A Socio-Technical and Co-evolutionary Framework for Reducing Human-Related Risks in Cyber Security and Cybercrime Ecosystems

Islam, Tasmina; Becker, Ingolf; Posner, Rebecca; Ekblom, Paul; McGuire, Morgan; Borrion, Hervé; Li, Shujun

doi:10.1007/978-981-15-1304-6_22

Cited by 12 publications

(8 citation statements)

References 29 publications

(25 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The authors emphasise that where cause and effect are not immediately apparent, there can be a need to consult with and consider the perspectives of others within the system. The framework for reducing humanrelated risks developed by Islam et al [128] is motivated in part by the increased connectedness of individuals and technologies. The authors also approach cybercrime in terms of mobilising crime preventers within the system.…”

Section: Related Workmentioning

confidence: 99%

Identifying Unintended Harms of Cybersecurity Countermeasures

Chua

Parkin

Edwards

et al. 2019

2019 APWG Symposium on Electronic Crime Research (eCrime)

View full text Add to dashboard Cite

Well-meaning cybersecurity risk owners will deploy countermeasures (technologies or procedures) to manage risks to their services or systems. In some cases, those countermeasures will produce unintended consequences, which must then be addressed. Unintended consequences can potentially induce harm, adversely affecting user behaviour, user inclusion, or the infrastructure itself (including other services or countermeasures). Here we propose a framework for preemptively identifying unintended harms of risk countermeasures in cybersecurity. The framework identifies a series of unintended harms which go beyond technology alone, to consider the cyberphysical and sociotechnical space: displacement, insecure norms, additional costs, misuse, misclassification, amplification, and disruption. We demonstrate our framework through application to the complex, multi-stakeholder challenges associated with the prevention of cyberbullying as an applied example. Our framework aims to illuminate harmful consequences, not to paralyze decisionmaking, but so that potential unintended harms can be more thoroughly considered in risk management strategies. The framework can support identification and preemptive planning to identify vulnerable populations and preemptively insulate them from harm. There are opportunities to use the framework in coordinating risk management strategy across stakeholders in complex cyberphysical environments.

show abstract

Section: Related Workmentioning

confidence: 99%

Identifying Unintended Harms of Cybersecurity Countermeasures

Chua

Parkin

Edwards

et al. 2019

2019 APWG Symposium on Electronic Crime Research (eCrime)

View full text Add to dashboard Cite

show abstract

“…We can identify system vulnerabilities (such as for an OS environment, or a sociotechnical system) using the risk management variant of this approach, chiefly by identifying the parameters of a "good" system state, the goals and assets of the relevant stakeholders, and triggering events (criminal or mistaken) that counteract these goals as deviations from this state. Islam et al [83] propose such a framework for reducing human-related risks in sociotechnical systems.…”

Section: Crime Enablersmentioning

confidence: 99%

Bridging Information Security and Environmental Criminology Research to Better Mitigate Cybercrime

Ife¹,

Davies²,

Murdoch³

et al. 2019

Preprint

View full text Add to dashboard Cite

Cybercrime is a complex phenomenon that spans both technical and human aspects. As such, two disjoint areas have been studying the problem from separate angles: the information security community and the environmental criminology one. Despite the large body of work produced by these communities in the past years, the two research efforts have largely remained disjoint, with researchers on one side not benefitting from the advancements proposed by the other. In this paper, we argue that it would be beneficial for the information security community to look at the theories and systematic frameworks developed in environmental criminology to develop better mitigations against cybercrime. To this end, we provide an overview of the research from environmental criminology and how it has been applied to cybercrime. We then survey some of the research proposed in the information security domain, drawing explicit parallels between the proposed mitigations and environmental criminology theories, and presenting some examples of new mitigations against cybercrime. Finally, we discuss the concept of cyberplaces and propose a framework in order to define them.We discuss this as a potential research direction, taking into account both fields of research, in the hope of broadening interdisciplinary efforts in cybercrime research. CCS Concepts: • General and reference → Surveys and overviews; • Information systems → World Wide Web; • Security and privacy → Human and societal aspects of security and privacy; • Humancentered computing; • Applied computing;

show abstract

“…The potential for risk controls to harm legitimate users is pronounced in modern IT systems. The hyperconnectivity these systems embody [65] means that malicious and legitimate human activity in the same IT environment can have some of the same observable behaviours and use of the same infrastructure. For example, they can access online accounts through the same interface.…”

Section: Introductionmentioning

confidence: 99%

A cyber-risk framework for coordination of the prevention and preservation of behaviours1

Parkin

Chua

2022

JCS

View full text Add to dashboard Cite

Cybersecurity controls are deployed to manage risks posed by malicious behaviours or systems. What is not often considered or articulated is how cybersecurity controls may impact legitimate users (often those whose use of a managed system needs to be protected, and preserved). This oversight characterises the ‘blunt’ nature of many cybersecurity controls. Here we present a framework produced from consideration of concerns across methods from cybercrime opportunity reduction and behaviour change, and existing risk management guidelines. We illustrate the framework and its principles with a range of examples and potential applications, including management of suspicious emails in organizations, and social media controls. The framework describes a capacity to improve the precision of cybersecurity controls by examining shared determinants of negative and positive behaviours in a system. This identifies opportunities for risk owners to better protect legitimate users while simultaneously acting to prevent malicious activity in a managed system. We describe capabilities for a novel approach to managing sociotechnical cyber risk which can be integrated alongside elements of typical risk management processes. This includes consideration of user activities as a system asset to protect, and a consideration of how to engage with other stakeholders in the identification of behaviours to preserve in a system.

show abstract

A Socio-Technical and Co-evolutionary Framework for Reducing Human-Related Risks in Cyber Security and Cybercrime Ecosystems

Abstract: The version in the Kent Academic Repository may differ from the final published version. Users are advised to check http://kar.kent.ac.uk for the status of the paper. Users should always cite the published version of record.

Cited by 12 publications

References 29 publications

Identifying Unintended Harms of Cybersecurity Countermeasures

Identifying Unintended Harms of Cybersecurity Countermeasures

Bridging Information Security and Environmental Criminology Research to Better Mitigate Cybercrime

A cyber-risk framework for coordination of the prevention and preservation of behaviours1

Contact Info

Product

Resources

About