Cyber-Security across the Life Span (cSaLSA)

Lead Research Organisation: Northumbria University
Department Name: Fac of Health and Life Sciences

Abstract

Despite increased efforts to improve cyber-security for organisations and individuals, growing reports of breaches and attacks suggest that not only are we more vulnerable than ever, but also that there "is no obvious solution to the problem of cyber-security" (Garfinkel, 2012, p. 32). As technology has become embedded in virtually all aspects of everyday life, and more and more people are engaged in interactions with systems, it seems likely that the 'problem' of cyber-security will remain unsolved in the foreseeable future. While it has become accepted wisdom that cyber-security is a 'socio-technical' system, with both technical and human elements, making advances based on this understanding has proved difficult. In part this is due to the diversity of both people and the social contexts in which they live their lives, and the systems with which they interact. At the same time, the public discourse and guidance about cyber-security is confusing and often inappropriately targeted. For instance, the term 'cyber-security' can be used to encompass a wide range of attitudes, behaviours, technologies and threats ranging from authentication methods, SCADA systems, spear phishing and cyber-bullying, with interventions poorly targeted and overly technology-threat based. Crucially, however, the experience and understanding of the cyber-security problem is not the same for everyone and the cSALSA project seeks to address the fundamental challenge of how we can more fully understand a diverse range of cyber-security experiences, attitudes and behaviours in order to design better, more effective cyber-security services and educational materials.

In the cSALSA project, we take a lifespan approach to studying how cyber-security is understood, and the attitudes and behaviours of people to cyber-security and risk. The project will study cyber-security across three main life stages - amongst young people, those of working age, and older people. The research project will focus on how people's attitudes and behaviours towards cyber-security and risk change across the lifespan in sync with their goals and aspirations, cognitive abilities and knowledge and ability to control and adapt their cyber-security behaviour. Importantly, we recognize that neither cyber-security related behaviours nor life course development occur in a vacuum. Rather, they are part of a complex inter-play of individual characteristics, elements shared with others in a particular life stage, and the dynamic context in which the person finds themselves. These contexts include aspects of family life, organizational structures, cognitive capacity and knowledge, and social support networks.

We propose a three pronged approach to studying these three life stages: (1) research investigating how cyber-security is understood and framed in everyday language across the lifespan; (2) in-depth qualitative and quantitative work on cyber-security attitudes, knowledge and behaviour across our three points in life, with a specific focus on how the dynamics of people's lives influences how cyber-security is understood, risks appraised and talked about, and actions taken; and (3) specific work on metrics for cyber-security, and the development of new psychometrically validated measures of cyber-security perceptions and behaviours.
 
Description To date we have derived a dictionary of key cybersecurity terms which reflects those terms most commonly understood and used by teenagers, working age adults and older adults.
We have identified the communication channels for cybersecurity information that are most pressing for older adults. We have also established the ways that older adults communicate and receive information about cybersecurity and have identified potential issues for the ways that government and policymakers may wish to send out information targeted at older adults.
Exploitation Route Northumbria Police have an expressed an interest in an age-related glossary of security terms.
NCSC have expressed an interest in our communication findings.
We have talked to the Home Office in regard to communication and have also worked with NCSC to run two workshops for policymakers, one on communication and one on resilience.
Sectors Digital/Communication/Information Technologies (including Software),Education,Government, Democracy and Justice,Security and Diplomacy

 
Description The csalsa team made a response to the UK Gov Green paper on Internet Safety (Oct 2017) and have conducted a series of workshops in conjunction with U3A to improve older adult cybersecurity. The older adults work has led to a new project about empowering cyberguardians in the older adult community The csalsa team have conducted a number of workshops with policymakers on cyber resilience and on effective communication with the public. Csalsa work has been the topic of a Peepsec report to industry professionals.
First Year Of Impact 2018
Sector Digital/Communication/Information Technologies (including Software),Education
Impact Types Policy & public services

 
Description Citation in the UK Government Secure by Design consultation document
Geographic Reach National 
Policy Influence Type Citation in other policy documents
URL https://www.gov.uk/government/publications/secure-by-design/government-response-to-the-secure-by-des...
 
Description Response to the Internet Safety Strategy Green Paper
Geographic Reach National 
Policy Influence Type Participation in a national consultation
URL https://pactlab.gitlab.io/RF/greenpaper.htm
 
Description NCSC 
Organisation National Cyber Security Centre
Country United Kingdom 
Sector Public 
PI Contribution Joint workshop on cyber-resilience. Working on guidance collaboratively
Collaborator Contribution Hosting workshop at Nova South, invitation list, planning outputs
Impact Cyber Resilience Workshop (March 2020)
Start Year 2020
 
Description Research Institute for the Science of Cyber Security (RISCS) 
Organisation Research Institute in Science of Cyber Security
Country United Kingdom 
Sector Learned Society 
PI Contribution cSALSA project has joined the RISCS phase two institute - contributions include attending workshops and community meetings, presenting research at RISCS meeting and contributing to the RISCS website
Collaborator Contribution RISCS has provided access to cyber security professionals for research as part of WP1.
Impact n/a yet. Disciplines are computer science and psychology / behavioural science.
Start Year 2017
 
Description Contribution to All Party Parliamentary Group on Digital Identity 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Discussion in APPG on government priorities for digital identity management
Year(s) Of Engagement Activity 2017,2018
 
Description Cyber resilience workshop 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact "Citizen-Centred Cyber Resilience: Building Resilient Communities from the Ground up" co-hosted with NCSC at Nova South. This workshop brought together experts on cyber security and community resilience to discuss how to build cyber-resilient communities. We began by framing the issue and introducing the different perspectives-community resilience in contexts other than cyber security and cyber resilience. Following a lunch break, participants engaged in round-table discussions on what a cyber-resilient community would look like, how it can be achieved, and what needs to be considered. The discussions were followed by presentations on existing citizen-centred cybersecurity initiatives. Attendees were from industry, government and academia.
Year(s) Of Engagement Activity 2020
 
Description Half day workshop for government and industry on cyber communication 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Workshop held March 12th 2019 in London, organised by the EPSRC CyberSecurity Across the LifeSpan (cSALSA) project on the topic of 'Communicating Effectively about Cybersecurity Across the Lifespan'. The aim of the workshop is to introduce the work of the project teams on the cybersecurity challenges faced by different groups, and how that might lead to different approaches to communicating about cybersecurity threats and protective actions. The workshop will also include opportunities to work with cSALSA researchers and other policy / practitioner colleagues to share experiences on communicating effectively about cybersecurity, as well as a practitioner panel on the challenges of communicating about cybersecurity. The intended audience for the workshop is policy makers and practitioners who are involved in communicating about cybersecurity and designing interventions that target specific groups and/or behaviours or skills.
Year(s) Of Engagement Activity 2019
 
Description Home Office briefing 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Presentation to Home Office cybercrime unit on CSALSA work
Year(s) Of Engagement Activity 2019
 
Description MACG 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Presentation on CSALSA work to the Mult-Agency Commissioning Group at City of London Police (the group run national cybersecurity awareness campaigns)
Year(s) Of Engagement Activity 2019
 
Description Presentation at Newcastle University PhD cybersecurity winter school 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Postgraduate students
Results and Impact Presentation of csalsa work at Winter Cybersecurity School (Jan 2020)
Year(s) Of Engagement Activity 2020
 
Description Security Workshop for U3A 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Public/other audiences
Results and Impact 40 members of the University of the Third Age (U3A) attended two separate workshops held by the cSALSA research team at the University. The interactive workshops focused on improving participants' understanding of security on the internet, specifically covering new guidance on creating "strong passwords" (three random words as recommended by the UK Government) as well as information on how passwords are compromised and best practices for safeguarding passwords. The impact of social engineering was also covered in the second workshop, with a focus on the reasons why people fall for scams (romance, email) and what to look out for. The workshop concluded with advice on how to avoid phishing scams, including tips for identifying the authenticity of emails (based on our previous work). Participants were encouraged to engage in a discussion over lunch and to ask any questions in relation to password creation/management, scams, or more general security advice. Based on positive feedback from participants, we were asked to organise another workshop focusing on privacy issues related to social media use. A follow up questionnaire suggested participants attempted to change some of their passwords (to three random words) as well as evaluated emails more critically after attending the workshops.
Year(s) Of Engagement Activity 2017
URL https://pactlab.gitlab.io/RF/workshops.htm
 
Description Talk to PeerSec virtual summit 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Talk about the work of the csalsa project and the importance of considering cybersecurity across the lifespan and targetting information for different age groups
Year(s) Of Engagement Activity 2018
URL https://www.peepsec.com/prof-adam-joinson/
 
Description Workshop on Privacy (social media) 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Public/other audiences
Results and Impact Following on from the two Security workshops, the project team organised another workshop focused on privacy and social media. During this workshop - attended by 50 members of the University of the Third Age (U3A) - attendees were given information on how social media websites work, from features to financial models. They were encouraged to take part in an activity to help them think about the types of information that should be shared online and that should be kept offline. Participants were also given hands-on advice on how to change their privacy settings to maximise their online protection and extended discussion over lunch. Feedback from participants and the U3A representative was very good, with many members reportedly changing their privacy settings and being more cautious about the information they post. We have sent out a questionnaire to all attendees for an objective behaviour change measurement.
Year(s) Of Engagement Activity 2018
URL https://pactlab.gitlab.io/RF/workshops.htm
 
Description contribution to workshop: Future Directions in Cyber Crime Research 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact RISCS and the Home Office workshop to discuss future research priorities and evidence gaps in relation to cyber crime.
The cyber crime research field has been growing over the past years and we are beginning to see more join-up across the disciplines in tackling important research questions. However, we still have some way to go in resolving key evidence gaps regarding:
• the scale, costs and consequences of cyber crime;
• profiles and pathways into offending;
• victimisation and how to improve cyber security behaviours amongst public and businesses; and
• effectiveness of interventions to prevent, deter and disrupt offending.
Building further understanding of these areas is key for tackling cyber crime and meeting objectives set out in the National Cyber Security Strategy.

In the context of exciting plans for the expansion of RISCS, and further potential funding opportunities, we would like to invite you to a workshop with policy makers, law enforcement and academic colleagues from a range of disciplines, to help identify key evidence gaps and research opportunities for the future.
Year(s) Of Engagement Activity 2017
 
Description presentation to Symantec R&D 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact 1 hr presentation on cSALSA research to Symantec R&D in UK, Germany and USA.
Year(s) Of Engagement Activity 2019
 
Description presentation to the Cyber Aware Industry Forum (27th February, 2018) 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact At the invitation-only event, we bring together organisations with a shared interest in encouraging consumers and small business owners to be more cyber secure, and discuss how best all sectors can work together to respond to the cyber threat.

A government led, industry forum with a focus on the theme of protecting our online identity. Cyber Aware presents the risks cyber crime poses to customer and employee online identities, insights into public perceptions in this area, and the steps being taken to tackle this threat. I gave an invited presentation, followed by a panel discussion chaired by Britain Thinks that explored how our online identity is evolving and the opportunities this presents to cyber criminals, and how we can educate the public on the importance of protecting their personal information online.
Year(s) Of Engagement Activity 2018