Social and Behavioural Science in Cyber Security Research
Together with some colleagues from the Cyber Security group, we attended last week the “Social and Behavioural Science for Cyber Security” conference at Roke Manor Research in Romsey. The event was organised by the University of Portsmouth and Bournemouth and supported by the NSCS Research Institute in Science of Cyber Security (RISCS) and the Centre for Research and Evidence on Security Threats (CREST).
The conference gathered both industry experts and academic researchers discussing real-world cyber security problems.
It emerged clearly that the role and impact of social and behavioural science in cyber security is tremendous, yet to be actually exploited.
Just to mention a few: acceptability (hence effectiveness) of cyber controls; social and cultural background of cyber-attack victims; awareness on cyber security and development of cyber hygiene practices.
Nowadays all humans are part of the cyber-space. In its essence, the cyber-space is a unique, unbounded blend of IT elements (both software and hardware) and humans, the largest and most difficult part to handle.
We could say that without humans, cyber security would be easy!
(Well, not really, but at least we could limit our challenges to physical, math and computer science laws 😄)
The day started with a keynote looking at how cyber security is now everywhere, spanning from the physical and virtual worlds and most of all including the cognitive world. This was greatly summarised in this slide (sorry for the poor photo quality).
Once you start working in cyber security, you cannot avoid to cut across social and behavioural science. Intuitively, it appears to me that as research does not create impact if it is not properly shared (both dissemination and exploitation); cyber security cannot progress if humans, the main actors in the game, are not aboard. They must be in the position to understand the threats and embrace changes. This message was strengthened by a great Dstl keynote in the afternoon. Creation of new security policies and plans is not enough if we do not consider their practical adoption consequences and routes.
Throughout the rest of the day, PhD students and researchers presented a variety of real-world use cases. Below I tried to group some overall topics among those discussed.
The role of security policies in SME and development activities.
Cyber controls like Cyber essentials and 10 Step to Cyber Security have been proven effective in practice for the protection against cyber-attacks. However, the adoption of such and similar security policies is facing daunting challenges as the level of awareness on cyber security risks is still too low. Activities like awareness and training campaigns must consider social aspects. From SME to software developers, the risks caused by loose security policies should be better explained.
A quite recent great example was pointed out. Do you remember the ‘incidental’ alert in Hawaii?
The authorities remarked that the incident had happened due to a human fault during a shift change. The authorities reassured that all security policies would have been applied and any similar incident would ever happen again. Jointly with these statements the following photo was released…nothing else to add!
Raising awareness of IoT cyber security.
Risk is perceived differently by individuals. The never-ending race to buy new “smart” devices to show off is broadening the risk faced by consumers. IoT vulnerabilities are well-known, yet looking at market trends consumers are still buying new devices without paying particular attention to their cyber security. Multiple proposals to introduce security labelling solutions for IoT were presented, somehow reminiscence of Energy Consumption classes for appliances and EuroNCAP stars for cars. Despite the variety of proposals presented, I personally still doubt their effectiveness in practice.
Would a consumer buy a more expensive IoT product due to higher security guarantees?
It boils down to: what is security for a consumer? And most of all: where is the incentive for buying ‘security’?
Most (maybe all?) consumers are driven by selfish interests: when you buy an A+++ energy class appliance you will recover (over time) the initial price difference in your energy bills. Could we have the same ‘incentive mechanism; for IoT security?
Answering to this question will create a key driver for raising awareness about IoT security within consumers.
The concluding panel
The day finished with a panel that drew on the talks and brought together needs and objectives from government, academia and industry. Much still to be done and all of us should be engaged in these activities.
Some final thoughts
Coming from a technical/mathematical computer science background, I am addressing cyber security from a more technical angle rather than a social one. The conference was a great opportunity to get more acquainted with the social and behavioural science.
Being part of the Cyber Security Academy and working closely, at the same time, with PhD students and industries has allowed me in the last years to address various multi-disciplinary challenges, e.g. consent tracking in medical data, privacy regulation compliance, cyber awareness campaign and cyber gamification. However, I have overlooked the role of social and behavioural science and the significant impact it could have in practice.