top of page

Victimology in CyberSecurity

Updated: Dec 30, 2022

Almost a third of businesses admitted that they have had a cyber security breach in the last 12 months. Varonis, cybersecurity experts with headquarters in New York and Tel Aviv, reported that in 2017, spear-phishing emails were employed by 71% of groups that staged cyber-attacks.

As shocking as it is that so many cyber-attacks are really due to human error or naivety, it has to be driven home that preventing the remaining 29% largely depend on your security team and procedures.

That means that for 29% of the time, by making sure that the security team is investigating and obviously preventing attacks, you stand a much better chance at preventing breaches.

The security team, in-house or out-sourced needs a concrete plan as well as a clearly defined methodology to better protect against the majority of attacks. One of these methods is known as ‘victimology’ and it lets security teams determine if they are handling a hack that is a standard phishing attack or a targeted offensive against the business.

Cyber Victimology is essentially when cyber professionals seek to understand and thereby identify the motives of hackers. An arduous process, this method is multi-pronged and looks at different types of email attacks and their origins over a period of time, usually around 25 days to one-month period of incubation and inspection.

One of the major questions being asked in a victimology investigation is:

Who are the attackers trying to attack? How often?

Taking a 360 degree look around the potential threat, security analysts will try to understand if the emails are sporadic or there is a coordinated pattern, basically are emails consistently being addressed to the same worker or department. As they are obviously unfamiliar with the company’s employees, the cybersecurity professionals build an excel list and see if let’s say for example, the finance department is consistently being targeted, which would obviously mean that the objectives behind the attack are at least partially financial as opposed to disruptive, ideological or to simply steal data.

Technical Analysis

A technical assessment is conducted to deploy the necessary countermeasures to stop regular email phishing attempts.

Professionals will look at the time of the events themselves as a clue, for example regimented emails sent daily are probably being sent by hackers that are systematically targeting multiple companies. For a company that receives a much more randomized pattern we could assume that the company is a specific target to the hacker and someone they are going to consistently try to break into, over and over- the hacker is focused on. If the attackers are changing recipients as different employees move in and out of the department, the organization may have a larger problem on their hands.

A security team will email scan it all and check if the same content is being used in each dispatch, which would include the malware, attachments and malicious code. The analysis allows the team to be prepared and prioritize vulnerabilities.

Building up your data sets

This investigation is ongoing, the security team will be analyzing targeted attacks, and they will be waiting for future hacking attempts. If attacks are generalized, patching the security gaps and cyber awareness training for staff will suffice for majority of the issues. If attacks are targeted, the company needs to strategize against that attacker. It will be critical to compare the next spear-phishing defense efforts to decide if the same hacker is targeting the company and what techniques they use.


Victimology investigations give concrete answers on being able to reassemble information at every level of a company for better security practices. Learning what assets the hackers are going after is a great way to create your security plan.

28 views0 comments

Recent Posts

See All


bottom of page