Identifying Unintended Harms of Cybersecurity Countermeasures

Abstract: Well-meaning cybersecurity risk owners will deploy countermeasures (technologies or procedures) to manage risks to their services or systems. In some cases, those countermeasures will produce unintended consequences, which must then be addressed. Unintended consequences can potentially induce harm, adversely affecting user behaviour, user inclusion, or the infrastructure itself (including other services or countermeasures). Here we propose a framework for preemptively identifying unintended harms of risk count… Show more

“…The authors posit that analytical tools are necessary to reduce these harms, and as part of risk assessment. Similarly, Chua et al [17] encourage risk managers to explore the potential for unintended harms to emerge as a result of their own risk controls. The authors' framework emphasises the need to support vulnerable populations who may experience harms if risk controls work against them rather than for them.…”

“…Risk controls in an IT environment potentially restrict behaviour, users, and infrastructure [17], in turn affecting actual user behaviour, through their representations in IT systems. A risk owner making decisions about IT-security and related technical systems is unlikely to have a direct view of what users are doing.…”

“…privacy risk management practices is that if a control is well-intentioned, it will not do any harm to those it is meant to protect. Cyber threats can impose a range of different harms upon legitimate users [3], however so can cybersecurity risk controls if not carefully considered [17]. This can result in e.g., legitimate users being removed from a system, or their activity being misclassified.…”

Refining the Blunt Instruments of Cybersecurity: A Framework to Coordinate Prevention and Preservation of Behaviours

“…The authors posit that analytical tools are necessary to reduce these harms, and as part of risk assessment. Similarly, Chua et al [17] encourage risk managers to explore the potential for unintended harms to emerge as a result of their own risk controls. The authors' framework emphasises the need to support vulnerable populations who may experience harms if risk controls work against them rather than for them.…”

“…Risk controls in an IT environment potentially restrict behaviour, users, and infrastructure [17], in turn affecting actual user behaviour, through their representations in IT systems. A risk owner making decisions about IT-security and related technical systems is unlikely to have a direct view of what users are doing.…”

“…privacy risk management practices is that if a control is well-intentioned, it will not do any harm to those it is meant to protect. Cyber threats can impose a range of different harms upon legitimate users [3], however so can cybersecurity risk controls if not carefully considered [17]. This can result in e.g., legitimate users being removed from a system, or their activity being misclassified.…”

Refining the Blunt Instruments of Cybersecurity: A Framework to Coordinate Prevention and Preservation of Behaviours

“…For registered domains, an incorrect decision may have unintended adverse effects [23], [42]. In case of the seizure of a benign domain, its legitimate owner can no longer provide its service to end users.…”

“…By using the mean, we do not attach any statistical meaning to the absence of data and do not skew the distribution. (19)(20)(21)(22)(30)(31)(32)(33)(34)(35)(36) are set to zero and binary feature values (23)(24)(25)(26)(27)(28)(29) to false as no data means that DNS records for the domain were never queried, suggesting unpopularity. Table IX presents the performance metrics of the machine learning algorithms that we evaluate in Section V-B, for a base ensemble model trained and tested on the initial 2017 iteration.…”

A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints

Tracking Without Traces—Fingerprinting in an Era of Individualism and Complexity