57 research outputs found

    Practical Cybersecurity Ethics: Mapping CyBOK to Ethical Concerns

    Research into the ethics of cybersecurity is an established and growing topic of investigation, however the translation of this research into practice is lacking: there exists a small number of professional codes of ethics or codes of practice in cybersecurity, however these are very broad and do not offer much insight into the ethical dilemmas that can be faced while performing specific cybersecurity activities. In order to address this gap, we leverage ongoing work on the Cyber Security Body of Knowledge (CyBOK) to help elicit and document the responsibilities and ethics of the profession. Based on a literature review of the ethics of cybersecurity, we use CyBOK to frame the exploration of ethical challenges in the cybersecurity profession through a series of 15 interviews with cybersecurity experts. Our approach is qualitative and exploratory, aiming to answer the research question "What ethical challenges, insights, and solutions arise in different areas of cybersecurity?". Our findings indicate that there are broad ethical challenges across the whole of cybersecurity, but also that different areas of cybersecurity can face specific ethical considerations for which more detailed guidance can help professionals in those areas. In particular, our findings indicate that security decision-making is expected of all security professionals, but that this requires them to balance a complex mix of technical, objective and subjective points of view, and that resolving conflicts raises challenging ethical dilemmas. We conclude that more work is needed to explore, map, and integrate ethical considerations into cybersecurity practice; the urgent need to conduct further research into the ethics of cybersecurity AI; and highlight the importance of this work for individuals and professional bodies who seek to develop and mature the cybersecurity profession in a responsible manner.
    Comment: 14 pages, 2 figures, New Security Paradigms Workshop 202

    Digital Deception: Generative Artificial Intelligence in Social Engineering and Phishing

    The advancement of Artificial Intelligence (AI) and Machine Learning (ML) has profound implications for both the utility and security of our digital interactions. This paper investigates the transformative role of Generative AI in Social Engineering (SE) attacks. We conduct a systematic review of social engineering and AI capabilities and use a theory of social engineering to identify three pillars where Generative AI amplifies the impact of SE attacks: Realistic Content Creation, Advanced Targeting and Personalization, and Automated Attack Infrastructure. We integrate these elements into a conceptual model designed to investigate the complex nature of AI-driven SE attacks - the Generative AI Social Engineering Framework. We further explore human implications and potential countermeasures to mitigate these risks. Our study aims to foster a deeper understanding of the risks, human implications, and countermeasures associated with this emerging paradigm, thereby contributing to a more secure and trustworthy human-computer interaction.
    Comment: Submitted to CHI 202

    Useful shortcuts: Using design heuristics for consent and permission in smart home devices

    Prior research in smart home privacy highlights significant issues with how users understand, permit, and consent to data use. Some of the underlying issues point to unclear data protection regulations, lack of design principles, and dark patterns. In this paper, we explore heuristics (also called “mental shortcuts” or “rules of thumb”) as a means to address security and privacy design challenges in smart homes. First, we systematically analyze an existing body of data on smart homes to derive a set of heuristics for the design of consent and permission. Second, we apply these heuristics in four participatory co-design workshops (n = 14) and report on their use. Third, we analyze the use of the heuristics through thematic analysis highlighting heuristic application, purpose, and effectiveness in successful and unsuccessful design outcomes. We conclude with a discussion of the wider challenges, opportunities, and future work for improving design practices for consent in smart homes.

    “It becomes more of an abstract idea, this privacy”—Informing the design for communal privacy experiences in smart homes

    In spite of research recognizing the home as a shared space and privacy as inherently social, privacy in smart homes has mainly been researched from an individual angle. Sometimes contrasting and comparing perspectives of multiple individuals, research has rarely focused on how household members might use devices communally to achieve common privacy goals. An investigation of communal use of smart home devices and its relationship with privacy in the home is lacking. The paper presents a grounded analysis based on a synergistic relationship between an ethnomethodologically-informed (EM-informed) study and a grounded theory (GT) approach. The study focuses on household members’ interactions to show that household members’ ability to coordinate the everyday use of their devices depends on appropriate conceptualizations of roles, rules, and privacy that are fundamentally different from those embodied by off-the-shelf products. Privacy is rarely an explicit, actionable, and practical consideration among household members, but rather a consideration wrapped up in everyday concerns. Roles and rules are not used to create social order, but to account for it. To sensitize to this everyday perspective and to reconcile privacy as wrapped up in everyday concerns with the design of smart home systems, the paper presents the social organization of communal use as a descriptive framework. The framework is descriptive in capturing how households navigate the ‘murky waters’ of communal use in practice, where prior research highlighted seemingly irreconcilable differences in interest, attitude, and aptitude between multiple individuals and with other stakeholders. Discussing how households’ use of roles, rules, and privacy in-practice differed from what off-the-shelf products afforded, the framework highlights critical challenges and opportunities for the design of communal privacy experiences.

    Further Exploring Communal Technology Use in Smart Homes: Social Expectations

    Device use in smart homes is becoming increasingly communal, requiring cohabitants to navigate a complex social and technological context. In this paper, we report findings from an exploratory survey grounded in our prior work on communal technology use in the home [4]. The findings highlight the importance of considering qualities of social relationships and technology in understanding expectations and intentions of communal technology use. We propose a design perspective of social expectations, and we suggest existing designs can be expanded using already available information such as location, and considering additional information, such as levels of trust and reliability.
    Comment: to appear in CHI '20 Extended Abstracts, April 25--30, 2020, Honolulu, HI, US

    Security should be there by default: Investigating how journalists perceive and respond to risks from the Internet of Things

    Journalists have long been the targets of both physical and cyber-attacks from well-resourced adversaries. Internet of Things (IoT) devices are arguably a new avenue of threat towards journalists through both targeted and generalised cyber-physical exploitation. This study comprises three parts: First, we interviewed 11 journalists and surveyed 5 further journalists, to determine the extent to which journalists perceive threats through the IoT, particularly via consumer IoT devices. Second, we surveyed 34 cyber security experts to establish if and how lay-people can combat IoT threats. Third, we compared these findings to assess journalists' knowledge of threats, and whether their protective mechanisms would be effective against experts' depictions and predictions of IoT threats. Our results indicate that journalists generally are unaware of IoT-related risks and are not adequately protecting themselves; this considers cases where they possess IoT devices, or where they enter IoT-enabled environments (e.g., at work or home). Expert recommendations spanned both immediate and long-term mitigation methods, including practical actions that are technical and socio-political in nature. However, all proposed individual mitigation methods are likely to be short-term solutions, with 26 of 34 (76.5%) of cyber security experts responding that within the next five years it will not be possible for the public to opt-out of interaction with the IoT.
