1,749 research outputs found

    Moving from a "human-as-problem" to a "human-as-solution" cybersecurity mindset

    Cybersecurity has gained prominence, with a number of widely publicised security incidents, hacking attacks and data breaches reaching the news over the last few years. The escalation in the numbers of cyber incidents shows no sign of abating, and it seems appropriate to take a look at the way cybersecurity is conceptualised and to consider whether there is a need for a mindset change. To consider this question, we applied a "problematization" approach to assess current conceptualisations of the cybersecurity problem by government, industry and hackers. Our analysis revealed that individual human actors, in a variety of roles, are generally considered to be "a problem". We also discovered that deployed solutions primarily focus on preventing adverse events by building resistance: i.e. implementing new security layers and policies that control humans and constrain their problematic behaviours. In essence, this treats all humans in the system as if they might well be malicious actors, and the solutions are designed to prevent their ill-advised behaviours. Given the continuing incidences of data breaches and successful hacks, it seems wise to rethink the status quo approach, which we refer to as "Cybersecurity, Currently". In particular, we suggest that there is a need to reconsider the core assumptions and characterisations of the well-intentioned human's role in the cybersecurity socio-technical system. Treating everyone as a problem does not seem to work, given the current cyber security landscape. Benefiting from research in other fields, we propose a new mindset i.e. "Cybersecurity, Differently". This approach rests on recognition of the fact that the problem is actually the high complexity, interconnectedness and emergent qualities of socio-technical systems.
The "differently" mindset acknowledges the well-intentioned human's ability to be an important contributor to organisational cybersecurity, as well as their potential to be "part of the solution" rather than "the problem". In essence, this new approach initially treats all humans in the system as if they are well-intentioned. The focus is on enhancing factors that contribute to positive outcomes and resilience. We conclude by proposing a set of key principles and, with the help of a prototypical fictional organisation, consider how this mindset could enhance and improve cybersecurity across the socio-technical system

    Enhancing relationships between criminology and cybersecurity

    ‘Cybercrime’ is an umbrella concept used by criminologists to refer to traditional crimes that are enhanced via the use of networked technologies (i.e. cyber-enabled crimes) and newer forms of crime that would not exist without networked technologies (i.e. cyber-dependent crimes). Cybersecurity is similarly a very broad concept and diverse field of practice. For computer scientists, the term ‘cybersecurity’ typically refers to policies, processes and practices undertaken to protect data, networks and systems from unauthorised access. Cybersecurity is used in subnational, national and transnational contexts to capture an increasingly diverse array of threats. Increasingly, cybercrimes are presented as threats to cybersecurity, which explains why national security institutions are gradually becoming involved in cybercrime control and prevention activities. This paper argues that the fields of cyber-criminology and cybersecurity, which are segregated at the moment, are in much need of greater engagement and cross-fertilisation. We draw on concepts of ‘high’ and ‘low’ policing (Brodeur, 2010) to suggest it would be useful to consider ‘crime’ and ‘security’ on the same continuum. This continuum has cybercrime at one end and cybersecurity at the other, with crime being more the domain of ‘low’ policing while security, as conceptualised in the context of specific cybersecurity projects, falls under the responsibility of ‘high’ policing institutions. This unifying approach helps us to explore the fuzzy relationship between cyber-crime and cyber-security and to call for more fruitful alliances between cybercrime and cybersecurity researchers

    Revitalizing Criminological Theory: Towards a New Ultra-Realism

    This book provides a short, comprehensive and accessible introduction to Ultra-Realism: a unique and radical school of criminological thought that has been developed by the authors over a number of years. After first outlining existing schools of thought, their major intellectual flaws and their underlying politics in a condensed guide that will be invaluable to all undergraduate and postgraduate students, Hall and Winlow introduce a number of important new concepts to criminology and suggest a new philosophical foundation, theoretical framework and research programme. These developments will enhance the discipline’s ability to explain human motivations, construct insightful representations of reality and answer the fundamental question of why some human beings risk inflicting harm on others to further their own interests or achieve various ends

    Toward a general ontology for digital forensic disciplines

    Ontologies are widely used in different disciplines as a technique for representing and reasoning about domain knowledge. However, despite the widespread ontology-related research activities and applications in different disciplines, the development of ontologies and ontology research activities are still wanting in digital forensic disciplines. This paper therefore presents the case for establishing an ontology for digital forensic disciplines. Such an ontology would enable better categorisation of digital forensic disciplines, as well as help with the development of methodologies that can offer direction in different areas of digital forensics, such as professional specialisation, certifications, development of digital forensic tools, curricula and educational materials. In addition, the ontology presented in this paper can be used, for example, to better organise digital forensics domain knowledge and explicitly describe the discipline's semantics in a common way. Finally, this paper is meant to spark discussions and further research on an internationally agreed ontological distinction of the digital forensic disciplines. Digital forensic disciplines ontology is a novel approach towards organising the digital forensics domain knowledge and constitutes the main contribution of this paper.

    Social aspects in organisational cyber-security effectiveness - Of British coal mines, resilience and emergence

    Cyber-security, which plays a key role in all areas of the digital world, from the power grid to healthcare, is mainly addressed from an analytical, engineering perspective. This research looks at social factors impacting real-life cyber-security, and their possible effects, such as resilience and emergence. Semi-structured interviews were conducted with 20 participants from a broad range of international organisations. Their analysis shows that social factors are indeed relevant to cyber-security. Tension within social structures in organisations (e.g., employee-supervisor relationship, and peer pressure within teams) can significantly impact cyber-security effectiveness. The study concludes that cyber-security should be addressed through social-technical system design, in recognition of the fundamental interdependence of social and technical aspects. As a corollary, organisational cyber-security needs to be treated as a so-called wicked problem, for which a reductionist engineering approach is futile. The complexity and ambiguity of cyber-security’s socio-technical challenges call for adequate principles, ways of thinking and methods

    Linking Threat Avoidance and Security Adoption: A Theoretical Model For SMEs

    A deficiency exists in the Information Systems Security literature because of the tendency to regard IT threat avoidance and IT security adoption as separate behaviours. In addressing the deficiency this research in progress focuses on SMEs, for several reasons including their strategic importance globally, the current trend among cybercriminals to conduct more high volume, low risk attacks against weaker targets and also because of the individualistic behavioural patterns in SMEs. Drawing on several well-established behavioural theories, this paper synthesises elements of these theories into a holistic model, with coping theory placed firmly at its centre. This study will make several contributions to the field, initially creating an empirically validated model for behaviours surrounding both avoidance and preventative actions in small firms and also in presenting and prioritising a specific view of the external factors influencing how threats are appraised, assessed and dealt with

    Bridging Information Security and Environmental Criminology Research to Better Mitigate Cybercrime

    Cybercrime is a complex phenomenon that spans both technical and human aspects. As such, two disjoint areas have been studying the problem from separate angles: the information security community and the environmental criminology one. Despite the large body of work produced by these communities in the past years, the two research efforts have largely remained disjoint, with researchers on one side not benefitting from the advancements proposed by the other. In this paper, we argue that it would be beneficial for the information security community to look at the theories and systematic frameworks developed in environmental criminology to develop better mitigations against cybercrime. To this end, we provide an overview of the research from environmental criminology and how it has been applied to cybercrime. We then survey some of the research proposed in the information security domain, drawing explicit parallels between the proposed mitigations and environmental criminology theories, and presenting some examples of new mitigations against cybercrime. Finally, we discuss the concept of cyberplaces and propose a framework in order to define them. We discuss this as a potential research direction, taking into account both fields of research, in the hope of broadening interdisciplinary efforts in cybercrime research

    Policing the smart home: The internet of things as ‘invisible witnesses'

    In this paper, we develop the concept of smart home devices as ‘invisible witnesses’ in everyday life. We explore contemporary examples that highlight how smart devices have been used by the police and unpack the socio-technical implications of using these devices in criminal investigations. We draw on several sociological, computing and forensics concepts to develop our argument. We consider the challenges of obtaining and interpreting trace evidence from smart devices; unpack the ways in which these devices are designed to be ‘invisible in use’; and reflect on the processes by which they become domesticated into everyday life. We also analyse the differentiated levels of control occupants have over smart home devices, and the surveillance impacts of making everyday life visible to third parties, particularly the police

    Artificial Intelligence Adoption in Criminal Investigations: Challenges and Opportunities for Research

    Artificial Intelligence (AI) offers the potential to transform organisational decision-making and knowledge-sharing processes that support criminal investigations. Yet, there is still limited evidence-based knowledge concerning the successful use of AI for criminal investigations in literature. This paper identifies the main areas and current dynamics of the adoption of AI in criminal investigations using bibliometric analysis. We synthesise existing research by identifying key themes researchers have delved into on AI in criminal investigations. The themes include crime prediction and human-centred issues relating to AI use in criminal investigations. Finally, the paper elaborates on the challenges that may influence AI adoption in criminal investigations by police professionals. These challenges include possible laggard effects with AI adoption, implementation challenges, lack of government oversight, and a skills gap