Miika Sartonen, ... Jussi Timonen, in Emerging Cyber Threats and Cognitive Vulnerabilities, 2020
Target audience analysis (TAA) is an essential part of any influence operation. To convey a change in behaviour, the overall target population is systematically segmented into target audiences (TAs) according to their expected responsiveness to different types of influence and messages, as well as their expected ability to behave in a desired way.
The cyber domain poses a challenge to traditional TAA methods. Firstly, it is vast, complex and boundless, requiring effective algorithms to filter out relevant information within a meaningful timeframe. Secondly, it is constantly changing, representing a meshwork in formation, rather than a stable collection of TAA-specific data. The third challenge is that the TA consists not of people but of digital representations of individuals and groups, whose true identity, characteristics or location cannot usually be verified.
To address these challenges, the authors of this chapter suggest that the concept of TAA has to be revised for use in the cyber domain. Instead of trying to analyze physical people through the cyber interface, the authors have conceptualized an abstract entity whose physical identity might not be known but whose behavioural patterns can be observed in the cyber environment. These cyber personalities (some of which can be artificial in nature) construct and share their honest interpretation of reality, as well as their carefully planned narratives in the digital environment. From the viewpoint of TAA, the only relevant quality of these entities is their potential ability to contribute to the objectives of an influence operation.
As a first step, this chapter examines the cyber domain through a five-layer structure and looks at what TAA-relevant data are available for analysis. The authors also suggest a way of analyzing cyber personalities and their networks within adaptive TAs, to conduct a TAA that more effectively supports influence operations in the cyber domain.
The syntactic layer consists of the software that operates the devices of the physical layer (Sartonen et al., 2016). The corresponding cyber personality aspect is a virtual identity: a local user account on a computer or device. In other words, once a cyber personality starts using a new device (computer, mobile phone), a virtual identity has been created in the syntactic layer. A single virtual identity can provide access to multiple network identities, such as e-mail addresses or cloud-based user IDs, and can thus be the means of connecting multiple network identities to a single cyber personality. Linking a physical device, such as a computer on a campus or in a working place, to a virtual identity also provides demographic information about the physical identity of a cyber personality. The browser used by the cyber personality is also a good source of information. It can leave traces of past browsing and other information (such as user agent and operating system) (Wang, Lee, & Lu, 2016).
Again, conversely, supposing we have established a possible connection between the physical as well as the virtual identities of a cyber personality, we can assess the likelihood of the connection being real by comparing the information on both levels. Is the network usage pattern as expected and does it correspond with the physical trajectory? If there are discrepancies, it is possible that the cyber personality is fraudulent, such as an automated social media bot that is not utilizing a browser and is only focussing on application programming interface (Chu, Gianvecchio, Wang, & Jajodia, 2012). Discrepancies can also occur if a cyber personality uses different techniques, such as encryption (Gupta, Gupta, & Singhal, 2014) and TOR network (Haraty & Zantout, 2014), to avoid detection.