Conference: International Workshop on Socio-Technical Aspects in Security

Refining the Blunt Instruments of Cybersecurity: A Framework to Coordinate Prevention and Preservation of Behaviours


Abstract

Background. Cybersecurity controls are deployed to manage risks posed by malicious behaviours or systems. What is not often considered or articulated is how cybersecurity controls may impact legitimate users (often those whose use of a managed system needs to be protected, and preserved). This oversight characterises the 'blunt' nature of many cybersecurity controls. Aim. Here we present a framework produced from a synthesis of methods from cybercrime opportunity reduction and behaviour change, and a consideration of existing risk management guidelines. Method. We illustrate the framework and its principles with a range of examples and a potential application focusing on online abuse and social media controls, relating in turn to issues inherent in cyberbullying and tech-abuse. Results. The framework describes a capacity to improve the precision of cybersecurity controls by examining shared determinants of negative and positive behaviours in a system. This identifies opportunities for risk owners to better protect legitimate users while simultaneously acting to prevent malicious activity in a managed system. Conclusions. We describe capabilities for a novel approach to managing sociotechnical cyber-risk which can be integrated into typical risk management processes. This includes consideration of user activities as a system asset to protect, and a consideration of how to engage with other stakeholders to identify behaviours to preserve in a system.
