2,321 research outputs found

    Cybersecurity: mapping the ethical terrain

    This edited collection examines the ethical trade-offs involved in cybersecurity: between security and privacy; individual rights and the good of a society; and between the types of burdens placed on particular groups in order to protect others.

    Foreword: Governments and society are increasingly reliant on cyber systems. Yet the more reliant we are upon cyber systems, the more vulnerable we are to serious harm should these systems be attacked or used in an attack. This problem of reliance and vulnerability is driving a concern with securing cyberspace. For example, a ‘cybersecurity’ team now forms part of the US Secret Service. Its job is to respond to cyber-attacks in specific environments such as elevators in a building that hosts politically vulnerable individuals, for example, state representatives. Cybersecurity aims to protect cyberinfrastructure from cyber-attacks; the concerning aspect of the threat from cyber-attack is the potential for serious harm that damage to cyber-infrastructure presents to resources and people. These types of threats to cybersecurity might simply target information and communication systems: a distributed denial of service (DDoS) attack on a government website does not harm a website in any direct way, but prevents its normal use by stifling the ability of users to connect to the site. Alternatively, cyber-attacks might disrupt physical devices or resources, such as the Stuxnet virus, which caused the malfunction and destruction of Iranian nuclear centrifuges. Cyber-attacks might also enhance activities that are enabled through cyberspace, such as the use of online media by extremists to recruit members and promote radicalisation. Cyber-attacks are diverse: as a result, cybersecurity requires a comparable diversity of approaches.
    Cyber-attacks can have powerful impacts on people’s lives, and so—in liberal democratic societies at least—governments have a duty to ensure cybersecurity in order to protect the inhabitants within their own jurisdiction and, arguably, the people of other nations. But, as recent events following the revelations of Edward Snowden have demonstrated, there is a risk that the governmental pursuit of cybersecurity might overstep the mark and subvert fundamental privacy rights. Popular comment on these episodes advocates transparency of government processes, yet given that cybersecurity risks represent major challenges to national security, it is unlikely that simple transparency will suffice. Managing the risks of cybersecurity involves trade-offs: between security and privacy; individual rights and the good of a society; and types of burdens placed on particular groups in order to protect others. These trade-offs are often ethical trade-offs, involving questions of how we act, what values we should aim to promote, and what means of anticipating and responding to the risks are reasonably—and publicly—justifiable. This Occasional Paper (prepared for the National Security College) provides a brief conceptual analysis of cybersecurity, demonstrates the relevance of ethics to cybersecurity and outlines various ways in which to approach ethical decision-making when responding to cyber-attacks.

    The social psychology of cybersecurity

    Cybersecurity incidents may seem very technological in nature, but ultimately the hackers and the organisations they target are people, with their own goals, influences and beliefs. There is a danger of relying on lazy stereotypes of those involved in cybersecurity, or taking the Hollywood portrayals of hackers and cybersecurity experts as fact. Our research aims to explore the social psychological factors of this increasingly important societal issue, as well as inputting into the discussion about where psychologists should place themselves in what can be a controversial and morally complex topic.

    Harnessing Large Language Models to Simulate Realistic Human Responses to Social Engineering Attacks: A Case Study

    The research publication, “Generative Agents: Interactive Simulacra of Human Behavior,” by Stanford and Google in 2023 established that large language models (LLMs) such as GPT-4 can generate interactive agents with credible and emergent human-like behaviors. However, their application in simulating human responses in cybersecurity scenarios, particularly in social engineering attacks, remains unexplored. In addressing that gap, this study explores the potential of LLMs, specifically the OpenAI GPT-4 model, to simulate a broad spectrum of human responses to social engineering attacks that exploit human social behaviors, framing our primary research question: How does the simulated behavior of human targets, based on the Big Five personality traits, respond to social engineering attacks? This study aims to provide valuable insights for organizations and researchers striving to systematically analyze human behavior and identify prevalent human qualities, as defined by the Big Five personality traits, that are susceptible to social engineering attacks, specifically phishing emails. Also, it intends to offer recommendations for the cybersecurity industry and policymakers on mitigating these risks. The findings indicate that LLMs can provide realistic simulations of human responses to social engineering attacks, highlighting certain personality traits as more susceptible.

    The Data Breach Dilemma: Proactive Solutions for Protecting Consumers’ Personal Information

    Data breaches are an increasingly common part of consumers’ lives. No institution is immune to the possibility of an attack. Each breach inevitably risks the release of consumers’ personally identifiable information and the strong possibility of identity theft. Unfortunately, current solutions for handling these incidents are woefully inadequate. Private litigation like consumer class actions and shareholder lawsuits each face substantive legal and procedural barriers. States have their own data security and breach notification laws, but there is currently no unifying piece of legislation or strong enforcement mechanism. This Note argues that proactive solutions are required. First, a national data security law—setting minimum data security standards, regulating the use and storage of personal information, and expanding the enforcement role of the Federal Trade Commission—is imperative to protect consumers’ data. Second, a proactive solution requires reconsidering how to minimize the problem by going to its source: the collection of personally identifiable information in the first place. This Note suggests regulating companies’ collection of Social Security numbers, and, eventually, using a system based on distributed ledger technology to replace the ubiquity of Social Security numbers.

    Cybersecurity Challenges and Awareness of the Multi-Generational Learners in Nepal

    Increased exposure to technologies has lately emerged as one of the everyday realities of digital natives, especially K-12 students, and teachers, the digital immigrants. Protection from cybersecurity risks in digital learning spaces is a human right, but students are increasingly exposed to high-risk cyberspace without time to cope with cybersecurity risks. This study, using a survey (N = 891 students and 157 teachers) and in-depth interviews (27 students and 14 teachers), described the students’ cybersecurity-related experiences and challenges in Nepal. This study revealed that the school’s cybersecurity support system is poor and teachers have very low awareness and competencies to protect students from cybersecurity-related challenges. To create a safe cyberspace for learners, it is urgent to enhance the cybersecurity awareness and skills of teachers, as the existing infrastructure is weak and there is a significant gap related to the cybersecurity awareness between students and teachers. Poor cybersecurity is one of the significant barriers to the quality of education in Nepal. In the age of information and technology, effective collaboration among parents, teachers, and students, the multi-generational learners, is the prerequisite for ensuring children’s rights to learn in all settings including cyberspace.

    The Specifics and Patterns of Cybercrime in the Field of Payment Processing

    In the modern world, cybercrime in the field of payment processing as a phenomenon is developing rapidly. Highly developed, developing and least-developed states become victims of cyberattacks. The purpose of this study is to analyze the experience of the international community and a number of states in combating cybercrime in the field of payment processing. International and regional (on the example of the Council of Europe) legal regulation of the fight against this type of crime was analyzed. The data on the size of losses caused by cybercrime to the world economy are analyzed according to the latest report from the Center for Strategic and International Studies for 2018, the World Economic Forum for 2019, DLA Piper GDPR for the period January-April 2020. Besides, using the example of the Russian Federation, quantitative indicators of the growth of cybercrime and the level of its detection for the period from 2018 to April 2020 were investigated. Comparison of the experience of individual states and its analysis made it possible to single out the best possible measures to counter cybercrime in the field of financial processing. The necessity of interstate cooperation to counter cybercrime in the field of payment processing is indicated. However, due to the presence of significant differences in the legal systems of all states, it is proposed to interact within the framework of regional communities with gradual transfer to international interaction. The priority is given to precisely preventive measures to counter cybercrime in the field of payment processing.