Part of Adam Joinson’s work focuses on what “cyber security” actually means to both lay people and experts. A professor of information systems at the University of Bath, Joinson’s newest project is cSALSA: Cyber Security Across the Life Span. Launched in April 2017, the three-year project has a long list of partners, primarily behavioural and cognitive psychologists, plus one computer scientist. Among the project’s partners are Pam Briggs (Northumbria University); Debi Ashenden (University of Portsmouth and the Centre for Research and Evidence on Security Threats); Darren Lawrence (Cranfield University); and researchers at Pacific Northwestern Labs, Carleton University, BAe Systems, and others.
The goal of the project is to take a lifespan approach to understanding how cyber security is understood and how that relates to risk and behaviour. There are many reasons for pursuing this approach. First, prior work supports the idea that there are unique security challenges at different life stages. Briggs’s early work suggests a U-shaped curve of vulnerability, in which the oldest and youngest are most vulnerable to particular types of threats. Many other changes also occur during a lifetime: the resources people have to draw on change as family, friends, work colleagues, and the power structures within these relationships shift over time. Power structures in particular can be quite important; the 21st century has seen the rise of the teen guru who knows the passwords for the family router. In addition, goals change throughout life as people aspire to and then achieve independence, stability, family, and security. These changing states also play a part in determining how individuals interact with technology products.
So, the cSALSA project seeks to study questions such as how these factors intertwine and interact and determine individuals’ responses. What protective steps do they take to understand risk? How do individuals deal with large-scale social and technological change? Age is not the only factor; cohort is also significant in determining an individual’s social networks, families, cognitive ability, technical understanding, and skills. Individuals also vary according to the vulnerabilities that are available for attackers to exploit.
The model the researchers are developing to be shared among all the partners draws on approaches used for diseases to express individuals’ varying levels of exposure, which help to determine how they respond: whether they avoid thinking about it, seek as much information as they can find about it, or adapt to the changing situation. Each of these responses leads to a different outcome.
There are three main strands the project seeks to pull together over the course of its three years. One, define cyber security in everyday language; two, develop the results of year one into a dictionary for testing how different groups of people talk about cyber security; and three, create metrics from a series of interactions to study how to measure risk in cyber security tools, using the understanding gained from the first two years.
Currently, the researchers are working on definitions. Classical definitions pose the problem of having sharp boundaries. They define elements that are necessary and sufficient; then everything that has those elements fits in the definition, and everything that lacks one or more of those elements is excluded.
But “cyber security” may include myriad vastly different phenomena: hacktivism, cyber crime, cyber terrorism, and cyber warfare all fit within that one term. In addition, risk, by its nature, is fuzzy: we speak of degrees of risk, just as we speak of degrees of security or protection. Fuzzier definitions and, especially, fuzzier boundaries are needed to capture this. Cognitive psychologists have prototype-based approaches that attempt to capture the degree to which something is or is not included. In this approach, exemplars are found for a superordinate category, some of which may be better than others – we might see a robin as a better exemplar of the superordinate “bird” than a penguin. For cyber security, exemplars might be information protection, with an opposing example of identity fraud or loss of bank card details.
Among the possible applications of this work are contributions to theory creating links between security and privacy; the development of a dictionary that can be used to analyse discussions; improvements to the design of awareness and training materials; improvements to the design of security products and features; and the development of workplace metrics and measures.
Readers who would like to help are invited to complete the survey. Both experts and laypeople are welcome to participate.
In answer to questions, Joinson noted that a reason for seeking partners in the US and Canada was to capture some of the fundamental cultural differences; the model does take into account the fact that cohorts differ. Social changes such as working longer may also have their effects on individuals and change the microsystems they rely on.