Typologies demystified – what are they and why are they important?

What are typologies and what role do they perform?

The term ‘typology’ is used in the sciences and social sciences and can be defined as “a system for dividing things into different types”. According to Solomon (1977) “a criminal typology offers a means of developing general summary statements concerning observed facts about a particular class of criminals who are sufficiently homogenous to be treated as a type“. Use of the term ‘typology’ in this way apparently dates back to the Italian criminologist Cesare Lombroso (1835–1909).

As we see the increasing convergence of financial crime, cybersecurity and physical threat detection in domains such as insider threats or fraud, it becomes increasingly important to have an end-to-end understanding of the path and actions that ‘bad actors’ must take to realise their objective, as well as other factors such as offender attributes / characteristics, motive, and overall threat posed. Amongst other things, constructing a fraud or insider threat typology requires a good understanding of how and where an organisation’s normal business processes can be exploited, including an understanding of the systems and data needed by offenders to be successful.

How do typologies, modus operandi and TTPs differ?

The disciplines of fraud, cybersecurity, intelligence analysis, security risk analysis and others have largely evolved in isolation from each other, because this is the way we design organisations: by functional specialisation, which aligns to employee positions, rather than by threat, which would align to the criminals targeting the organisation. This has given rise to a variety of different terms and approaches to doing effectively the same thing.


As disciplines converge, driven by the need for an end-to-end view of a threat in order to facilitate timely detection, professionals across these domains need to understand the practices and lexicon used by their peers. In my experience and from research, a typology provides a broad overview of the threat and comprises multiple data points, including but not limited to the Modus Operandi / TTPs:

Modus Operandi (MO) and Tactics, Techniques, and Procedures (TTPs) are effectively the same thing in practice: both refer to the way a crime (or attack) is executed. The one difference is their origin: MO has its roots in criminal law, whereas TTPs come from the military and today are heavily referenced in cybersecurity:

  • Tactics, Techniques and Procedures (TTPs) – “The behavior of an actor. A tactic is the highest-level description of this behavior, while techniques give a more detailed description of behavior in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique.” (NIST SP 800-150)
  • Modus Operandi (MO) – Latin meaning “mode of operating.” “In criminal law, modus operandi refers to a method of operation or pattern of criminal behavior so distinctive that separate crimes or wrongful conduct are recognised as the work of the same person” (Cornell Law School). For example, “it was argued that these features were sufficiently similar such that it was improbable that robberies with those features were committed by persons other than the respondents” (NSW Judicial Commission).

Everything we do leaves a trail, including in the digital world (often referred to as ‘digital exhaust’). Detecting a potential bad actor’s trail to prevent insider threats, financial crime and cybercrime requires both (a) understanding what to look for (which can comprise very subtle, highly nuanced signs amongst a sea of data), and (b) having tools sensitive and fast enough to collect, process and analyse these signs so as to prompt a response.

My favourite analogy for a typology is a recipe: If I am going to bake a cake, the typology is to a data scientist (who designs and runs the analytics models for detection) what the recipe is to the baker. In contrast, intelligence analysts are the recipe writers – they understand all the ingredients and how they need to come together. The skills of data scientists and intelligence professionals are complementary.

How do they relate to risks?

Should you choose to perform more research into the concept of typologies in criminology, you will find they can be developed for just about anything. But in the case of insider threats, financial crime and cybercrime, we are only interested in those threats which directly impact our respective organisation, customers, products, systems or assets. This means we need to link them to risks: Whilst we can develop other typologies, if the materialisation of the threat does not result in a risk to the organisation, then the exercise may be pointless.

To develop a typology that is capable of being used in an advanced analytics-based detection system, the typology needs to be as specific as possible. This means a typology should be developed for a specific, highly detailed risk (i.e. a 4th-level risk). It is common to find one or more typologies associated with each 4th-level risk. The following figure illustrates the relationship between risks, typologies and analytics-based detection models, which generate ‘alerts’ (cases) for disposition and potential investigation:

Figure: how typologies bridge the gap between risks and analytics-based detection (author: Paul Curwell, 2022, (c))

Throughout my career I have worked with many typologies, and one of my early learnings was that typologies are highly contextualised. For example, an employee who has resigned, works in sales and whose job involves sending brochures to a prospective customer’s email address is not a problem, whilst an employee who has access to sensitive trade secrets and sends emails with attachments to a personal email address may well be.

Typologies need to address this level of specificity, which is part of the reason for aligning them to 4th level risks. Good typologies also include indicators specific to the parties involved in the activity, the context of the activity, and the associated threat.

What are the components of a typology and why?

Writing good typologies is hard (I refer to them as ‘deceptively simple’). Some typologies are quite generic, written so as to be implemented by any reader with any detection system (examples include those written for Anti-Money Laundering or Counter-Terrorist Financing by bodies such as FATF, FinCEN and AUSTRAC). Substantial work can be required to take these more generic typologies and implement them; sometimes this even requires a complete rewrite.

Irrespective, there are a number of fundamental components of any typology. Note however, that some required fields will be specific to the detection system used (i.e. they may be required as inputs to design or build the models):

  • Typology name
  • Threat actor details (perpetrator, group affiliation, threat type etc)
  • Target(s)
  • Description of how the attack is perpetrated
  • Illustration (e.g. process map) for how the attack is perpetrated
  • Indicators (contextual, threat and party specific)
  • Data sources for each indicator
  • Description of the steps required for investigation and any associated analytical techniques

In my opinion, a typology is ‘finished’ when it can be readily understood and converted to an analytics-based detection model by a data scientist with minimal rework or clarification being required. Often intelligence professionals (who are the experts in a particular threat) write typologies and hand them over to a data scientist, who then needs to become another expert in the threat to implement them! This is not a valuable use of resources and should be avoided. There will always be gaps in intelligence, and threat actors keep changing to avoid detection, so a typology may never be 100% complete; but it should be written in a manner that addresses the information and design needs of its intended audience (i.e. data scientists, investigators and risk managers).

When building your typology library, it is good practice to map these to your 4th level risks to identify potential detection gaps. Steps involved in writing a typology will be explored in future posts.
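To make the components above, the contextual email example, and the mapping to 4th-level risks concrete, here is an added example in Python. It is not code from the original post or from any product the post describes: it models a typology record with the listed components, encodes the departing-employee scenario as a constructed typology aligned to a hypothetical 4th-level risk ID, runs its indicators over constructed email-gateway events joined with HR and IAM context, and checks a small typology library against a hypothetical risk register for detection gaps. All field names, risk IDs, webmail domains and events are assumptions.

```python
# Added example, not code from the original post. A typology record built from
# the components listed in the post, one constructed insider-threat typology
# aligned to a hypothetical 4th-level risk, a detection pass over constructed
# email-gateway events, and a coverage check of the typology library against a
# risk register. Risk IDs, domains, field names and events are all assumptions.
from dataclasses import dataclass
from typing import Callable

Event = dict  # one constructed email-gateway event joined with HR/IAM context


@dataclass
class Indicator:
    name: str
    kind: str                       # "party", "contextual" or "threat"
    data_source: str                # where an analyst would source this signal
    check: Callable[[Event], bool]  # the model logic the data scientist implements


@dataclass
class Typology:
    name: str
    risk_id: str                    # 4th-level risk the typology is aligned to
    threat_actor: str
    targets: list
    description: str
    process_steps: list             # text stand-in for the process map
    indicators: list
    investigation_steps: list


PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # constructed list


def recipient_domain(event):
    return event["recipient"].rsplit("@", 1)[-1].lower()


# Constructed typology for the departing-employee scenario described in the post.
EXFIL_BY_DEPARTING_EMPLOYEE = Typology(
    name="Trade-secret exfiltration by departing employee via personal webmail",
    risk_id="R-4.12",  # hypothetical 4th-level risk: loss of trade secrets via email
    threat_actor="Insider: employee who has resigned",
    targets=["trade secrets", "product designs"],
    description="An employee with access to trade secrets emails attachments "
                "to a personal webmail address during the notice period.",
    process_steps=["resign", "open sensitive files", "attach to email",
                   "send to personal webmail domain"],
    indicators=[
        Indicator("employee has resigned", "party", "HR system",
                  lambda e: e["resigned"]),
        Indicator("holds trade-secret access", "contextual", "IAM entitlements",
                  lambda e: e["trade_secret_access"]),
        Indicator("attachment to personal webmail", "threat", "email gateway",
                  lambda e: e["has_attachment"]
                  and recipient_domain(e) in PERSONAL_WEBMAIL),
    ],
    investigation_steps=["retrieve attachment from gateway quarantine",
                         "review 30 days of sender's outbound mail",
                         "confirm entitlements and resignation date with HR"],
)


def matched_indicators(typology, event):
    """Names of the typology's indicators that this event satisfies."""
    return [i.name for i in typology.indicators if i.check(event)]


def run_detection(typology, events):
    """Raise an alert (case) only when every indicator in the typology is met;
    partial matches are returned separately so the context is not lost."""
    alerts, partials = [], []
    for e in events:
        hits = matched_indicators(typology, e)
        if len(hits) == len(typology.indicators):
            alerts.append({"risk_id": typology.risk_id, "typology": typology.name,
                           "sender": e["sender"], "indicators": hits})
        elif hits:
            partials.append((e["sender"], hits))
    return alerts, partials


# Constructed events mirroring the two situations described in the post.
EVENTS = [
    {"sender": "sales01", "recipient": "prospect@gmail.com", "has_attachment": True,
     "resigned": True, "trade_secret_access": False},      # brochure to a prospect
    {"sender": "rnd07", "recipient": "me.private@outlook.com", "has_attachment": True,
     "resigned": True, "trade_secret_access": True},       # the case to alert on
    {"sender": "rnd03", "recipient": "colleague@partner.example", "has_attachment": True,
     "resigned": False, "trade_secret_access": True},      # business as usual
]


def detection_gaps(risk_register, library):
    """4th-level risks in the register with no typology mapped to them."""
    covered = {t.risk_id for t in library}
    return [r for r in risk_register if r not in covered]


RISK_REGISTER = ["R-4.11", "R-4.12", "R-4.13"]  # hypothetical 4th-level risk IDs
LIBRARY = [EXFIL_BY_DEPARTING_EMPLOYEE]

if __name__ == "__main__":
    alerts, partials = run_detection(EXFIL_BY_DEPARTING_EMPLOYEE, EVENTS)
    print("alerts:", alerts)
    print("partial matches:", partials)
    print("risks with no typology:", detection_gaps(RISK_REGISTER, LIBRARY))
```

Only the resigned R&D sender with trade-secret access and a personal-webmail recipient produces an alert; the resigned sales employee emailing a brochure matches two indicators but not the contextual one, so it stays a partial match rather than a case. The gap check then shows that two of the three registered 4th-level risks have no typology, which is the detection gap the mapping exercise is meant to surface.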
