SHARE

Insights Analysis – Online Conversations about Cyber security in 2017

IN Insights Reports

Introduction

Right Relevance (RR) provides curated information and intelligence on ~50 thousand topics. This includes:

Topic relationships including related topics & semantic information like synonyms.
Topical influencers (~2.5M) with score and rank.
Topical content and information in the form of articles, videos and conversations.

Additionally, Right Relevance provides an Insights offering that combines the above Topics and Influencers information with real time conversations to provide actionable intelligence with visualizations to enable decision making. The Insights service is applicable to events like elections, emerging technologies, issues/activism, conferences, product launches etc.

This report is a summary of graph analysis of engagements and conversations including retweets, mentions and replies of tweets related to ‘Cybersecurity’.

Data & Duration

The report leverages tweets sampled from April 20th to May 23rd 2017 and along with Right Relevance topics, topical communities’ and articles data form the basis for the analysis.

Note: The anlaysis is based on EN-only (English) data.

The phrases used for gathering tweets are: “cybersecurity”, “cyber security”

The use of above phrases, incuding exclusion of synonyms like ‘information security’, ‘computer security’ and other terms which effectively mean the same, is deliberate to keep focus on policy and executive (CISO/CIO/CTO) information scope instead of security from engineering perspective, though that’s not excluded.

Most of the summary report is extracted from the analysis collateral in the form of:

Tableau Online Dashboard: Visualizes graph analysis results via charts and tables. Insights include flocks, top trending terms, top hashtags, top Users/accounts, RR topics, top tweets and several other measures. Faceting is supported per flock, RR topic and Twitter/RR account.
Gephi Communities Graph Visual: Extracts are shown below.

For access to Tableau and the complete graphs please email [email protected].

Cyber security Communities Graph

Community detection graph algorithms like Walktrap and InfoMap are used to identify communities (as sub-graphs) in our engagements graph built using Neo4j & R. Graph visualizations are done via Gephi.

The all engagements graph, which includes mentions, is dense with one large engaged subgraph/community and set of smaller communties. The WannaCry ransomware attack, starting on May 12th 2017 fell in the sampled timeframe. It became the the single largest topic of discussion leading to one large dense community overpowering other discussions. Hence, the RTs-only graph (Fig 1) was selected for analysis to be able to extract smaller communities/subgraphs along with other topics of discussion more clearly.

Figure 1: RTs-only Gephi snapshot

Open the zoomable clickable RT graph

The RTs-only graph shows:

A large central community (purple) which is mixed with other smaller communities. This is primairly due to WannaCry ransomware attack being the main topic of discussion across several smaller communities.
A fairly substantial personal branding community (green) around Evan Kirstel (@evankirstel), Mike Quindazzi (@MikeQuindazzi), ipfconline (@ipfconline1) et al.
Small but active community (yellow) around the UK NHS attack political fallout around Jonathan Ashworth (@JonAshworth).
Several small communities in dark blue, orange, red and dark green that will be outlined below.

Top Themes

Latent Dirichlet allocation (LDA) based text analysis of the tweets is used for identifying high value trending terms. These along with hashtags and Right Relevance topics form the basis for identifying top conversation themes during the analysis timeframe.

Fig 2 shows the top trending terms, RR topics and hashtags for conversations around ‘cybersecurity’ during the timeframe monitored.

Figure 2: Top Trending terms, Hashtags and RR Topics

The top trending terms, hashtags and RR topics brings out the following as the top themes:

WannaCry ransomware attack. This became by far the biggest issue and overwhelmed other themes.
UK NHS is a highly active topic in general, and being one of the primary targets of WannaCry ransomware attack, it was a major theme.
Trump’s ‘Presidential Executive Order’ on strenghtening Federal cyber security.
ML, AI application to cyber security
Google phishing attack.

Top Tweets

The top two tweets (Fig 3) during this timeframe show the ‘Presidential Executive Order’ and WannaCry ransomware attack esp. on the UK NHS being the events with most engagements.

Figure 3: Top ‘cybersecurity’ Tweets

Accounts via RR Topic Facets

Using RR topics facets (via Tableau dashboard here) is a great way to pinpoint the top accounts connected to a given conversation theme. The top influencer accounts for ‘cybercrime’ and ‘malware’ within the context of ‘cyber security’ are outlined below.

The top ‘Cybersecurity– Cybercrime’ conversation related accounts are DHS Cybersecurity (@cyber), Joseph Marks (@Joseph_Marks_), Symantec (@symantec), CSOonline (@CSOonline), Digital Forensics (@CyberExaminer) and DarkReading (@DarkReading).

The top ‘Cybersecurity– Malware’ conversation related accounts are MalwareTechBlog (@MalwareTechBlog), CyberWarrior (@CyberDomain), CSOonline (@CSOonline), Digital Forensics (@CyberExaminer), DarkReading (@DarkReading), Evan Vanderburg (@evanderburg) and Kaspersky Lab (@kaspersky).

More themes will be explored as part of the flock analysis later in the report.

Topical Influence: Tribes

Measuring influence is not deterministic. It’s a subjective task with numerous different methodologies and is generally relatively dynamic and ephemeral in nature. Right Relevance platform measures users/accounts influence in 2 distinct ways: topical & engagement-based.

Right Relevance algorithmically mines web content and social media at scale to determine topics and influencers and produce a measure of influence per topic termed as ‘topical influence’. Unstructured text, network connections, social signals along with semantic data, ML, NLP are leveraged to produce two sets of information; a set of ‘structured topics’ (~50K) with semantic information and; a connected graph of scored ranked influencers for each of these structured topics we call ‘topical influencers’ or Tribes.

Cyber security is a structured topic in the Right Relevance platform with the following metadata (Fig 6) returned by the RR Topics Metadata API of the RR API offering.

The first two related topics (Fig 6), ‘information security’ and ‘computer security’, are bascially the same as ‘cyber security’. Fig 6 also provides a list of the top 10 Right Relevance ‘cyber security’ influencers along with the top 10 domains where influencers post about ‘cyber security’.

Engagements-based Influence

Right Relevance ‘engagement influence’ measures are calculated by a set of graph analysis algorithms that measure the quality and quantity of engagements (RTs, mentions, replies), reach of tweets etc. within the context of a subject (event, trend etc.).

We apply several methods including PageRank and Betweeness centrality to measure Flock influence. The meaning of rankings within this methodology are documented at Twitter Conversation Performance Measures.

Top PageRank & Overall Influence Measures

The first two lists (Fig 7) are of the top 30 accounts by PageRank & Overall measures.

Overall rank is a normalized rank to reduce the skew towards users with large numbers of followers or a single tweet having a large number of engagements/RTs (often referred to as becoming ‘viral’).

PageRank brings up Donald Trump (@realDonaldTrump), NCSC UK (@ncsc), Homeland Security (@DHSgov), Forbes (@Forbes) and DHS Cybersecurity (@cyber) as the top 5. The extremely high number of followers for some of these accounts, Trump and Forbes in particular, lead to much higher engagements, thus leading to them bubbling up close to the top. This exposes the susceptibility of simple PageRank to high followers count and/or high reach (RT etc.) of one tweet.

The top Overall measure, in spite of the normalized nature, doesn’t bring up many new interesting accounts to the top.

The results above lead to other measures becoming important to measure influence as discussed below.

Top Connectors: Betweenness Centrality

The ‘Top Connectors’ list (Fig 8) shows the top 30 accounts based on the ‘Betweenness Centrality’ measure.

Betweenness centrality, which is a measure of the degree to which a node forms a bridge or critical link between all other users. We use this as a measure of influence wrt value in being information and/or communication hubs.

The top accounts like Bob Carver (@cybersecboardrm), CyberTaters (@CyberTaters), Marc R Gagn (@OttLegalRebels), Evan Kirstel (@evankirstel), ipfconline (@ipfconline1), Shawn Tuma (@shawnetuma), Ludmila MorozovaBuss (@TopCyberNews), ITSPmagazine (@ITSPmagazine), Ian Fagan (@I_Fagan) and Alan Woodward (@ProfWoodward) are generally analysts, PR, advisors, publishers, personal branding experts etc. who have built up influence and value as news and information hubs in the ‘cybersecurity’ domain.

The value of this measure lies in that it bubbles up accounts with potentially real influence in terms of news and information dissemination on a given subject.

Interesting “Flocks”

The engagements or “flocking” in the context of a subject (topic, event etc.) can lead to building of temporal communities with local influence that is not obvious by the standalone influence of the individuals or without the context of the event. The subgraphs aka communities formed by applying community detection graph algorithms are termed as ‘Flocks’.

As seen in the RTs-only graph in Fig 1, there is one large engaged community with few smaller scattered communities. Flocks generally align well with the subgraphs aka communities noted in the graph.

Note: Flocks are named after the account with the highest PageRank in the flock.

The first flock, realDonaldTrump, is a mix of the ‘wannacry ransomware’ conversation with the 1 extremely high engagement tweet (Fig 3) ”Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure’ by Donald Trump (@realDonaldTrump). Due to the mix caused by 1 high engagement relevant tweet and a major breaking event, this flock doesn’t seem interesting from Insights pov.

Some other interesting flocks are outlined below.

Flock: ‘cybersecboardrm’

Wannacry ransomware is the driving theme behind several flocks. Trending terms (fig 9) show that ‘cybersecboardrm’ is the leading flock for this.

The center of the RTs-only graph in purple visualizes the primary community for this flock.

The top users for this flock are Bob Carver (@cybersecboardrm), CyberWarrior (@CyberDomain), Marco Essomba (@marcoessomba), NCSC UK (@ncsc), Kenneth Holley (@kennethholley) among others (fig 11).

Flock: evankirstel

Based on the hashtags and RR topics like IoT, AI, big data, fintech, blockchain/bitcoint/banking etc. mixed with cybersecurity, this seems like the analysts, personal branding, PR, publishers, advisors etc. flock. They cover a broad spectrum of topics as part of the general advisory nature to C-suite executives.

Top users of this flock, Evan Kirstel (@evankirstel), ipfconline (@ipfconline1), Spiros Margaris (@SpirosMargaris), Ludmila MorozovaBuss (@TopCyberNews), Sarah Todd (@Sarahetodd), Mike Quindazzi (@MikeQuindazzi), Marc R Gagn (@OttLegalRebels) etc. are active across several upcoming and connected areas like IoT, Blockchain, Devops etc. among others.

Fig 13 visualizes the primary community for this flock in the RTs-only graph.

Flock: JonAshworth

The top trending terms and RR topics show the focus of this flock is the UK NHS (National Health Service) as it was among the first and largest targets of ‘wannacry ransomeware’.

Figure 14: Top Trending Terms & RR Topics for flock ‘JonAshworth’

The ‘JonAshworth’ flock is especially focused on the UK political angle and fallout after the attack. The top tweets (fig 15) are all clustered around this theme.