Reconfiguring Citizen Participation in Cybersecurity

Lead Research Organisation: University of Oxford
Department Name: Oxford Internet Institute

Abstract

What threats count in cybersecurity? As a field, cybersecurity can seem obscure and daunting to outsiders, a domain for hackers, cyber-warriors and technical experts, who are more often than not male. Yet, everyone is exposed to potentially vulnerable technology. This research project pioneers a model of citizen participation in cybersecurity both to empower citizens in relation to their own cybersecurity practices and advance the field of cybersecurity by incorporating their perspectives and personal experiences.

Feminist theorists have challenged binaries of personal/political violence in conventional security studies, arguing these ignore or diminish the threat of gender-based violence and threats to women's security. Unfortunately, the field of cybersecurity has not incorporated these insights on the relationship between the personal and the political and therefore risks omitting many forms of technological abuse from the "threat models" that shape where researchers investigate challenges to security. Threat modelling procedures in cybersecurity often rely on experts to identify vulnerabilities and potential attackers. Despite being presented as abstract and impartial, this process often reflects assumptions about the causes of insecurity among elite technology users. For example, our pilot research conducted between the Oxford Internet Institute (OII) and UCL Department of Science, Technology, Engineering and Public Policy (STEaPP) found that intimate threats are ignored in the security analyses and the design of smart home devises, which focus instead on threats like hackers or burglars (Slupska 2019). Emerging Internet of Things and smart home devices can leave people vulnerable to new classes threats from their domestic partners (Leitão 2019; Tanczer et al. 2018).

By inviting citizens to participate in defining both what makes them feel threatened online, and how they could feel empowered to counter those threats, this project will humanise cybersecurity methods and create new opportunities for citizens to engage with shaping the research questions that they think should matter within cybersecurity. This project will do this by running eight co-design workshops on citizen cybersecurity. Each workshop will reconfigure assumptions about technical expertise by providing free digital security training to empower citizens to reflect on their own practices and to surface new types of threats to contribute to cybersecurity knowledge. Facilitators will also lead opt-in group discussions and focus groups on the relationships between personal experience and cybersecurity knowledge. Our objectives are to improve existing practices through reflective discussion, promote citizens' active involvement in their own cybersecurity, and solicit input for shaping and refining the directions of the academic field. The workshops will be free and open to all and will be hosted in conjunction with community organisations in the Oxford, London and Paris metro areas. Each participant will leave the workshop with practical advice on how to improve their cybersecurity practices. Participants will also have the opportunity to voluntarily contribute their observations, experiences, and stories with researchers in an open and safe environment to contribute to research. We will also elicit volunteers for coding and analysing data, and work to develop how we might use workshop participants to train others.

This project will bring together partners in the Oxford Internet Institute; the Centre for Doctoral Training in Cybersecurity at the University of Oxford; the Gender and IoT project at the UCL Science, Technology and Public Policy Department; Power Play, a feminist activist theatre company, and Darktrace, a cyber-defence company. We will also work with community groups in Oxford, London and Paris in hosting and publicising each workshop and recruiting potential participants.

Technical Summary

The project will run 8 citizen cybersecurity workshops to expand the methods and inputs for threat modelling and to co-design future research questions for cybersecurity. The goal is to integrate feminist methods of knowledge creation, design justice principles that support citizen participation in technology design and existing cybersecurity methods.

Citizen science and participatory research share many traits. Following the Design Justice Network Principles (Anon 2019), we will centre people who are normally marginalized by design and use collaborative, creative practices to address cybersecurity challenges. Participatory security design avoids the assumption that security of the individual will follow from technical security and ensures that actors who may ordinarily be marginalized have their perspectives taken into account (Heath, Hall, and Coles-Kemp 2018). It incorporates 'situated knowledge' (Haraway 1988) so that information security can be studied as it is practiced in everyday life. This project will build on these efforts by reconfiguring participants from passive consumers of cybersecurity to citizen scientists encouraged to consider whether cybersecurity guidelines and practices are feasible, empowering, and relevant to the threats they face in their everyday lives and produce observations on their own engagement with cybersecurity.

The workshops consist of a free and open cybersecurity training facilitated by the PI, the RAs and the industry partner. Their participation will evolve over the session from comments to reflections on the state of the discipline, and optional follow-up interviews will provide the inputs for reconfiguring threat models and research questions in cybersecurity. We will use a modified grounded theory approach analysing the concepts and practices of threat models, vulnerability, and usability that emerge.

Planned Impact

In keeping with Design Justice principles, participants should leave the sessions with a better grasp of cybersecurity as concept and practice and empowered to reflect on and participate in cybersecurity research and practice. They should have a clear idea of what they can improve in their own cybersecurity, and feel more empowered to do so. We will evaluate this impact through an active feedback loop during and after each workshop, with opportunities for participants to share their thoughts and comments in questionnaires and interviews. This project will seek to maximise the impact on participants' personal development and self-empowerment, thus improving their quality of life.

Within a broader scope, this research aims to improve the effectiveness of knowledge gathering and policy-making related to cybersecurity. There are countless examples of experiments and research whose exclusion of citizens, including women and minority groups, is reflected in both design choices and policy decisions. By introducing a more inclusive methodology, inviting non-hierarchical contributions and underlining the personal experiences and positionalities of individuals, the knowledge we create can be made more representative, and resulting in technology design and policy decisions that are more effective and accessible to all. Ultimately, project outcomes may uncover new questions for future research, new threat models to incorporate into cybersecurity design and new considerations of for cybersecurity policy and technology regulation. These outcomes will be achieved and measured through working with the Citizen Science Exploration programme's evaluation team and by the research team through our internal evaluation process in the final project report on the project's methods, findings, and self-evaluation, which we will share with workshop participants and people in academia, industry, and policy. We will also develop a "train the trainers" workshop and materials for other researchers to use and disseminate this at a relevant international conference. We have included funding for sending PI Julia Slupska to the April 2020 ACM Conference on Human Factors in Computing (CHI) to present this as a 'late-breaking' work or in the 'Alt.CHI' conference.

Drawn from practice theory, feminist theory, critical design, and participatory and action research methods, our approach may provide a model for other researchers to emulate in creating citizen science projects for technology research. We fully anticipate working with UKRI Public Engagement to identify best practices and lessons learned to improve citizen science in the UK. This project will also directly inform PI Slupska's further research on feminist cybersecurity.

Finally, the impacts of this project could extend to the cybersecurity industry, and therefore the economy at large. According to the Global Cybersecurity Index, the UK ranks first internationally for its commitment to cybersecurity. This is reflected in the national market: at $5 billion, the UK cybersecurity industry is valued as the biggest in Europe, and one of the fastest growing in the world. It is predicted that by 2021 there will be 3.5 million unfilled cybersecurity positions, and yet many people are still excluded from this growing workforce. We propose that projects such as this one have the potential to encourage people who might not have otherwise seen themselves in technically-oriented industries and roles like cybersecurity. By challenging assumptions about what a cybersecurity expert looks like, we may also achieve positive impacts on recruitment and retention within the industry, by creating one pathway for people who may not fit traditional backgrounds in the field.

Publications

10 25 50