Terry Bossomaier - Human Dimensions of Cybersecurity

CRC Press

Taylor & Francis Group

6000 Broken Sound Parkway NW, Suite 300

Boca Raton, FL 33487-2742

2020 by Taylor & Francis Group, LLC

CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

International Standard Book Number-13: 978-1-138-59040-3 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data

Names: Bossomaier, Terry R. J. (Terry Richard John), author. |

DAlessandro, Steven, author. | Bradbury, R. H. (Roger H.), author.

Title: Human dimensions of cybersecurity / by Terry Bossomaier, Steven

DAlessandro, Roger Bradbury.

Description: Boca Raton : CRC Press, [2020] | Includes bibliographical

references and index. | Summary: The book identifies the technological

features that give rise to security issues. It describes the structure

of the Internet and how it is compromised by malware, and examines some

of the more common security issues. It then looks at aspects of human

persuasion and consumer choice, and how these affect cyber security. It

argues that social networks and the related norms play a key role as

does government policy, as each impact on individual behavior of

computer use. The book identifies the most important human and social

factors that affect cybersecurity. It illustrates each factor using case

studies, and examines possible solutions from both technical and human

acceptability viewpoints Provided by publisher.

Identifiers: LCCN 2019038924 (print) | LCCN 2019038925 (ebook) |

ISBN 9781138590403 (hardback) | ISBN (ebook)

Subjects: LCSH: Computer securityCase studies. | Computer

securitySocial aspects. | Computer networksSecurity measures. |

Data protection. | Computer securityGovernment policy.

Classification: LCC QA76.9.A25 B6395 2020 (print) | LCC QA76.9.A25

(ebook) | DDC 005.8dc23

LC record available at https://lccn.loc.gov/2019038924

LC ebook record available at https://lccn.loc.gov/2019038925

Visit the Taylor & Francis Web site at

http://www.taylorandfrancis.com

and the CRC Press Web site at

http://www.crcpress.com

Professor Paul Cornish
Visiting Professor, LSE IDEAS, London School of Economics
Editor, The Oxford Handbook to Cyber Security (Oxford University Press,
forthcoming 2020)
Associate Director, Global Cyber Security Capacity Centre, University of
Oxford (201318)

Cybersecurity has several dimensions and characteristics. The first, the most obvious and the most important of these, is that cybersecurity is concerned with an environment that is not natural, but man-made. In other words, this environment, which we know as cyberspace, is an artifact, defined in the Concise Oxford Dictionary as a product of human art and workmanship. For all its technological sophistication, which many of us can scarcely comprehend, cyberspace is essentially human. Cyberspace was invented, developed, and is validated by human beings: by men and women who devised ways to encode and decode and encrypt and decrypt vast amounts of information at extraordinary speed; by people who could design and build a global digital communication infrastructure; by experts who can maintain cyberspace as a system of networks and processes and who constantly find ways to improve and develop that system; and by the ever-increasing proportion of humanity who use cyberspace in many aspects of our daily life. And we should not forget that there are also more than enough people devoting substantial time and resources to subvert this system for various malign reasons. Another distinctive feature of cybersecurity is that it is a discussion that never stands still; it evolves very rapidly, while our ideas about the proper governance, management, security, and safety of cyberspace often seem to move at a glacially slow pace at best. But whenever the technology seems just too bewildering, the pace of change just too uncomfortable, and our security just a little too precarious, it is vital that we remember the importance of our own, human agency (both constructive and destructive). Unlike the natural environments of land, sea, air, and outer space, cyberspace is our own work in progress; humans are in charge and, for the time being at least, we make the decisions.

Cybersecurity is concerned with the avoidance, management, and mitigation of riskthe risk of harm and damage that might occur as the result of everything, from individual carelessness to organized criminality, to industrial and national security espionage and, at the extreme end of the scale, to disabling attacks against a countrys critical national infrastructure. But as any university lecture on international and national security would point out, the pursuit of security from financial loss, physical damage, etc., should not be seen as an end in itself. Security must also be for something; more than simply the avoidance of risk, security is also the maximization of benefit. This important point is often explained by analogy: we lock our front door to protect our house, ourselves, and our property from thieves and predators. But we dont do this because we see ourselves as an arm of law enforcement: we do so in order that we can enjoy what we have, live as we choose and grow as we need. Securityincluding cybersecurityis protective, but it is also liberating and enabling. This applies at every levelindividually, nationally, and globally. The central purpose of cyber-security could not therefore be clearer or more positiveand, again, it could hardly be more human.

Finally, it is because cyberspace is technologically sophisticated, because it reaches into everything that we do, and because it affects individual freedom, quality of life, and fulfilment that we need a rounded, inclusive approach to our understanding and management of it. Just as Georges Clemenceau once quipped that war is too important to be left to military men, so we might say, rather dismissively perhaps, that cyberspace is too important to be left to computer scientists. But what Clemenceau probably meant was that generals were a necessary yet not sufficient component of any reasonable and useful discussion of war and all that it entails. Something similar can be said of cybersecurity. It would be just as absurd for nonscientific users of cyberspace (i.e., most of humanity) to ignore the science of cyberspace (perhaps on the grounds that its too difficult to understand or moves too fast) as it would be for computer scientists, mathematicians, and physicists to insist that the social sciences (such as politics, sociology, economics, psychology, and development studies) have nothing useful to say about cyberspace and generate questions that are little more than derivative.