In certain circumstances the responsibility of managing risk is thrown back upon the individual. Margaret Thatcher famously blamed a large proportion of Britain’s record-level crime rates on the victims’ carelessness: ‘we have to be careful that we ourselves don’t make it easy for the criminal’. Another example is when women are blamed for sexual assault: ‘women need to protect themselves against the threat of being raped while drunk’, Judge Lindsey Kushner controversially declared in 2017. Unsurprisingly, victim displacement has also moved into the realm of cybersecurity, with security departments treating users as a security risk to be controlled.
The tendency to pass the blame onto victims in the event of a cyber attack is a direct consequence of the cyber domain’s very nature; it is the state’s recognition of the limits of its sovereign power. Cyber attacks challenge a government’s ability to protect its citizens and businesses because they are so difficult to attribute. There are copious methods an attacker can employ to remain hidden, from mix networks (a series of encrypted tunnels that form a cascade of anonymous proxies) to botnets (networks of private computers compromised without their owners’ knowledge and controlled by malicious code). This, combined with skill gaps within law enforcement in dealing with criminal activity in the cyber domain, makes it very difficult for governments and law enforcement to ensure the safety of their citizens online. Attention is therefore diverted onto the actions of the victim rather than onto a faceless cybercriminal residing in a borderless entity.
So why shouldn’t we blame people for cybersecurity errors?
Firstly, blaming people for cyber security errors has led to a culture of silence. This silence causes low cyber security reporting rates and stunts progress in both the recovery of those affected by the cyber security error and the prevention of future errors. The majority of individuals feel that cyber security errors are their fault, and as a result are disinclined to report a cybercrime; they are denied the status of a legitimate victim. Norton’s study found that individuals take cybercrime personally and blame themselves, even in cases of online harassment (41% of participants) or being approached by a sexual predator online (47% of participants). Norton’s study also found that 78% of adult participants feel responsible for phishing, 77% feel responsible for online scams and 73% feel responsible for computer viruses or malware attacks. This is an unhealthy side-effect of victim displacement: there is no incentive for victims to report the cybercrime, only the risk that they will be blamed.
This has even greater consequences for businesses, involving greater financial, legal, and reputational costs. In 2017, Equifax suffered a major security breach which led to over 143 million records, including personal and financial information, being stolen. However, Equifax did not publicly announce the incident until two months after it was discovered. Meanwhile, in an attempt to mitigate any costs for the company, stakeholders were found to have sold stock before the breach was announced. This reaction is a direct result of placing the blame on victims; it creates a dilemma between disclosing the data breach and suffering reputational, legal and financial costs, or hiding the data breach and placing those affected at a disadvantage.
Secondly, blaming people for cyber security errors underestimates the difficulties in the design and implementation of strategies which seek to get individuals to behave in a cyber-secure way. It has become commonplace to refer to users as the weakest link in the security chain. The spear phishing of John Podesta during the 2016 US election placed focus on Podesta’s lack of cyber-awareness. Eileen Donahoe concluded that ‘if John Podesta didn’t understand the importance of two-factor authentication for his Gmail account, it is hard to expect such awareness in others’, implying that the hack was a result of Podesta’s lack of interest in becoming cyber-aware.
This fails to take into account that cyber security errors are often caused by the implementation of security mechanisms that are not designed with the user in mind. The lack of user-centred design in cyber security mechanisms creates ‘overheads for users, or require unworkable user behaviour’, compelling users to ‘circumvent such mechanisms’. Password policies are a prime example of this trend. Although the dominant method for access control, passwords are the weakest form of protection. Take the example of change regimes, where a user is required to change their password frequently in order to reduce the impact of an undetected security breach. This action will typically reduce the overall password security in an organisation because users are caught between memory and security: the easiest way to satisfy the policy is to keep a memorable core and alter only a suffix or a capital letter.
User behaviour is not the fault of the user, but instead the security mechanism.
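To make the password change regime argument concrete, here is an added example (not part of the original essay) that models the behaviour it describes: a user keeps a memorable core and rotates only the suffix. The similarity check and the constructed password history are hypothetical and serve only to show how a defender can measure how much of a rotation policy's "churn" is predictable.

```python
"""Added example: measuring how much of a forced password rotation is predictable.

The history below is constructed for illustration; it is not real data.
"""
import re


def memorable_core(password: str) -> str:
    """Return the part a user tends to keep: the password with any trailing
    digits/symbols stripped, lower-cased so case changes do not matter."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is a predictable variant of `old`: identical, a case
    change, a reversal, or the same memorable core with a different suffix."""
    if old == new or old.lower() == new.lower() or new == old[::-1]:
        return True
    core_old, core_new = memorable_core(old), memorable_core(new)
    return bool(core_old) and core_old == core_new


def trivial_rotation_rate(history: list[str]) -> float:
    """Fraction of consecutive rotations in `history` that were trivial.
    A high value means the change regime is producing little real entropy."""
    pairs = list(zip(history, history[1:]))
    if not pairs:
        return 0.0
    trivial = sum(is_trivial_rotation(old, new) for old, new in pairs)
    return trivial / len(pairs)


# Constructed example history for one user under a 90-day change regime.
SAMPLE_HISTORY = [
    "Summer2023!",   # initial password
    "Summer2024!",   # rotation 1: digits bumped
    "Summer2025!",   # rotation 2: digits bumped again
    "summer2025!",   # rotation 3: only the case changed
    "Winter2025!",   # rotation 4: a genuinely different core
]

if __name__ == "__main__":
    rate = trivial_rotation_rate(SAMPLE_HISTORY)
    print(f"{rate:.0%} of rotations were predictable variants")
```

A check like `is_trivial_rotation` run at password-change time shows where a rotation policy is merely generating paperwork, which is the user-centred evidence needed to replace it with a mechanism that does not force the memory-versus-security trade-off.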
However, transferring the responsibility away from users and back onto governments is not the solution. The regulation of the cyber domain is difficult; therefore all elements of the cyber security chain, from government down to users, including cyber security departments and manufacturers, should work equally towards combating cyber security errors, with blame placed outside of the equation and focus placed on defence mechanisms and the faceless cybercriminal.
This model will create a more effective security system by placing users at the centre of design, engender a greater understanding in society that it is harder to defend against a cyber attack than to conduct one, and encourage greater information sharing in the event of a cyber attack to help allocate relevant resources to prevent future attacks.