectrum of attacks in his everyday work. His daily tasks include teaching, IT management, administration, software testing, document management and development. In his IT environment, a variety of threats appear regularly. They include phishing, malware, brute force attacks, compromised credentials, ransomware, mining for cryptocurrencies, etc.
The threats show up as phishing emails, notifications in the email inbox, refused connections, IP hijacking, compromised IT infrastructure, a compromised switch, and ransom demands. On average, one threat succeeds per month, leading to data loss, even loss of banking data, and reputational damage.
The risks have so far been mitigated by testing, semi-automatic testing, vulnerability scans, etc. Penetration testing, QA testing, and mainly a total solution for email security and antimalware protection may provide significant improvements in the cyber resilience of the organization.


5. Attacks to the administration staff in an academic institution

A member of the administration staff in an academic institution with advanced IT skills reported that threats occur in his department through the way the personnel use IT, mainly web access. His typical tasks include IT administration and service deployment. The threats include malware attacks of several kinds and phishing.
On average, one threat appears per week, causing data loss, infrastructure malfunctions, and loss of analytics data. This has a negative effect on the organization’s reputation and may have a financial impact too.
The countermeasures used include tools such as OpenVAS, Apache Spot, etc. Adoption of CVSS evaluation or other risk evaluation solutions could improve immunity against the attacks.


6. Cyber-attacks against staff of sales department in an IT specialized SME

A member of the sales department in an SME that provides specialized IT services stated that phishing and ransomware are the most common types of attacks. He has basic IT skills. His everyday tasks focus on customer relationships, marketing and consulting services. The attacks show up through phishing emails and ransomware. They endanger privacy, data, reputation and sales, and thus have a negative financial impact.
The adoption of new technologies in the corporate environment, featuring improved intelligence (real-time notification, assistance, GDPR compliance, security-by-design, real-time protection, etc.), could significantly improve resilience against such attacks.

7. Data breaches in an IT specialized SME

A marketing director of an SME that provides specialized IT services stated that data breaches are the most common attack in his position. His typical tasks include brand development, marketing, decision-making, sales management, sales, management, product management, media presence, reporting to management, and market analysis.
According to him, a data breach mainly causes reputational damage, which is considered a very sensitive topic in the context of his work in this company. The threats could be mitigated through a training initiative to raise user awareness.


8. Cyber threats targeting resource availability in an SME

A young consultant with advanced IT skills, responsible for governance, risk and compliance consulting in an SME that provides specialized IT services, is involved in risk assessment and compliance assessment in a typical day. In the course of his job, a variety of cyber-attacks show up, including information disclosure, service interruption, loss of confidential data, loss of data, system compromise, malicious remote access, malware, etc.
In the majority of cases the endangered assets are data and services. On average, one attack succeeds per year, causing loss of data and unavailability of service, as well as damage to confidentiality.
Countermeasures in place include strong password policies, penetration tests, and supervision actions such as log management and log review. User awareness is a key measure for improving the resilience of the firm against attacks, and any educational activity for user awareness could help a lot.


9. Social engineering and spear phishing attacks against an SME

A consultant with medium IT skills working as a governance, risk and compliance consultant in an SME that provides specialized IT services reported that in his job the most common types of threats are social engineering and spear phishing attacks, both usually based on lack of awareness. The typical tasks of this user concern project management, project delivery, and customer relationships.
The attacks show up through phishing emails and, on average, once per year they lead to compromised credentials and compromised systems. This results in loss of data, including personal data and sometimes banking data.
The countermeasures in place are 2FA (Two-Factor Authentication), user training, awareness raising actions, email filtering, etc. Additional measures such as a real-time monitoring and notification service (via email or via the system) will improve resilience against cyber-attacks.


10. Spam emails and phishing

An experienced user with advanced IT skills, working on Research and Development of New Products (SW included) in an SME, reported that in his job the common threats include spamming and phishing.
The threats show up weekly, through phishing emails and the attached documents. They endanger assets like data, banking data and reputation. If they succeed, the attacks lead to loss of data and exposure of internal information.
So far the firm applies countermeasures including personnel training, compliance with international standards ISO27001 and ISO20000, backup mechanisms and corporate cyber security policies. Further improvements in the firm’s resilience could be reached through upgraded cyber security policies and integrated cyber security solutions.


11. Loss of sales due to cyber attacks

An administration staff member in an SME reported that economic loss occurs when a cyber-attack succeeds. In a typical day this user reads, filters and forwards emails received by the admin email account, uses the internal CRM, uses office applications (mainly for .doc and .xls files with macros and filters), and uses the web for administrative purposes. The common types of threats are viruses, spam emails and phishing. The threats show up weekly, through phishing emails and through email attachments with viruses.
The risk is to have the full company intranet down for hours or days. This can mean loss of commercial deals, delays in after-sales support or poor management of the relationship with the supply chain. After a successful cyber-attack, the firm loses at least 8 hours rebuilding a new PC, if the problem is confined to that machine. This causes loss of economic assets, but also loss of data linked to the sales department, the service department, or R&D.
The company uses IDS/IPS on the firewall and antivirus packages on Windows systems, and performs regular, periodic backups to devices that are isolated from the intranet once the backup is completed.


12. Loss of software code due to ransomware attacks

A user with extensive experience working on Research and Development of New Products (SW included) in an SME specialized in software development stated that, in his job, the main threats are the theft of written code or its malicious alteration or destruction (e.g. encryption by ransomware). This user has advanced IT skills. A typical day includes a short discussion with colleagues on the status of SW development progress (the previous day’s achievements and the current day’s development tasks). The day then continues with the actual SW development.
Ransomware can be installed, for example, by clicking an email attachment; code theft could occur if an adversary manages to get access to the company’s internal network. Such threats show up almost daily.
The endangered assets include source code repositories, the servers hosting the repositories and the developers’ workstations. If the attack succeeds, the firm suffers financial damage depending on the amount of source code stolen or altered. It definitely has a negative impact on the SW development team.
The company so far uses a firewall and an antivirus scanner (which also covers e-mails) and follows a policy for robust passwords. Future improvements should include the use of a firewall with an Intrusion Detection System (IDS) and a Security Information and Event Management System (SIEM). Network traffic should pass through the IDS. In addition, the SIEM should be able to receive the logs/events from the servers/workstations.


13. Loss of performance or abnormal system operation due to cyber attacks

A developer with advanced IT skills working on Research and Development of New Products (SW included) in a software house reported that he has experience with several malware-related problems caused by several types of cyber-attacks, such as Trojans, viruses, browser hijackers and adware. His day-to-day work is software development and research. If they succeed, these attacks cause loss of performance or abnormal system operation. Some of them are blocked by the antivirus software in use.
The endangered assets include almost all information related to the company, such as data, intellectual property, research and development results, etc. On average, a serious attack succeeds once per year. In this case the damage would be significant in terms of both economic loss and the company’s work.
Countermeasures so far include the use of security and recovery software, as well as repositories to recover from the loss of development data. A considerable improvement would be the introduction of a real-time notification and advice system, so that the user could receive clear and concise information through any appropriate channel (email, the system, etc.) about the actions that need to be taken.


14. Loss of performance or abnormal system operation due to cyber attacks

A technical manager with advanced IT skills working in an SME that offers IT support services has experienced several types of attacks in his career. In his current job a typical day includes Jira project management, review of emails and alerts related to IT infrastructure, meetings with the dev team, meetings with the sales team and code review in Bitbucket Git repositories.
The most common types of cyber-attacks are virus attacks, ransomware attacks and DDoS attacks. Depending on the nature of the attack, alerts are raised by the services that monitor the availability of web services, by antivirus products, or by the sandboxing of apps. The endangered assets are corporate infrastructure and the firm’s reputation.
The company managed to keep the negative impact to a minimal level since it formed and maintained adequate backup plans for recovery. The company so far uses firewalls, web application firewalls (WAFs) and CDN-as-a-Service to protect its assets. A significant improvement would be the use of firewalls with integrated threat handling functionality and dynamic IP blocking lists, as well as cloud-based SaaS protection.


15. Fake payment requests to the financial department of an SME

A financial administration staff member with extensive experience and basic IT skills is employed in an SME. The daily tasks of this user include management of the financial department, work with payments, invoice management, etc. On a weekly basis, spam emails with suspicious attached files and spear phishing emails are received.
Sometimes the user receives fake mails written as if they come from the general manager, asking for large sums of money to be transferred as payments. In this case the user wants to be warned automatically and wants the addresses those emails come from to be blocked. Such emails represent a risk of losing financial resources (money), and also a risk to the firm’s reputation.
So far, the mail is checked for spam by hardware devices. When the user receives a suspicious mail and is not sure whether it is fake, he has to ask the IT people or the general manager. A real-time monitoring and notification system that warns the user if a mail asking for payment is a fake one, or notifies him that a mail was quarantined because it appears to be fake, could offer improved protection against this kind of cyber-attack.