ACCEPT: Addressing Cybersecurity and Cybercrime via a co-Evolutionary aPproach to reducing human-relaTed risks

Lead Research Organisation: University of Surrey
Department Name: Computing Science

Abstract

Researchers and practitioners have acknowledged human-related risks among the most important factors in cybersecurity, e.g. an IBM report (2014) shows that over 95% of security incidents involved "human errors". Responses to human-related cyber risks remain undermined by a conceptual problem: the mindset associated with the term 'cyber'-crime, which has persuaded us that crimes with a cyber-dimension occur purely within a (non-physical) 'cyber' space, and that these constitute wholly new forms of offending, divorced from the human/social components of traditional (physical) crime landscapes. In this context, the unprecedented linking of individuals and technologies into global social-physical networks - hyperconnection - has generated exponential complexity and unpredictability of vulnerabilities.

In addition to hyperconnectivity, the dynamic evolving nature of cyber systems is equally important. Cyber systems change far faster than biological/material cultures, and criminal behaviour and techniques evolve in relation to the changing nature of opportunities centring on target assets, tools and weapons, routine activities, business models, etc. Studying networks and relationships between individuals, businesses and organisations in a hyperconnected environment requires understanding of communities and the broader ecosystems. This complex, non-linear process can lead to co-evolution in the medium-longer term.

The focus on cybersecurity as a dynamic interaction between humans and socio-technic elements within a risk ecosystem raises implementation issues, e.g. how to mobilise diverse players to support security. Conventionally they are considered under 'raising awareness', and many initiatives have been rolled out. However, activities targeting society as a whole have limitations, e.g. the lack of personalisation, which makes them less effective in influencing human behaviours.

While there is isolated research across these areas, there is no holistic framework combining all these theoretical concepts (co-evolution, opportunity management, behavioural and business models, ad hoc technological research on cyber risks and cybercrime) to allow a more comprehensive understanding of human-related risks within cybersecurity ecosystems and to design more effective approaches for engaging individuals and organisations to reduce such risks.

The project's overall aim is therefore to develop a framework through which we can analyse the behavioural co-evolution of cybersecurity/cybercrime ecosystems and effectively influence behaviours of a range of actors in the ecosystems in order to reduce human-related risks. To achieve the project's overall aim, this research will:
(1) Be theory-informed: Incorporate theoretical concepts from social, evolutionary and behavioural sciences which provide insights into the co-evolutionary aspect of cybersecurity/cybercrime ecosystems.
(2) Be evidence-based: Draw on extensive real-world data from different sources on behaviours of individuals and organisations within cybersecurity/cybercrime ecosystems.
(3) Be user-centric: Develop a framework that can provide practical guidance to system designers on how to engage individual end users and organisations for reducing human-related cyber risks.
(4) Be real world-facing: Conduct user studies in real-world use cases to validate the framework's effectiveness.

The new framework and solutions it identifies will contribute towards enhanced safety online for many different kinds of users, whether these are from government, industry, the research community or the general public.

This project will involve a group of researchers working in 5 academic disciplines (Computer Science, Crime Science, Business, Engineering, Behavioural Science) at 4 UK research institutes, and be supported by an Advisory Board with 12 international/UK researchers and a Stakeholder Group formed by 12 non-academic partners (including LEAs, NGOs and industry).

Planned Impact

The Je-S form's "Academic Beneficiaries" field explains the expected academic impact in detail, so here we focus on economic and societal impact.

The project will benefit citizens and communities they belong to by providing 1) better protection against human-related cyber risks leading to victimisation or harm; 2) better feeling of being safe and secure in cyber(-physical) space due to improved engagement; 3) better education about cyber risks due to more personalised, contextualised and thus easier-to-understand guidelines and recommendations; 4) better value of their personal data via controlled data sharing with trusted stakeholders. As a whole, the project can help foster a better culture of more active collaboration between individuals, communities and other stakeholders to reduce the whole society's risk level to cyber threats.

Product/system/service/social innovation designers will benefit from the project, which will provide clearly-defined and practical design principles and knowledge/understanding based on research and theory, hence improved capacity to generate plausible crime preventive innovations, and integrate security with other requirements.

The project can benefit businesses who are end users of cybersecurity products and services, which include financial institutes, online (not limited to payment) service providers, transportation service (e.g. transportation service, railway and road network) operators and vehicle vendors. Those businesses are key stakeholders of the two use cases in the project, and our work will help them better protect their customers and infrastructures via reduced cyber risks from their customers and employees and increased capacity of engaging users to behave more securely.
NGOs managing cybersecurity and cybercrime awareness activities such as Neighbourhood and Home Watch Network (our research partner) will benefit from the project as the developed framework will provide a more effective way to engage human users and organisations working with government to raise awareness of individual citizens and businesses.

LEAs and governments will benefit from the project in a number of ways: 1) improved policing capacity and efficiency due to more contextualised information received from individual citizens and other organisations via more active engagement of stakeholders; 2) improved relationship with citizens, communities, businesses and NGOs by collaborating with them more closely; 3) better information collection and knowledge presentation tools which can help operation, decision making and internal staff training on cybersecurity and cybercrime.

Policy and law makers will also benefit from the project because the socio-technical framework, when applied (widely) to the real world, will help produce better insights about what is going on in the cybersecurity and cybercrime ecosystems, thus making them more informed to design policies and adapt regulations which will be more fit for purpose and encourage compliance.

Another group of stakeholders who will benefit from the project is cybersecurity product vendors and service providers such as IBM and NCC Group on our Stakeholder Group. They can benefit for two main reasons: 1) new opportunities to improve/adapt existing products and services; 2) opportunities to create completely new products and services, e.g. new data management and user engagement systems which can be used by all the beneficiaries listed above.

Economically speaking, the project can help 1) prevent or reduce costs from user side by reduced victimisation and more informed decisions of end users; 2) enhance trust between consumers and cybersecurity products and services due to improved user experience (which can encourage consumption of such products and services); 3) reduce costs of investigating and pursuing criminals by LEAs with improved policing tools and procedures; 4) create new business opportunities that contribute to the economy directly.

Related Projects

| Project Reference | Relationship | Related To | Start | End | Award Value |
|---|---|---|---|---|---|
| EP/P011896/1 | | | 01/04/2017 | 30/11/2017 | £880,980 |
| EP/P011896/2 | Transfer | EP/P011896/1 | 01/12/2017 | 29/02/2020 | £767,982 |
 
Description Gianluca Stringhini gave evidence to UK Parliament on "Foreign policy in changed world conditions"
Geographic Reach National 
Policy Influence Type Gave evidence to a government review
URL http://parliamentlive.tv/event/index/e71e81ae-0e37-41d5-8827-67be7c8ea628
 
Title A searchable database of key cybersecurity incidents between 2010-2016 
Description A database for research purposes 
Type Of Material Database/Collection of data 
Year Produced 2018 
Provided To Others? No  
Impact We are still working on it so no outcome has been generated. 
 
Title Cyber crime computational ontology and knowledge base 
Description A computational ontology and knowledge base is being developed to capture information around cyber crime for guiding development of computational tools for prevention purposes. 
Type Of Material Database/Collection of data 
Year Produced 2017 
Provided To Others? No  
Impact We are still working on it and have not published it. So impact has been generated. 
 
Description Collaboration with Universities of Surrey and Warwick on a project bid for EPSRC TIPS2 call 
Organisation University of Surrey
Country United Kingdom 
Sector Academic/University 
PI Contribution Co-developed a research bid on privacy protection for leisure travellers
Collaborator Contribution Co-developed a research bid on privacy protection for leisure travellers
Impact Not yet. This is just bidding phase.
Start Year 2018
 
Description Collaboration with Universities of Surrey and Warwick on a project bid for EPSRC TIPS2 call 
Organisation University of Warwick
Country United Kingdom 
Sector Academic/University 
PI Contribution Co-developed a research bid on privacy protection for leisure travellers
Collaborator Contribution Co-developed a research bid on privacy protection for leisure travellers
Impact Not yet. This is just bidding phase.
Start Year 2018
 
Description Collaboration with Universities of Twente and Portsmouth on cyber crime 
Organisation University of Portsmouth
Country United Kingdom 
Sector Academic/University 
PI Contribution Co-developed a new research proposal on cyber crime
Collaborator Contribution Co-developed a new research proposal on cyber crime
Impact The collaboration led to a joint research bid to the Home Office / RISCS call on multi-year project "Understanding cyber offenders, criminal careers and business models".
Start Year 2018
 
Description Collaboration with Universities of Twente and Portsmouth on cyber crime 
Organisation University of Twente
Country Netherlands 
Sector Academic/University 
PI Contribution Co-developed a new research proposal on cyber crime
Collaborator Contribution Co-developed a new research proposal on cyber crime
Impact The collaboration led to a joint research bid to the Home Office / RISCS call on multi-year project "Understanding cyber offenders, criminal careers and business models".
Start Year 2018
 
Description A journal special issue on cyber crime 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Co-editing a special issue on Cybercrime: interdisciplinary approaches to cutting crime and victimisation in cyber space, to be published in the open access journal Crime Science: An Interdisciplinary Journal by Springer.
Year(s) Of Engagement Activity 2018
URL https://crimesciencejournal.springeropen.com/cybercrime
 
Description A tutorial on "Human Factors in Cyber Security: User authentication as a use case" 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Postgraduate students
Results and Impact An invited 3-hour tutorial as an invited guest speaker at the 2017 Summer School on "Human Factor in Systems Safety and Security", organized by the Department of Computing and Informatics, Bournemouth University, UK and sponsored by the IEEE Systems, Man and Cybernetics (SMC) Society.
Year(s) Of Engagement Activity 2017
URL https://www.eventbrite.co.uk/e/human-factors-in-systems-safety-and-security-tickets-33332437217
 
Description An interview with Sussex Police's Cyber Crime Unit 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Professional Practitioners
Results and Impact An interview with two police officers working at the Cyber Crime Unit of Sussex Police, to get input about use cases of cyber crime.
Year(s) Of Engagement Activity 2017
 
Description An invited talk on "Human Factors in Cyber Security: User authentication as a use case" 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Postgraduate students
Results and Impact An invited talk at ISWRACS (International Symposium and Workshop on Research Advances in Cyber Security) 2018, organized by the Hindustan Institute of Technology & Science (Hindustan University), India.
Year(s) Of Engagement Activity 2018
 
Description An invited talk on "Project ACCEPT (Addressing Cybersecurity and Cybercrime via a co-Evolutionary aPproach to reducing human-relaTed risks)" 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact An invited talk at the Workshop on Economics and Human Aspects of Cyber-Security, organized by the School of Economics, University of Kent, UK in Canterbury, UK.
Year(s) Of Engagement Activity 2017
URL https://www.kent.ac.uk/economics/research/micro-group/events/workshop-20-nov17.html
 
Description An invited talk on "Research Institute in Science of Cyber Security (RISCS) and Project ACCEPT (Addressing Cybersecurity and Cybercrime via a co-Evolutionary aPproach to reducing human-relaTed risks)" and a panel discussion on Cyber Security 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact An invited talk and a panel discussion at the 21st LAPFF (Local Authority Pension Fund Forum) Conference 2017, Bournemouth, UK.
Year(s) Of Engagement Activity 2017
 
Description Competitive Advantage in the Digital Economy (CADE) 2017 (Venice, Italy) 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Postgraduate students
Results and Impact The CADE Forum 2017 was an exclusive three-day forum held in Venice, Italy, bringing together academic and practitioner speakers to educate and to discuss the state of the art with PhD students, early career researchers and practitioners working within the digital economy. This year saw CADE enter its fourth year, following three successful years during which CADE grew from a predominately Western European forum to a European conference welcoming participants from Eastern Europe. In 2017, CADE Forum became a global event, with applicants from the USA and Australia, highlighting the increased importance of the digital economy and the Forum's relevance and popularity. This year, CADE also merged with WMG's Service Systems Forum to become a single event, tackling the topic of Smart Service Systems, Digital Innovation, Privacy and Trust.
During CADE 2017, internationally-recognised thought leaders from a variety of subjects including Marketing, Service Management, Operations Management, Supply Chain Management and Computer Science shared their thoughts and latest research about the digital economy. The CADE Forum aims to discuss the current state of the art in the digital economy, with a focus not just on presenting the latest research, but also on opening up avenues for future research with a lengthy discussion session following the presentations. This year was no exception, with thought leaders presenting various cutting-edge research topics whilst simultaneously addressing a number of increasingly important issues that left open the possibility for future research.
As well as the keynotes, for the first time in CADE's history this year saw the inclusion of parallel sessions, which gave participants the opportunity to present and then discuss their own research. With the format of CADE placing emphasis on discussion, participants were given up to 15 minutes each to present their research, followed by a short discussion. With topics ranging from the future of blockchain, to participation styles of young people in virtual worlds, these presentations provided a broad and thought-provoking insight into the type of research being conducted in the digital economy. Awards were also offered for best paper (overall), most relevant to practice and unique methodological approach.
Much discussion also took place during CADE 2017's panel session, which saw the Forum's keynote speakers and scientific committee take open questions from participants. The first question drove a long discussion around the future of digital economy research and teaching. This question asked broadly: what needs to be done to advance digital economy research across disciplines, how can we encourage multidisciplinary work within the digital economy and how do we teach the additional knowledge created within said research. Interestingly, whilst the question's focus was on the first two areas, it was the teaching component that received considerable attention. The keynote speakers suggested different approaches, including interactive lectures, lectures from industry on best practice within the digital economy given that industry is seemingly ahead of academia in the digital economy at present (a gap that the Forum agreed needs closing), and creating a more comprehensive extra-curricular reading list which would subsequently be tested in class to ensure the reading is being completed. However, in view of the exponential amount of new knowledge coming into the world through ground-breaking research that needs to be learned and absorbed by students, imparting this effectively remains a considerable challenge for academia, and it is one that the Forum's panel put forth to the participants to solve, as they will be the ones teaching the research in the years to come.
Year(s) Of Engagement Activity 2017
URL https://warwick.ac.uk/fac/sci/wmg/research/business_transformation/ssg/ssgabout/sswmgactivities/cade...
 
Description Data Needs to Be More Personal in the 21st Century - Inc Magazine article 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact HAT featured in an article on Inc magazine's website about how consumers want more data privacy and how that's a big opportunity for entrepreneurs.
Year(s) Of Engagement Activity 2017
URL https://www.inc.com/drew-hendricks/data-needs-to-be-more-personal-in-the-21st-century.html
 
Description From GDPR to blockchain, we're getting more power over our data - The WIRED World in 2018 article 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Public/other audiences
Results and Impact Article authored by project PI Professor Irene Ng on how private data accounts hosted by data stores like the Hub of All Things (HAT) may be the first step towards the internet as a civil society, paving the way for a governing system where digital citizens, in the form of their private micro-server data account, do not merely have to depend on legislation to champion their private rights, but also have the economic power to enforce them as well.
Year(s) Of Engagement Activity 2018
URL http://www.wired.co.uk/article/gdpr-personal-data-private-data-accounts
 
Description HAT Track at 5th Naples Forum on Service 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact The HAT parallel session on Digitization and Datafication of Services took a data-driven perspective of Service Science, Service-Dominant Logic, and Network Theory in order to better explore the implications, challenges and direction of further digitization among services. It was a track of the 5th Naples Forum on Service, held in Sorrento, Italy on June 6-9, 2017.
Year(s) Of Engagement Activity 2017
 
Description HHMC 2017 (Workshop on Hybrid Human-Machine Computing) 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact A workshop co-sponsored by the COMMANDO-HUMANS project and chaired by the project's PI. It covers two related pieces of work from the COMMANDO-HUMANS project.
Year(s) Of Engagement Activity 2017
URL http://hhmc2017.commando-humans.net/
 
Description Interviews with 5 cybersecurity experts on dynamic/evolutionary aspects of data breaches 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Ethnographic interviews for better understanding of dynamic/evolutionary aspects of data breaches.
Year(s) Of Engagement Activity 2017,2018
 
Description Let's make this the year we reclaim control of our data - The WIRED World in 2018 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Public/other audiences
Results and Impact Article authored by project Co-I Jon Crowcroft on how differential privacy, homomorphic encryption, and GDPR could help consumers wrestle back control of their personal information.
Year(s) Of Engagement Activity 2018
URL http://www.wired.co.uk/article/2018-data-privacy-control
 
Description Media interviews & briefings with journalists 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact This was done for The Web of Profit project and the EPSRC-funded ACCEPT project by Michael McGuire. The journalists were from Computer Weekly, New Statesman, and Dark Reading.
Year(s) Of Engagement Activity 2017
 
Description Our personal data are precious - we must take back control - Financial Times 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Article in the Financial Times about the HAT and its role in helping individuals reclaim future personal data control
Year(s) Of Engagement Activity 2017
URL https://www.ft.com/content/3278e6dc-67af-11e7-9a66-93fb352ba1fe
 
Description Personal Data as an Asset: Design and Incentive Alignments in a Personal Data Economy 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Industry/Business
Results and Impact The presentation argued that person-controlled personal data (PPD), technologically, legally and economically architected such that the individual owns a personal micro-server and therefore has full rights to the data within, much like owning a PC or a smartphone, is potentially a route to reducing transaction costs and innovating in the personal data economy. There was good engagement through discussion and debate.
Year(s) Of Engagement Activity 2018
URL https://infolawcentre.blogs.sas.ac.uk/2018/01/17/personal-data-as-an-asset-design-and-incentive-alig...
 
Description Provocation paper for Royal Society: Data management and use: governance in the 21st century 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact A provocation paper submitted for discussions at a British Academy and Royal Society seminar on 16 October 2017 that focused on data governance, resulting in a report Data management and use: Governance in the 21st Century that addressed the changing data landscape and recommended a principled approach to data governance, and called for stewardship of the entire data governance landscape.
Year(s) Of Engagement Activity 2017
URL https://royalsociety.org/~/media/policy/Publications/2017/Data_management_and_use_governance_in_the_...
 
Description SPCPS 2017 (Workshop on Security and Privacy in Cyber-Physical Systems 2017) 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact A workshop organised at IEEE CYBCONF 2017 (3rd IEEE International Conference on Cybernetics)
Year(s) Of Engagement Activity 2017
 
Description Talk on co-evolution based modelling of cybersecurity 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Two talks, one at a meeting of the American Society of Criminology in Philadelphia in November 2017, and another one at a meeting of the European Society of Criminology in Cardiff in September 2017.
Year(s) Of Engagement Activity 2017
 
Description The New Data Economy - Connect-World.com 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Article by Irene Ng on the new data economy
Year(s) Of Engagement Activity 2017
URL http://connect-world.com/2017/11/30/new-data-economy/
 
Description Wolfson-HAT Annual Symposium on the Digital Person 2017 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact The Wolfson-HAT Annual Symposium on the Digital Person 2017 served to raise awareness on the topic of personal data and discuss issues relating to personal data in the Internet Economy. Organised by the HAT Community Foundation with Wolfson College Cambridge, the symposium was a series of four panel discussions held over four weeks in March and April 2017 to explore critical issues around the uses (and abuses) of our personal data, as well as the wider questions of the Digital Person, freedom, identity, security and innovation.
With broad-ranging appeal, the series was designed to interest practitioners and policy makers, as well as academics in the sciences, humanities and social sciences with discussions relating to law, computer science, history, sociology, entrepreneurship, business, economics and the global society.
Year(s) Of Engagement Activity 2017
URL https://hatresearch.org/wolfson-hat-symposium-digital-person/
 
Description Workshop with British Transport Police 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact The presentations on the ACCEPT project and the Co-evolution framework; questions based on our ontology/framework were discussed.
After the workshop, the participants gained more understanding of the ACCEPT project, the approaches/framework employed, the value of the project and the benefits of their engagement. I suggest that we need to conduct follow-up interviews to further probe the questions and to develop the ontology framework.
Year(s) Of Engagement Activity 2017
 
Description Workshop with Lloyds Banking Group 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Industry/Business
Results and Impact The ACCEPT project and the Co-evolution framework were presented. Questions based on our ontology/framework materials were discussed. After the workshop, the participants gained more understanding of the ACCEPT project, the approaches/framework employed, the value of the project and the benefits of their engagement. I suggest that we need to conduct follow-up interviews to further probe the questions and to develop the ontology framework.
Year(s) Of Engagement Activity 2017