PI: Professor Shujun Li, University of Kent
Researchers and practitioners have acknowledged human-related risks as among the most important factors in cybersecurity, e.g. an IBM report (2014) shows that over 95% of security incidents involved “human errors”. Responses to human-related cyber risks remain undermined by a conceptual problem: the mindset associated with the term ‘cyber’-crime, which has persuaded us that crimes with a cyber-dimension occur purely within a (non-physical) ‘cyber’ space, and that these constitute wholly new forms of offending, divorced from the human/social components of traditional (physical) crime landscapes. In this context, the unprecedented linking of individuals and technologies into global social-physical networks – hyperconnection – has generated exponential complexity and unpredictability of vulnerabilities.
In addition to hyperconnectivity, the dynamic, evolving nature of cyber systems is equally important. Cyber systems change far faster than biological/material cultures, and criminal behaviour and techniques evolve in relation to the changing nature of opportunities centring on target assets, tools and weapons, routine activities, business models, etc. Studying networks and relationships between individuals, businesses and organisations in a hyperconnected environment requires an understanding of communities and the broader ecosystems. This complex, non-linear process can lead to co-evolution in the medium to longer term.
The focus on cybersecurity as a dynamic interaction between humans and socio-technical elements within a risk ecosystem raises implementation issues, e.g. how to mobilise diverse players to support security. Conventionally these issues are considered under ‘raising awareness’, and many initiatives have been rolled out. However, activities targeting society as a whole have limitations, e.g. the lack of personalisation, which makes them less effective in influencing human behaviours.
While there is isolated research across these areas, there is no holistic framework combining all these theoretical concepts (co-evolution, opportunity management, behavioural and business models, ad hoc technological research on cyber risks and cybercrime) to allow a more comprehensive understanding of human-related risks within cybersecurity ecosystems and to design more effective approaches for engaging individuals and organisations to reduce such risks.
The project’s overall aim is therefore to develop a framework through which we can analyse the behavioural co-evolution of cybersecurity/cybercrime ecosystems and effectively influence behaviours of a range of actors in the ecosystems in order to reduce human-related risks. To achieve the project’s overall aim, this research will:
(1) Be theory-informed: Incorporate theoretical concepts from social, evolutionary and behavioural sciences which provide insights into the co-evolutionary aspect of cybersecurity/cybercrime ecosystems.
(2) Be evidence-based: Draw on extensive real-world data from different sources on behaviours of individuals and organisations within cybersecurity/cybercrime ecosystems.
(3) Be user-centric: Develop a framework that can provide practical guidance to system designers on how to engage individual end users and organisations for reducing human-related cyber risks.
(4) Be real world-facing: Conduct user studies in real-world use cases to validate the framework’s effectiveness.
The new framework and solutions it identifies will contribute towards enhanced safety online for many different kinds of users, whether these are from government, industry, the research community or the general public.
This project will involve a group of researchers working in 5 academic disciplines (Computer Science, Crime Science, Business, Engineering, Behavioural Science) at 4 UK research institutes, and be supported by an Advisory Board with 12 international/UK researchers and a Stakeholder Group formed by 12 non-academic partners (including LEAs, NGOs and industry).