4,527 research outputs found

    Moving from a "human-as-problem" to a "human-as-solution" cybersecurity mindset

    Cybersecurity has gained prominence, with a number of widely publicised security incidents, hacking attacks and data breaches reaching the news over the last few years. The escalation in the numbers of cyber incidents shows no sign of abating, and it seems appropriate to take a look at the way cybersecurity is conceptualised and to consider whether there is a need for a mindset change. To consider this question, we applied a "problematization" approach to assess current conceptualisations of the cybersecurity problem by government, industry and hackers. Our analysis revealed that individual human actors, in a variety of roles, are generally considered to be "a problem". We also discovered that deployed solutions primarily focus on preventing adverse events by building resistance: i.e. implementing new security layers and policies that control humans and constrain their problematic behaviours. In essence, this treats all humans in the system as if they might well be malicious actors, and the solutions are designed to prevent their ill-advised behaviours. Given the continuing incidences of data breaches and successful hacks, it seems wise to rethink the status quo approach, which we refer to as "Cybersecurity, Currently". In particular, we suggest that there is a need to reconsider the core assumptions and characterisations of the well-intentioned human's role in the cybersecurity socio-technical system. Treating everyone as a problem does not seem to work, given the current cyber security landscape. Benefiting from research in other fields, we propose a new mindset i.e. "Cybersecurity, Differently". This approach rests on recognition of the fact that the problem is actually the high complexity, interconnectedness and emergent qualities of socio-technical systems.
The "differently" mindset acknowledges the well-intentioned human's ability to be an important contributor to organisational cybersecurity, as well as their potential to be "part of the solution" rather than "the problem". In essence, this new approach initially treats all humans in the system as if they are well-intentioned. The focus is on enhancing factors that contribute to positive outcomes and resilience. We conclude by proposing a set of key principles and, with the help of a prototypical fictional organisation, consider how this mindset could enhance and improve cybersecurity across the socio-technical system

    A Stronger Europe in the World: Major Challenges for EU Trade Policy. College of Europe EU Diplomacy Paper 02/2020

    On 29 January 2020, Dr. Sabine Weyand, Director-General for Trade at the European Commission, gave a lecture on “‘A stronger Europe in the world’: Major challenges for EU trade policy” at the College of Europe in Bruges. She started out with the challenges posed by the rise of populism and the shift towards more power-based relations and protectionism, arguing that trade is increasingly seen as a proxy through which the battle for political supremacy is fought. Dr. Weyand then explained the trade priorities of the new European Commission: reforming the World Trade Organisation for the benefit of a predictable, rules-based multilateral system; managing the bilateral relations with major powers including the United States, China and the United Kingdom; contributing as a ‘geopolitical Commission’ to other policy fields and in particular the European Green Deal; and levelling the playing field by promoting EU standard

    Global Risks 2012, Seventh Edition

    The World Economic Forum's Global Risks 2012 report is based on a survey of 469 experts from industry, government, academia and civil society that examines 50 global risks across five categories. The report emphasizes the singular effect of a particular constellation of global risks rather than focusing on a single existential risk. Three distinct constellations of risks that present a very serious threat to our future prosperity and security emerged from a review of this year's set of risks. Includes a special review of the important lessons learned from the 2011 earthquake, tsunami and the subsequent nuclear crisis at Fukushima, Japan. It focuses on the role of leadership, challenges to effective communication in this information age and resilient business models in response to crises of unforeseen magnitude

    The European Union versus External Disinformation Campaigns in the Midst of Information Warfare: Ready for the Battle? College of Europe EU Diplomacy Paper 01/2019

    As a result of increased globalisation and digitalisation, new security challenges emerge such as the rise of online disinformation which undermines democracy and people’s trust in mainstream media and public authorities. The 2016 United States presidential elections, the Brexit referendum in the United Kingdom and the 2017 French presidential elections have all been disturbed by external interference coming from Russia, including massive disinformation campaigns which were disseminated on social media to influence citizens’ opinion. This paper studies the European Union’s (EU) strategy to counter external disinformation campaigns in cyberspace, i.e. the campaigns that are diffused online by foreign actors, such as Russia, within the EU’s territory. To what extent is the EU strategically prepared to counter external disinformation campaigns in cyberspace? The EU has adopted a defensive strategy to deal with disinformation. It has delivered several strategic documents, including an Action Plan in December 2018, that provides a promising basis for action. The work done by the East StratCom Task Force, which detects and debunks Russian narratives, is a strong asset for the EU. The major online platforms are currently trying to implement a Code of Practice that the European Commission has set up with the aim of curbing disinformation spreading on social networks. Having a long-term perspective in mind, the EU rightly implements measures to enhance societal resilience and improve media literacy among its citizens. However, the financial resources dedicated to counter disinformation are not commensurate with the threat it represents. Furthermore, the EU’s approach is not focusing enough on artificial intelligence tools that can significantly influence how disinformation is carried out and disseminated but can, on the other hand, also help fact-checking activities. Hence, the EU is not entirely prepared to counter external disinformation campaigns in cyberspace. 
Moreover, disinformation should be looked at in the wider framework of hybrid warfare and should therefore be considered as a cybersecurity matter

    Community Self Help

    This paper advocates controlling crime through a greater emphasis on precautions taken not by individuals, but by communities. The dominant battles in the literature today posit two central competing models of crime control. In one, the standard policing model, the government is responsible for the variety of acts that are necessary to deter and prosecute criminal acts. In the other, private self-help, public law enforcement is largely supplanted by providing incentives to individuals to self-protect against crime. There are any number of nuances and complications in each of these competing stories, but the literature buys into this binary matrix

    Managing Risk and Information Security: Protect to Enable (Second Edition)

    Examine the evolving enterprise security landscape and discover how to manage and survive risk. While based primarily on the author’s experience and insights at major companies where he has served as CISO and CSPO, the book also includes many examples from other well-known companies and provides guidance for a management-level audience. Managing Risk and Information Security provides thought leadership in the increasingly important area of enterprise information risk and security. It describes the changing risk environment and why a fresh approach to information security is needed. Because almost every aspect of an enterprise is now dependent on technology not only for internal operations but increasingly as a part of product or service creation, the focus of IT security must shift from locking down assets to enabling the business while managing and surviving risk. This edition discusses business risk from a broader perspective, including privacy and regulatory considerations. It describes the increasing number of threats and vulnerabilities and offers strategies for developing solutions. These include discussions of how enterprises can take advantage of new and emerging technologies—such as social media and the huge proliferation of Internet-enabled devices—while minimizing risk. What You'll Learn: Review how people perceive risk and the effects it has on information security; See why different perceptions of risk within an organization matter; Understand and reconcile these differing risk views; Gain insights into how to safely enable the use of new technologies. Who This Book Is For: The primary audience is CIOs and other IT leaders, CISOs and other information security leaders, IT auditors, and other leaders of corporate governance and risk functions. The secondary audience is CEOs, board members, privacy professionals, and less senior-level information security and risk professionals

    Cybersecurity: mapping the ethical terrain

    This edited collection examines the ethical trade-offs involved in cybersecurity: between security and privacy; individual rights and the good of a society; and between the types of burdens placed on particular groups in order to protect others. Foreword Governments and society are increasingly reliant on cyber systems. Yet the more reliant we are upon cyber systems, the more vulnerable we are to serious harm should these systems be attacked or used in an attack. This problem of reliance and vulnerability is driving a concern with securing cyberspace. For example, a ‘cybersecurity’ team now forms part of the US Secret Service. Its job is to respond to cyber-attacks in specific environments such as elevators in a building that hosts politically vulnerable individuals, for example, state representatives. Cybersecurity aims to protect cyberinfrastructure from cyber-attacks; the concerning aspect of the threat from cyber-attack is the potential for serious harm that damage to cyber-infrastructure presents to resources and people. These types of threats to cybersecurity might simply target information and communication systems: a distributed denial of service (DDoS) attack on a government website does not harm a website in any direct way, but prevents its normal use by stifling the ability of users to connect to the site. Alternatively, cyber-attacks might disrupt physical devices or resources, such as the Stuxnet virus, which caused the malfunction and destruction of Iranian nuclear centrifuges. Cyber-attacks might also enhance activities that are enabled through cyberspace, such as the use of online media by extremists to recruit members and promote radicalisation. Cyber-attacks are diverse: as a result, cybersecurity requires a comparable diversity of approaches. 
Cyber-attacks can have powerful impacts on people’s lives, and so—in liberal democratic societies at least—governments have a duty to ensure cybersecurity in order to protect the inhabitants within their own jurisdiction and, arguably, the people of other nations. But, as recent events following the revelations of Edward Snowden have demonstrated, there is a risk that the governmental pursuit of cybersecurity might overstep the mark and subvert fundamental privacy rights. Popular comment on these episodes advocates transparency of government processes, yet given that cybersecurity risks represent major challenges to national security, it is unlikely that simple transparency will suffice. Managing the risks of cybersecurity involves trade-offs: between security and privacy; individual rights and the good of a society; and types of burdens placed on particular groups in order to protect others. These trade-offs are often ethical trade-offs, involving questions of how we act, what values we should aim to promote, and what means of anticipating and responding to the risks are reasonably—and publicly—justifiable. This Occasional Paper (prepared for the National Security College) provides a brief conceptual analysis of cybersecurity, demonstrates the relevance of ethics to cybersecurity and outlines various ways in which to approach ethical decision-making when responding to cyber-attacks

    Developing our capability in cyber security: Academic Centres of Excellence in Cyber Security Research


    Profiling a decade of information systems frontiers’ research

    This article analyses the first ten years of research published in the Information Systems Frontiers (ISF) from 1999 to 2008. The analysis of the published material includes examining variables such as most productive authors, citation analysis, universities associated with the most publications, geographic diversity, authors’ backgrounds and research methods. The keyword analysis suggests that ISF research has evolved from establishing concepts and domain of information systems (IS), technology and management to contemporary issues such as outsourcing, web services and security. The analysis presented in this paper has identified intellectually significant studies that have contributed to the development and accumulation of intellectual wealth of ISF. The analysis has also identified authors published in other journals whose work largely shaped and guided the researchers published in ISF. This research has implications for researchers, journal editors, and research institutions