1,055 research outputs found

    Moving from a "human-as-problem" to a "human-as-solution" cybersecurity mindset

    Cybersecurity has gained prominence, with a number of widely publicised security incidents, hacking attacks and data breaches reaching the news over the last few years. The escalation in the numbers of cyber incidents shows no sign of abating, and it seems appropriate to take a look at the way cybersecurity is conceptualised and to consider whether there is a need for a mindset change. To consider this question, we applied a "problematization" approach to assess current conceptualisations of the cybersecurity problem by government, industry and hackers. Our analysis revealed that individual human actors, in a variety of roles, are generally considered to be "a problem". We also discovered that deployed solutions primarily focus on preventing adverse events by building resistance: i.e. implementing new security layers and policies that control humans and constrain their problematic behaviours. In essence, this treats all humans in the system as if they might well be malicious actors, and the solutions are designed to prevent their ill-advised behaviours. Given the continuing incidences of data breaches and successful hacks, it seems wise to rethink the status quo approach, which we refer to as "Cybersecurity, Currently". In particular, we suggest that there is a need to reconsider the core assumptions and characterisations of the well-intentioned human's role in the cybersecurity socio-technical system. Treating everyone as a problem does not seem to work, given the current cyber security landscape. Benefiting from research in other fields, we propose a new mindset i.e. "Cybersecurity, Differently". This approach rests on recognition of the fact that the problem is actually the high complexity, interconnectedness and emergent qualities of socio-technical systems. The "differently" mindset acknowledges the well-intentioned human's ability to be an important contributor to organisational cybersecurity, as well as their potential to be "part of the solution" rather than "the problem". In essence, this new approach initially treats all humans in the system as if they are well-intentioned. The focus is on enhancing factors that contribute to positive outcomes and resilience. We conclude by proposing a set of key principles and, with the help of a prototypical fictional organisation, consider how this mindset could enhance and improve cybersecurity across the socio-technical system.

    Improving Cybercrime Reporting in Scotland : A Systematic Literature Review

    I have explored how to improve cybercrime reporting in Scotland by conducting a systematic literature review. Due to the lack of data on Scotland, I have frequently extrapolated from both the UK and the West. The research questions were: 1. What is known about cybercrime in the UK to date? 2. What is known about cybercrime victims in the UK to date? 3. What is known about cybercrime reporting to date? The answers were retrieved by combining Boolean variables with keywords into Scopus, Web of Science and ProQuest. This resulted in the analysis of 100 peer-reviewed articles. The analysis revealed a common trend, a novel taxonomy and an original conclusion. The common trend is that of responsibilisation, which is the shifting of responsibility for policing cybercrime from the government onto the citizens and private sector. The novel taxonomy is for classifying cybercrime reporting systems according to three pillars, which I referred to as Human-To-Human (H2H), Human-To-Machine (H2M) and Machine-To-Machine (M2M). The original conclusion is that to improve cybercrime reporting in Scotland, the process needs to be treated also as a social one rather than a purely mathematical one.

    Critically analyse the approaches to GDPR and DPA2018 compliance within the UK Further Education sector

    On 25 May 2018 “the most monumental pan‐European regulation in the last decade” (Layton and Celant 2017), the General Data Protection Regulation became enforceable alongside a revision to the Data Protection Act. The regulation governs the use of personal data throughout Europe having impact on private, public and charitable organisations globally. The study focuses on one sector - the UK Further Education sector - who provide training and qualifications to 2.2 million young people and adults annually (Association of Colleges 2019). Filling the void between schools and universities, the Further Education sector is unique in the challenges they face when ensuring compliance with this new legislation. These challenges include the application of legislation, noting key differences between the nations of the UK, and the moral duties placed upon the provider by parents who expect open dialogue with the education provider, consistent as happened with lower levels of education. This must be balanced with the student’s right to data privacy and control over who can access their educational records. The study is a first of its kind, critically analysing the approaches by Further Education providers to become and subsequently maintain compliance with the General Data Protection Regulation and the Data Protection Act. It highlights the impact on the provider, its staff and students. The research is significant because until now, data practitioners and senior managers have had no clear guidance from the Information Commissioner’s Office or the Department for Education on how the General Data Protection Regulation applies to the Further Education sector. The research provides baseline data to show the current landscape of compliance with the new data protection legislation, highlighting best practice and common challenges as providers continue on a journey towards compliance.

    Unmanned Remotely Operated Search and Rescue Ships in the Canadian Arctic: Exploring the Opportunities, Risk Dimensions and Governance Implications

    This chapter is a proactive risk exploration of hypothetical remotely operated search and rescue (SAR) ships in the Canadian Arctic. The harsh and remote environment in the region, combined with complicated coastlines and many uncharted or poorly charted traffic routes, makes it one of the most challenging SAR areas. Canada has committed itself to safety, environmental protection and sovereign presence in the area by maintaining joint SAR centres of federal government departments and mobilizing private volunteers. The characteristics of Canadian SAR response in the Arctic rest with its high dependency on heavy equipment such as aircraft, helicopters and icebreakers, entailing prolonged hours of response time. As recent climate change impacts and maritime traffic increase in the northern waters disclose safety gaps, innovation in SAR assets is anticipated. The safety gaps may be filled by state-of-the-art remote control technology. This chapter discusses remotely operated unmanned ships for SAR response, exploring their opportunities, risk dimensions and governance implications.

    University Responses to Digitalization at the Start of Covid-19 - Cases in Scotland

    Purpose: This paper seeks to investigate some of the ongoing issues faced by Scottish and other universities in moving their teaching of under- and postgraduates rapidly online during the Covid-19 pandemic of 2020. Design/methodology/approach: A review of academic and policy literature is followed by a series of interviews with university staff involved in online teaching and learning. Findings: For most institutions and organisations, the pandemic has accelerated the speed of embedding digital ways of working. This has led to a recognition of the need for practically-focused effective inclusive interventions. These need to be designed and offered more widely to reach individuals from disadvantaged backgrounds and with low level of skills or qualifications and from older age groups. Effort is needed by policy-makers and HEI to better understand challenges and unintended consequences digital learning and working poses. Originality/value of the paper: This is an early paper to consider the impact of Covid-19 on the acceleration towards greater university online teaching. Research limitations/implications (if applicable): The range of interviewees is limited to one organisation and a wider range of university staff and types of organisation may add additional insights. Practical implications (if applicable): Insights from the interviews suggest ways of responding to increasing online teaching and learning in universities.

    Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1)

    In 2014 NATO’s Center of Excellence-Defence Against Terrorism (COE-DAT) launched the inaugural course on “Critical Infrastructure Protection Against Terrorist Attacks.” As this course garnered increased attendance and interest, the core lecturer team felt the need to update the course in critical infrastructure (CI) taking into account the shift from an emphasis on “protection” of CI assets to “security and resiliency.” What was lacking in the fields of academe, emergency management, and the industry practitioner community was a handbook that leveraged the collective subject matter expertise of the core lecturer team, a handbook that could serve to educate government leaders, state and private-sector owners and operators of critical infrastructure, academicians, and policymakers in NATO and partner countries. Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency is the culmination of such an effort, the first major collaborative research project under a Memorandum of Understanding between the US Army War College Strategic Studies Institute (SSI), and NATO COE-DAT. The research project began in October 2020 with a series of four workshops hosted by SSI. The draft chapters for the book were completed in late January 2022. Little did the research team envision the Russian invasion of Ukraine in February this year. The Russian occupation of the Zaporizhzhya nuclear power plant, successive missile attacks against Ukraine’s electric generation and distribution facilities, rail transport, and cyberattacks against almost every sector of the country’s critical infrastructure have been on world display. Russian use of its gas supplies as a means of economic warfare against Europe—designed to undermine NATO unity and support for Ukraine—is another timely example of why adversaries, nation-states, and terrorists alike target critical infrastructure. 
Hence, the need for public-private sector partnerships to secure that infrastructure and build the resiliency to sustain it when attacked. Ukraine also highlights the need for NATO allies to understand where vulnerabilities exist in host nation infrastructure that will undermine collective defense and give more urgency to redressing and mitigating those fissures.

    Cybersecurity insights gleaned from world religions

    Organisations craft and disseminate security policies, encoding the actions they want employees to take to preserve and protect organisational information resources. They engage in regular cybersecurity awareness and training drives to ensure that employees know what to do, and how to do it. Despite these efforts, employees make mistakes or do not comply with policy dictates, triggering cybersecurity incidents. The reality is that whereas cyber professionals propose, human nature disposes. In addressing this kind of conundrum, researchers suggest that it could be beneficial to learn from the established practices of other domains that also grapple with erratic human behaviours. This seems reasonable, given that cybersecurity is a relatively young field, and not yet particularly successful in accommodating human nature and fallibility, whereas other fields have years of experience coping with these kinds of problems. Here, we consider learning from religions, which have been around for millennia. The one aspect that all understand is human nature, and the tendency of humans to make mistakes and behave ill-advisedly, sometimes despite knowing better. Religions have developed a number of practices to accommodate human frailties, and to care for their adherents. This might well be a fruitful domain for cybersecurity professionals to learn from, in terms of harnessing effective mechanisms to encourage secure behaviours. To this end, we explored the literature on religions, and interviewed a number of religious leaders to produce a ‘vision for cybersecurity’. The vision was evaluated by cybersecurity professionals, its target audience. We provide our vision here, in the hope that it will launch a debate into a more equitable new era of ‘best practice’ in the cybersecurity domain.