7 research outputs found

    Is the responsibilization of the cyber security risk reasonable and judicious?

    Cyber criminals appear to be plying their trade without much hindrance. Home computer users are particularly vulnerable to attack by an increasingly sophisticated and globally dispersed hacker group. The smartphone era has exacerbated the situation, offering hackers even more attack surfaces to exploit. It might not be entirely coincidental that cyber crime has mushroomed in parallel with governments pursuing a neoliberalist agenda. This agenda has a strong drive towards individualizing risk, i.e. advising citizens how to take care of themselves, and then leaving them to face the consequences if they choose not to follow the advice. In effect, citizens are “responsibilized.” Whereas responsibilization is effective for some risks, the responsibilization of cyber security is, we believe, contributing to the global success of cyber attacks. There is, consequently, a case to be made for governments taking a more active role than the mere provision of advice, which is the case in many countries. We conclude with a concrete proposal for a risk regulation regime that would more effectively mitigate and ameliorate cyber risk.

    The role of Responsibilised Non-Policing Agencies (RNPAs) in improving cybercrime reporting in Scotland

    The Scottish neoliberal government's enlisting of community and private sector organisations in economic cybercrime reporting is a form of responsibilisation. These organisations collect, evaluate and forward victims' cybercrime reports as state intelligence. I pioneer the term Responsibilised Non-Policing Agencies (RNPAs) to unmask the genealogy of their acquired role. I interviewed and compared Scottish versus Italian RNPAs to understand responsibilisation internationally and improve cybercrime reporting nationally. Scottish RNPAs are state-sponsored charities, banks, regulators of commerce and private institutions. Italian RNPAs are private law firms. All were represented by their relevant functions. In Scotland, RNPAs form a responsibilisation buffer zone between the state and victims. The Scots state exports selective funding and catholic responsibility to RNPAs and imports cybercrime intelligence. The Italian state is comparatively disengaged. Victims risk criminal responsibilisation, which is why they turn to RNPAs. Scottish RNPAs supply an opportunity cost dilemma. The state can keep using RNPAs to narrate an improving cybercrime reporting strategy, which is cheaper. Alternatively, the state can restructure the funding of select RNPAs and increase funding for specialised cybercrime policing, which is more expensive. Both options are viable with specialisation bearing the opportunity cost

    Accessible and inclusive cyber security: a nuanced and complex challenge

    It has been argued that human-centred security design needs to accommodate the considerations of three dimensions: (1) security, (2) usability and (3) accessibility. The latter has not yet received much attention. Now that governments and health services are increasingly requiring their citizens/patients to use online services, the need for accessible security and privacy has become far more pressing. The reality is that, for many, security measures are often exasperatingly inaccessible. Regardless of the outcome of the debate about the social acceptability of compelling people to access public services online, we still need to design accessibility into these systems, or risk excluding and marginalising swathes of the population who cannot use these systems in the same way as abled users. These users are particularly vulnerable to attack and online deception not only because security and privacy controls are inaccessible but also because they often struggle with depleted resources and capabilities together with less social, economic and political resilience. This conceptual paper contemplates the accessible dimension of human-centred security and its impact on the inclusivity of security technologies. We scope the range of vulnerabilities that can result from a lack of accessibility in security solutions and contemplate the nuances and complex challenges inherent in making security accessible. We conclude by suggesting a number of avenues for future work in this space.

    Managing cyber risk in supply chains: A review and research agenda

    Purpose: Despite growing research interest in cyber security, inter-firm based cyber risk studies are rare. Therefore, this study investigates cyber risk management in supply chain contexts. Methodology: Adapting a systematic literature review process, papers from interdisciplinary areas published between 1990 and 2017 were selected. Different typologies, developed for conducting descriptive and thematic analysis were established using data mining techniques to conduct a comprehensive, replicable and transparent review. Findings: The review identifies multiple future research directions for cyber security/resilience in supply chains. A conceptual model is developed, which indicates a strong link between IT, organisational and supply chain security systems. The human/behavioural elements within cyber security risk are found to be critical; however, behavioural risks have attracted less attention due to a perceived bias towards technical (data, application and network) risks. There is a need for raising risk awareness, standardised policies, collaborative strategies and empirical models for creating supply chain cyber-resilience. Research implications: Different types of cyber risks and their points of penetration, propagation levels, consequences and mitigation measures are identified. The conceptual model developed in this study drives an agenda for future research on supply chain cyber security/resilience. Practical implications: A multi-perspective, systematic study provides a holistic guide for practitioners in understanding cyber-physical systems. The cyber risk challenges and the mitigation strategies identified support supply chain managers in making informed decisions. Originality: This is the first systematic literature review on managing cyber risks in supply chains. The review defines supply chain cyber risk and develops a conceptual model for supply chain cyber security systems and an agenda for future studies.

    Gender approaches to cybersecurity: design, defence and response

    Cybersecurity en cybergovernance; Security and Global Affair

    A Universal Cybersecurity Competency Framework for Organizational Users

    The global reliance on the Internet to facilitate organizational operations necessitates further investments in organizational information security. Such investments hold the potential for protecting information assets from cybercriminals. To assist organizations with their information security, The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF) was created. The framework referenced the cybersecurity work, knowledge, and skills required to competently complete the tasks that strengthen their information security. Organizational users’ limited cybersecurity competency contributes to the financial and information losses suffered by organizations year after year. While most organizational users may be able to respond positively to a cybersecurity threat, without a measure of their cybersecurity competency they represent a cybersecurity threat to organizations. The main goal of this research study was to develop a universal Cybersecurity Competency Framework (CCF) to determine the demonstrated cybersecurity Knowledge, Skills, and Tasks (KSTs) through the NCWF (NICE, 2017) as well as identify the cybersecurity competency of organizational users. Limited attention has been given in cybersecurity research to determine organizational users’ cybersecurity competency. An expert panel of cybersecurity professionals known as Subject Matter Experts (SMEs) validated the cybersecurity KSTs necessary for the universal CCF. The research study utilized the explanatory sequential mixed-method approach to develop the universal CCF. This research study included a developmental approach combining quantitative and qualitative data collection in three research phases. In Phase 1, 42 SMEs identified the KSTs needed for the universal CCF. The results of the validated data from Phase 1 were inputted to construct the Phase 2 semi-structured interview. In Phase 2, qualitative data were gathered from 12 SMEs. 
The integration of the quantitative and qualitative data validated the KSTs. In Phase 3, 20 SMEs validated the KST weights and identified the threshold level. Phase 3 concluded with the SMEs' aggregation of the KST weights into the universal CCF index. The weights assigned by the SMEs in Phase 3 showed that they considered knowledge as the most important competency, followed by Skills, then Tasks. The qualitative results revealed that training is needed for cybersecurity tasks. Phase 3 data collection and analysis continued with the aggregation of the validated weights into a single universal CCF index score. The SMEs determined that 72% was the threshold level. The findings of this research study significantly contribute to the body of knowledge on information systems and have implications for practitioners and academic researchers. It appears this is the only research study to develop a universal CCF to assess the organizational user’s competency and create a threshold level. The findings also offer further insights into what organizations need to provide cybersecurity training to their organizational users to enable them to competently mitigate cyber-attacks.

    ”Et nää on näitä meiän kyberhyökkäyksiä nämä” – The government of one and all in everyday digital security in Finnish Lapland

    The government of one and all in everyday digital security in Finnish Lapland. This study contextualises the gradual institutionalising of conventional concepts of cybersecurity by providing a more human-centric perspective. While discussion of cybersecurity can be encountered in daily news and in the workplace ever more frequently, its content and practical implications often remain abstract to everyday life. When cybersecurity is understandably addressed in highly technical and/or strategic terms, involving specific threat imageries and vocabularies, the mundane effects of the (un)successful securitisation of cyberspace can receive less attention. However, it is precisely these everyday effects that justify and undermine everyday cyber/digital security, and influence the respective security roles assigned to all citizens in emerging cyber-physical societies. Drawing out commonalities and differences between human security and governmentality studies, this thesis critically examines the entanglement of digitalisation and cyber/digital security in Finnish Lapland: opportunities it provides and concerns it awakes in sparsely populated areas characterised by harsh climate, cultural diversity, long distances, and infrastructural issues, all of which relate to imagery of the Arctic as a developing region. It investigates the power relations and positions thus created, mainly through securitisation, development, and resilience. However, it also incorporates the related techniques of responsibilisation, human rights, commercialisation, surveillance and transparency, and, finally, techniques of the self, which aim at the assimilation of modern governmentality but also provide the means for its resistance. While digitalisation in Lapland is carried out with the stated aim of continuing service provision or improving it, it is efficiency and cost calculations that drive it. 
Digitalisation and cyber/digital security are not generally examined together but as two separate trajectories. This thesis brings them together hence addressing both positive (freedom to) and negative (freedom from) security. It also provides localised research on the effects of digitalisation in the northernmost areas of Finland, Sweden and Norway, partially addressing a gap in the current knowledgebase. The research was carried out by problematising the mainstream framings of cyber/digital security from a number of individual security perspectives: applying human security to digitalisation and cybersecurity in the European High North, examining the interconnection of digitalisation and regional re-organisation of health and social services, studying the responsibilisation of the users of digital sharing economy platforms in contract law, and through a case study on the use of ICT and views on the requisite security roles amongst people living in Lapland. The synthesis re-problematises a human security approach to digitalisation through governmentality studies. This move visualises power relations embedded in human security that regardless of its emancipatory aim turn the approach to support modern governmentality through responsibilisation of individuals and communities for their own security and wellbeing. The theories and approaches covered in this thesis show that a multitude of human behaviours in digitality ought to be acknowledged and security practices able to accommodate it developed. In the prevailing framings of cybersecurity, ICT corporations and states and/or societies are constituted as the main objects and subjects of security, whereas individuals are expected to behave in a digisavvy and safe manner and thus contribute to the overall effort of securing cyberspace. The main forms of public support in meeting the requirements of this kind of subjectivity are information provision, guidance and training, as well as societal accessibility policies. 
The aims of and values embedded in digitalisation remain unquestioned and increased connectivity is automatically expected to improve everyone’s quality of life. However, digitalisation also leads to novel inequalities, power imbalances and dependencies – or aggravates the existing ones – and to a loss of self-sufficiency. Digitalisation will not be turned around. However, as the power relations and positions it creates have not yet been firmly institutionalised, there is possibility to impact them, to turn them into networked relations that take people’s needs, wants and wishes into account – instead of advancing digitalisation merely in the terms of technology and/or administration. Instead of approaching people as a vulnerability and hence in need of education and support, they ought to be viewed as subjects who can decide for themselves. At the heart of this struggle is the question of what kind of world we wish to live in.
The government of the individual and the community through everyday digital security in Lapland. In this dissertation I examine the conventional, gradually institutionalising conceptualisations of cybersecurity from a human-centric perspective. While cybersecurity is becoming a standard topic of the news and of workplace conversations, its content and practical effects often remain abstract and distant from people's everyday experience. A technical and/or strategic approach to cybersecurity leaves the everyday effects of the (un)successful securitisation of cyberspace with relatively little attention, which is understandable given the technical nature of the topic and its significance for security policy. At the same time, however, it brings particular threat imageries and vocabularies into the treatment of the topic, which limits what kinds of content cybersecurity can take on and what kinds of policy measures can be directed at it. 
This is so even though it is precisely people's everyday experiences that either justify or call into question cyber/digital security as a policy and the security roles that are being set for citizens in emerging cyber-physical societies. In the study I examine the entanglement of digitalisation and cyber/digital security with the help of the theories of human security and the analytics of government. I focus on the opportunities opened up by digitalisation and the security concerns it raises in Finnish Lapland, which is characterised by sparse population, cultural diversity, a challenging climate, long distances and infrastructural challenges. These features contribute to Arctic regions often being perceived as developing regions and to policy measures in line with this being directed at them. The ways of speaking and the practical measures that follow this image create a network of power relations and positions, which I illustrate mainly by describing the techniques of securitisation, development and resilience. The description also includes the related techniques of responsibilisation, human rights, commercialisation, surveillance and transparency, as well as techniques of the self, which aim at the internalisation of modern governmentality but at the same time make resisting it possible. Although the stated aim of digitalisation in Lapland is to maintain or improve service provision, it is driven primarily by efficiency and cost calculations. Digitalisation and cyber/digital security are usually studied as two separate trajectories. In the dissertation I bring these trajectories together and examine both positive (freedom to) and negative (freedom from) security. In addition, I contextualise the research in the northernmost areas of Finland, Sweden and Norway, on which there is relatively little comparable research. 
In the research I problematise the mainstream conceptualisations of cyber/digital security from different perspectives of individual security: by applying the human security approach to digitalisation and cybersecurity in the northernmost areas of Europe, by examining the links between digitalisation and the regional reform of health and social services, by studying the responsibilisation of the users of the digital platforms of the sharing economy in contract law, and through a case study on the use of information technology by the residents of Lapland and their views on the allocation of roles in cyber/digital security. The synthesis of the dissertation re-problematises the human security approach with the help of the analytics of government. This move visualises the power relations contained in human security, which, despite its empowering aims, drift into supporting modern governmentality by making individuals and communities responsible for their own security and wellbeing. The theories and approaches contained in the dissertation emphasise the diversity of human behaviour in digitality, which should be recognised and which security practices should be able to take into account. In the mainstream conceptualisations of cybersecurity, information and communication technology companies and the state and/or society are the main referent objects and actors of security. Individuals are expected to act skilfully and safely, thereby doing their part in the securing of cyberspace. The main forms of public support for achieving this kind of agency are the production of information, guidance and exercises, as well as various accessibility policies and programmes. The aims of digitalisation or the values it promotes are not questioned. Instead, better communication connections are assumed to automatically improve everyone's quality of life. 
However, digitalisation also produces new kinds of inequality, imbalances of power and dependency, while it reinforces earlier inequalities and dependencies and weakens self-sufficiency and self-determination. Digitalisation is not a trajectory that can be turned around. As long as the power relations and positions it creates have not become firmly institutionalised, they can be influenced. The aim should be a network of power relations that takes into account people's needs, goals and wishes, instead of digitalisation being advanced solely on the terms of technology and/or administration. Instead of people being perceived as a vulnerability and therefore as objects of education and support, they should be seen as actors who decide for themselves. At the centre of this power struggle is the question of what kind of world we want to live in.