Reconfiguring Citizen Participation in Cybersecurity
Lead Research Organisation:
University of Oxford
Department Name: Oxford Internet Institute
Abstract
What threats count in cybersecurity? As a field, cybersecurity can seem obscure and daunting to outsiders, a domain for hackers, cyber-warriors and technical experts, who are more often than not male. Yet, everyone is exposed to potentially vulnerable technology. This research project pioneers a model of citizen participation in cybersecurity both to empower citizens in relation to their own cybersecurity practices and advance the field of cybersecurity by incorporating their perspectives and personal experiences.
Feminist theorists have challenged binaries of personal/political violence in conventional security studies, arguing these ignore or diminish the threat of gender-based violence and threats to women's security. Unfortunately, the field of cybersecurity has not incorporated these insights on the relationship between the personal and the political and therefore risks omitting many forms of technological abuse from the "threat models" that shape where researchers investigate challenges to security. Threat modelling procedures in cybersecurity often rely on experts to identify vulnerabilities and potential attackers. Despite being presented as abstract and impartial, this process often reflects assumptions about the causes of insecurity among elite technology users. For example, our pilot research conducted between the Oxford Internet Institute (OII) and UCL Department of Science, Technology, Engineering and Public Policy (STEaPP) found that intimate threats are ignored in the security analyses and the design of smart home devises, which focus instead on threats like hackers or burglars (Slupska 2019). Emerging Internet of Things and smart home devices can leave people vulnerable to new classes threats from their domestic partners (Leitão 2019; Tanczer et al. 2018).
By inviting citizens to participate in defining both what makes them feel threatened online, and how they could feel empowered to counter those threats, this project will humanise cybersecurity methods and create new opportunities for citizens to engage with shaping the research questions that they think should matter within cybersecurity. This project will do this by running eight co-design workshops on citizen cybersecurity. Each workshop will reconfigure assumptions about technical expertise by providing free digital security training to empower citizens to reflect on their own practices and to surface new types of threats to contribute to cybersecurity knowledge. Facilitators will also lead opt-in group discussions and focus groups on the relationships between personal experience and cybersecurity knowledge. Our objectives are to improve existing practices through reflective discussion, promote citizens' active involvement in their own cybersecurity, and solicit input for shaping and refining the directions of the academic field. The workshops will be free and open to all and will be hosted in conjunction with community organisations in the Oxford, London and Paris metro areas. Each participant will leave the workshop with practical advice on how to improve their cybersecurity practices. Participants will also have the opportunity to voluntarily contribute their observations, experiences, and stories with researchers in an open and safe environment to contribute to research. We will also elicit volunteers for coding and analysing data, and work to develop how we might use workshop participants to train others.
This project will bring together partners in the Oxford Internet Institute; the Centre for Doctoral Training in Cybersecurity at the University of Oxford; the Gender and IoT project at the UCL Science, Technology and Public Policy Department; Power Play, a feminist activist theatre company, and Darktrace, a cyber-defence company. We will also work with community groups in Oxford, London and Paris in hosting and publicising each workshop and recruiting potential participants.
Feminist theorists have challenged binaries of personal/political violence in conventional security studies, arguing these ignore or diminish the threat of gender-based violence and threats to women's security. Unfortunately, the field of cybersecurity has not incorporated these insights on the relationship between the personal and the political and therefore risks omitting many forms of technological abuse from the "threat models" that shape where researchers investigate challenges to security. Threat modelling procedures in cybersecurity often rely on experts to identify vulnerabilities and potential attackers. Despite being presented as abstract and impartial, this process often reflects assumptions about the causes of insecurity among elite technology users. For example, our pilot research conducted between the Oxford Internet Institute (OII) and UCL Department of Science, Technology, Engineering and Public Policy (STEaPP) found that intimate threats are ignored in the security analyses and the design of smart home devises, which focus instead on threats like hackers or burglars (Slupska 2019). Emerging Internet of Things and smart home devices can leave people vulnerable to new classes threats from their domestic partners (Leitão 2019; Tanczer et al. 2018).
By inviting citizens to participate in defining both what makes them feel threatened online, and how they could feel empowered to counter those threats, this project will humanise cybersecurity methods and create new opportunities for citizens to engage with shaping the research questions that they think should matter within cybersecurity. This project will do this by running eight co-design workshops on citizen cybersecurity. Each workshop will reconfigure assumptions about technical expertise by providing free digital security training to empower citizens to reflect on their own practices and to surface new types of threats to contribute to cybersecurity knowledge. Facilitators will also lead opt-in group discussions and focus groups on the relationships between personal experience and cybersecurity knowledge. Our objectives are to improve existing practices through reflective discussion, promote citizens' active involvement in their own cybersecurity, and solicit input for shaping and refining the directions of the academic field. The workshops will be free and open to all and will be hosted in conjunction with community organisations in the Oxford, London and Paris metro areas. Each participant will leave the workshop with practical advice on how to improve their cybersecurity practices. Participants will also have the opportunity to voluntarily contribute their observations, experiences, and stories with researchers in an open and safe environment to contribute to research. We will also elicit volunteers for coding and analysing data, and work to develop how we might use workshop participants to train others.
This project will bring together partners in the Oxford Internet Institute; the Centre for Doctoral Training in Cybersecurity at the University of Oxford; the Gender and IoT project at the UCL Science, Technology and Public Policy Department; Power Play, a feminist activist theatre company, and Darktrace, a cyber-defence company. We will also work with community groups in Oxford, London and Paris in hosting and publicising each workshop and recruiting potential participants.
Technical Summary
The project will run 8 citizen cybersecurity workshops to expand the methods and inputs for threat modelling and to co-design future research questions for cybersecurity. The goal is to integrate feminist methods of knowledge creation, design justice principles that support citizen participation in technology design and existing cybersecurity methods.
Citizen science and participatory research share many traits. Following the Design Justice Network Principles (Anon 2019), we will centre people who are normally marginalized by design and use collaborative, creative practices to address cybersecurity challenges. Participatory security design avoids the assumption that security of the individual will follow from technical security and ensures that actors who may ordinarily be marginalized have their perspectives taken into account (Heath, Hall, and Coles-Kemp 2018). It incorporates 'situated knowledge' (Haraway 1988) so that information security can be studied as it is practiced in everyday life. This project will build on these efforts by reconfiguring participants from passive consumers of cybersecurity to citizen scientists encouraged to consider whether cybersecurity guidelines and practices are feasible, empowering, and relevant to the threats they face in their everyday lives and produce observations on their own engagement with cybersecurity.
The workshops consist of a free and open cybersecurity training facilitated by the PI, the RAs and the industry partner. Their participation will evolve over the session from comments to reflections on the state of the discipline, and optional follow-up interviews will provide the inputs for reconfiguring threat models and research questions in cybersecurity. We will use a modified grounded theory approach analysing the concepts and practices of threat models, vulnerability, and usability that emerge.
Citizen science and participatory research share many traits. Following the Design Justice Network Principles (Anon 2019), we will centre people who are normally marginalized by design and use collaborative, creative practices to address cybersecurity challenges. Participatory security design avoids the assumption that security of the individual will follow from technical security and ensures that actors who may ordinarily be marginalized have their perspectives taken into account (Heath, Hall, and Coles-Kemp 2018). It incorporates 'situated knowledge' (Haraway 1988) so that information security can be studied as it is practiced in everyday life. This project will build on these efforts by reconfiguring participants from passive consumers of cybersecurity to citizen scientists encouraged to consider whether cybersecurity guidelines and practices are feasible, empowering, and relevant to the threats they face in their everyday lives and produce observations on their own engagement with cybersecurity.
The workshops consist of a free and open cybersecurity training facilitated by the PI, the RAs and the industry partner. Their participation will evolve over the session from comments to reflections on the state of the discipline, and optional follow-up interviews will provide the inputs for reconfiguring threat models and research questions in cybersecurity. We will use a modified grounded theory approach analysing the concepts and practices of threat models, vulnerability, and usability that emerge.
Planned Impact
In keeping with Design Justice principles, participants should leave the sessions with a better grasp of cybersecurity as concept and practice and empowered to reflect on and participate in cybersecurity research and practice. They should have a clear idea of what they can improve in their own cybersecurity, and feel more empowered to do so. We will evaluate this impact through an active feedback loop during and after each workshop, with opportunities for participants to share their thoughts and comments in questionnaires and interviews. This project will seek to maximise the impact on participants' personal development and self-empowerment, thus improving their quality of life.
Within a broader scope, this research aims to improve the effectiveness of knowledge gathering and policy-making related to cybersecurity. There are countless examples of experiments and research whose exclusion of citizens, including women and minority groups, is reflected in both design choices and policy decisions. By introducing a more inclusive methodology, inviting non-hierarchical contributions and underlining the personal experiences and positionalities of individuals, the knowledge we create can be made more representative, and resulting in technology design and policy decisions that are more effective and accessible to all. Ultimately, project outcomes may uncover new questions for future research, new threat models to incorporate into cybersecurity design and new considerations of for cybersecurity policy and technology regulation. These outcomes will be achieved and measured through working with the Citizen Science Exploration programme's evaluation team and by the research team through our internal evaluation process in the final project report on the project's methods, findings, and self-evaluation, which we will share with workshop participants and people in academia, industry, and policy. We will also develop a "train the trainers" workshop and materials for other researchers to use and disseminate this at a relevant international conference. We have included funding for sending PI Julia Slupska to the April 2020 ACM Conference on Human Factors in Computing (CHI) to present this as a 'late-breaking' work or in the 'Alt.CHI' conference.
Drawn from practice theory, feminist theory, critical design, and participatory and action research methods, our approach may provide a model for other researchers to emulate in creating citizen science projects for technology research. We fully anticipate working with UKRI Public Engagement to identify best practices and lessons learned to improve citizen science in the UK. This project will also directly inform PI Slupska's further research on feminist cybersecurity.
Finally, the impacts of this project could extend to the cybersecurity industry, and therefore the economy at large. According to the Global Cybersecurity Index, the UK ranks first internationally for its commitment to cybersecurity. This is reflected in the national market: at $5 billion, the UK cybersecurity industry is valued as the biggest in Europe, and one of the fastest growing in the world. It is predicted that by 2021 there will be 3.5 million unfilled cybersecurity positions, and yet many people are still excluded from this growing workforce. We propose that projects such as this one have the potential to encourage people who might not have otherwise seen themselves in technically-oriented industries and roles like cybersecurity. By challenging assumptions about what a cybersecurity expert looks like, we may also achieve positive impacts on recruitment and retention within the industry, by creating one pathway for people who may not fit traditional backgrounds in the field.
Within a broader scope, this research aims to improve the effectiveness of knowledge gathering and policy-making related to cybersecurity. There are countless examples of experiments and research whose exclusion of citizens, including women and minority groups, is reflected in both design choices and policy decisions. By introducing a more inclusive methodology, inviting non-hierarchical contributions and underlining the personal experiences and positionalities of individuals, the knowledge we create can be made more representative, and resulting in technology design and policy decisions that are more effective and accessible to all. Ultimately, project outcomes may uncover new questions for future research, new threat models to incorporate into cybersecurity design and new considerations of for cybersecurity policy and technology regulation. These outcomes will be achieved and measured through working with the Citizen Science Exploration programme's evaluation team and by the research team through our internal evaluation process in the final project report on the project's methods, findings, and self-evaluation, which we will share with workshop participants and people in academia, industry, and policy. We will also develop a "train the trainers" workshop and materials for other researchers to use and disseminate this at a relevant international conference. We have included funding for sending PI Julia Slupska to the April 2020 ACM Conference on Human Factors in Computing (CHI) to present this as a 'late-breaking' work or in the 'Alt.CHI' conference.
Drawn from practice theory, feminist theory, critical design, and participatory and action research methods, our approach may provide a model for other researchers to emulate in creating citizen science projects for technology research. We fully anticipate working with UKRI Public Engagement to identify best practices and lessons learned to improve citizen science in the UK. This project will also directly inform PI Slupska's further research on feminist cybersecurity.
Finally, the impacts of this project could extend to the cybersecurity industry, and therefore the economy at large. According to the Global Cybersecurity Index, the UK ranks first internationally for its commitment to cybersecurity. This is reflected in the national market: at $5 billion, the UK cybersecurity industry is valued as the biggest in Europe, and one of the fastest growing in the world. It is predicted that by 2021 there will be 3.5 million unfilled cybersecurity positions, and yet many people are still excluded from this growing workforce. We propose that projects such as this one have the potential to encourage people who might not have otherwise seen themselves in technically-oriented industries and roles like cybersecurity. By challenging assumptions about what a cybersecurity expert looks like, we may also achieve positive impacts on recruitment and retention within the industry, by creating one pathway for people who may not fit traditional backgrounds in the field.
People |
ORCID iD |
| Julia Slupska (Principal Investigator) | |
| Gina Neff (Co-Investigator) |
Publications
J Slupska
(2021)
Reconfigure: Feminist Action Research in Cybersecurity
Julia Slupska
(2021)
Participatory Threat Modelling: Exploring Paths to Reconfigure Cybersecurity
| Description | 1. We hosted 8 community cybersecurity workshops and worked with 5 community organisations and partners to work with 90 participants in co-creating a research agenda for cybersecurity modelling while providing training to expand their personal information security skills. 2. Using participatory research methods, we found what matters in digital security for our participants who identified threats to their personal information that are missed from more traditional approaches to threat modelling. These include fears of information being used for social and public shame, being used by people who are close to them, being used in ways connected to feelings of powerlessness and lack of privilege, and being used in ways that exposes intimate information about their sexual identities or explicit information or images about them. 3. Creating spaces and methods that empower people in securing their information counters their feeling of avoidance. Our workshops avoided jargon and created supportive spaces where participants could collective work to overcome these barriers. 4. Common narratives about personal information security blames the 'victim'. Our participants demonstrated care and thoughtfulness in their own digital privacy practices and in that of their families and communities. 5. Citizen science based approaches in cybersecurity highlight the need to redress the gaps in how people's digital practices are shaped by privileges and oppressions in race, class, gender, sexualities, and education. Designing approaches with diverse communities means these experiences can help motivate people to take action to prevent the greater harms they may face because of these experiences and positions. 6. Communal approaches work in cybersecurity because people articulate their safety and actions in terms of how they affect others. Therefore, setting time aside to discuss online threats and mitigations with members of a community makes the work easier, more effective, and encourages people to take action. 7. Cybersecurity as a field takes a systematic approach to threats to companies and works to design systems-based solutions to manage risks. However, for individuals, the cybersecurity approach places the responsibilities on users to change their behavior. Our findings point to this enormous gap between the scale and type of solutions that people can expect from cybersecurity compared to companies or governments. 8. A citizen science approach to cybersecurity would centre people's concerns and experiences to design better ways to make people safer online. More and more robust ways are necessary to bring citizen science and diverse perspectives into cybersecurity. The following objectives were listed in our proposal along with how we met them. Design a way to help citizens draw on their own experiences and individual positionality to expand cybersecurity research in threat modelling and usable security design 1. A. Participants reported leaving sessions with a better grasp of cybersecurity as concept and practice 1. B. Created a transportable methodology for others to do this work in more communities. 1.C. Conducted three, end-of-project co-design workshops with 9 NGOs in the UK, Canada, and Serbia to help community and advocacy groups think about how they might reconfigure community-based information security approaches 1.D. Presented our methodology at 3 international conferences and workshops for other researchers. Pilot pathways for citizens to engage in shaping future research directions for cybersecurity 2. A. Cybersecurity research can gain by developing methods for participatory threat modelling, new citizen science approaches to expanding knowledge and new abusability testing methods that all seek to include more varied and diverse perspectives in cybersecurity research. 2. B. Created new partnerships that create links between research and advocacy around expanding ways for citizens to work with and through cybersecurity methods to address needs of personal information security. Publish report aimed at workshop participants, academia, industry, and government entities 3. A. Published public-facing report that was launched at an event attended by more than 60 people. Disseminated this report to 100 key stakeholders including policymakers, participants, researchers, and interested technology industry participants. Train other researchers in these methods through the creation of materials and running a workshop 4. A. We will present a workshop on these methods and approaches at the Data Justice Conference at Cardiff University in May 2021. We will also present a paper on the findings at the ACM Conference on Human Factors in Computing Systems ('CHI) 2021 conference in May. We also used project pilot and theory to present at the International Studies Association conference in 2020. |
| Exploitation Route | We expect findings to be taken forward by four distinct groups. First, the work from this pilot will continue by the research team and interviews and design research continues to extend the results of this project. Second, the NGOs and participants that we worked with in this project have been handed a set of tools, methods and practices for continuing the practical and applied work of this project in their communities. Third, our larger academic audience for the presentations, workshops, and papers that come from this work may take up these findings in the larger human computer interaction and cybersecurity fields. Fourth, we would hope that through this project we can have an impact on citizen science projects more broadly by sharing lessons learned about working with community partners and about working with communities with different relationships to power, privilege and experience. |
| Sectors | Communities and Social Services/Policy,Digital/Communication/Information Technologies (including Software),Security and Diplomacy |
| URL | https://www.oii.ox.ac.uk/videos/reconfigure-feminist-action-research-in-cybersecurity-report-launch/ |
| Description | Our research has had a broad impact in three main areas: (1) enabling participants (i.e., members of the general public), (2) building capacity among community partners and other third sector organisations, and (3) supporting policy change in online safety and cybersecurity. (1) Over 90 people attended Reconfigure workshops and developed their skills to improve their own cybersecurity practices and engage critically with the concept of cybersecurity. Participant feedback was overwhelmingly positive, with many saying the social, supportive spaces created in the workshops helped them overcome feelings of avoidance, intimidation and other barriers to engaging with cybersecurity. (2) Our workshops partnered with organisations including Victims of Image Crime and Extinction Rebellion Oxford (see partnerships section for full details). These workshops helped open up conversations on information security in many third sector and civil society organisations. Many participants said they would take skills like threat modelling back to their own organisations and activist groups. In addition, after the workshops were completed, we held three workshops to explore the findings and explore future research collaboration with organisations including Voice of Domestic Workers, Glitch UK, which focuses on online abuse, and Chayn, which focuses on gender-based violence. These discussions developed our collective expertise in applying cybersecurity methods to aid vulnerable populations and opened up several conversations about routes for future participatory research and collaboration. (3) Our research fed into policy impact. First, we submitted recommendations to the Law Commission's Review on Image-Based Sexual Abuse following our workshop with survivors of image-based sexual abuse. The Law Commission informed us this was a valuable resource for centring survivor voices in the Review. Our research has informed efforts to take a "gender-sensitive" approach to cybersecurity policy at the international level. Our pilot project developing "participatory threat modelling" was discussed at the United Nations Institute for Disarmament Research (UNIDIR) launch event for their report on "Gender Approaches to Cybersecurity: Design, Defence and Response". |
| First Year Of Impact | 2021 |
| Sector | Communities and Social Services/Policy,Digital/Communication/Information Technologies (including Software),Security and Diplomacy |
| Impact Types | Cultural,Societal,Policy & public services |
| Description | Extinction Rebellion Workshop |
| Organisation | Extinction Rebellion |
| Country | United Kingdom |
| Sector | Charity/Non Profit |
| PI Contribution | A Reconfigure workshop organised and run by our team, with a partial focus on cybersecurity applicable to activist requirements. During the workshop, a discussion group was held specially for members of XR. We managed the promotion and communications around the event, and provided free food and drinks for participants. |
| Collaborator Contribution | Extinction Rebellion Oxford promoted the event using their own channels. |
| Impact | One of our 8 workshops, the data of which supported our final research outcomes. |
| Start Year | 2020 |
| Description | People and Planet virtual workshop |
| Organisation | Planet |
| Country | Greece |
| Sector | Private |
| PI Contribution | A Reconfigure workshop organised and run by our team virtually, as part of the People and Planet 2020 Power Shift festival. We managed part of the promotion and communications around the event, and included a specific discussion question about cybersecurity in the context of activism. |
| Collaborator Contribution | People and Planet managed the technical side of the online workshop, and provided access to their network and communication channels for participant recruitment. |
| Impact | One of our 8 workshops, held virtually, also lead to recruitment for one on one interviews. |
| Start Year | 2020 |
| Description | Power Play Workshop |
| Organisation | Power Play Productions CIC |
| Country | United Kingdom |
| Sector | Charity/Non Profit |
| PI Contribution | A Reconfigure online workshop organised and run by our team, with a special focus on image-based abuse and aimed at survivors of image-based abuse. |
| Collaborator Contribution | Assistance with organising the workshop and recruiting participants. |
| Impact | One of our 8 workshops, the data of which supported our final research outcomes, as well as a special report written for and aimed at the UK Law Commission detailing findings from the workshop and recommending policy improvements to better support and protect victims of image-based crime. |
| Start Year | 2020 |
| Description | Royal Holloway Workshop |
| Organisation | Royal Holloway, University of London |
| Country | United Kingdom |
| Sector | Academic/University |
| PI Contribution | A Reconfigure workshop organised and run by our team. We managed the promotion and communications around the event. |
| Collaborator Contribution | This workshop was organised within the context of a student reading group. Our collaborators at Royal Holloway arranged for the location and logistics. |
| Impact | One of our 8 workshops, the data of which supported our final research outcomes. |
| Start Year | 2020 |
| Description | Public Report Launch |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Public/other audiences |
| Results and Impact | More than 60 people attended an online public launch of a public-facing report on the Reconfigure project and findings, including members of the research team and one of our community partners, which resulted in disseminating the online report to all attendees and made printed copies available to 30 of them and answered questions of a diverse audience with different interests. |
| Year(s) Of Engagement Activity | 2021 |
| URL | https://www.oii.ox.ac.uk/videos/reconfigure-feminist-action-research-in-cybersecurity-report-launch/ |