This project involves a group of researchers working in five academic disciplines (Computer Science, Crime Science, Business, Engineering, Behavioural Science) at six UK research institutes (University of Kent, University of Surrey, UCL, University of Warwick, University of Birmingham, and TRL Ltd). It has an overall budget of £1.1m, with 80% (£881k) funding from the Engineering and Physical Sciences Research Council (EPSRC). It is part of Phase 2 of RISCS (Research Institute in Science of Cyber Security). It started in April 2017 and will last for 24 months (with potential extension due to late start of main RAs). For more technical details, see its Research page.
Researchers and practitioners have acknowledged human-related risks among the most important factors in cybersecurity, e.g. an IBM report (2014) shows that over 95% of security incidents involved "human errors". Responses to human-related cyber risks remain undermined by a conceptual problem: the mindset associated with the term 'cyber'-crime which has persuaded us that that crimes with a cyber-dimension occur purely within a (non-physical) ‘cyber’ space, and that these constitute wholly new forms of offending, divorced from the human/social components of traditional (physical) crime landscapes. In this context, the unprecedented linking of individuals and technologies into global social-physical networks – hyperconnection – has generated exponential complexity and unpredictability of vulnerabilities.
In addition to hyperconnectivity, the dynamic evolving nature of cyber systems is equally important. Cyber systems change far faster than biological/material cultures, and criminal behaviour and techniques evolve in relation to the changing nature of opportunities centring on target assets, tools and weapons, routine activities, business models, etc. Studying networks and relationships between individuals, businesses and organisations in a hyperconnected environment requires understanding of communities and the broader ecosystems. This complex, non-linear process can lead to co-evolution in the medium to longer term.
The focus on cybersecurity as a dynamic interaction between humans and socio-technic elements within a risk ecosystem raises implementation issues, e.g. how to mobilise diverse players to support security. Conventionally they are considered under 'raising awareness', and many initiatives have been rolled out. However, activities targeting society as a whole have limitations, e.g. the lack of personalisation, which makes them less effective in influencing human behaviours.
While there is isolated research across these areas, there is no holistic framework combining all these theoretical concepts (co-evolution, opportunity management, behavioural and business models, ad hoc technological research on cyber risks and cybercrime) to allow for a more comprehensive understanding of human-related risks within cybersecurity ecosystems and to design more effective approaches for engaging individuals and organisations to reduce such risks.
The project's overall aim is therefore to develop a framework through which we can analyse the behavioural co-evolution of cybersecurity/cybercrime ecosystems and effectively influence behaviours of a range of actors in the ecosystems in order to reduce human-related risks. To achieve the project’s overall aim, this research will:
Be theory-informed: Incorporate theoretical concepts from social, evolutionary and behavioural sciences which provide insights into the co-evolutionary aspect of cybersecurity/cybercrime ecosystems.
Be evidence-based: Draw on extensive real-world data from different sources on behaviours of individuals and organisations within cybersecurity/cybercrime ecosystems.
Be user-centric: Develop a framework that can provide practical guidance to system designers on how to engage individual end users and organisations for reducing human-related cyber risks.
Be real world-facing: Conduct user studies in real-world use cases to validate the framework’s effectiveness.
The new framework and solutions it identifies will contribute towards enhanced safety online for many different kinds of users, whether from government, industry, the research community or the general public.
Project website: https://accept.cyber.kent.ac.uk/