Cyber-Security across the Life Span (cSaLSA)

Lead Research Organisation: University of Bath
Department Name: School of Management

Abstract

Despite increased efforts to improve cyber-security for organisations and individuals, growing reports of breaches and attacks suggest that not only are we more vulnerable than ever, but also that there "is no obvious solution to the problem of cyber-security" (Garfinkel, 2012, p. 32). As technology has become embedded in virtually all aspects of everyday life, and more and more people are engaged in interactions with systems, it seems likely that the 'problem' of cyber-security will remain unsolved in the foreseeable future. While it has become accepted wisdom that cyber-security is a 'socio-technical' system, with both technical and human elements, making advances based on this understanding has proved difficult. In part this is due to the diversity of both people and the social contexts in which they live their lives, and the systems with which they interact. At the same time, the public discourse and guidance about cyber-security is confusing and often inappropriately targeted. For instance, the term 'cyber-security' can be used to encompass a wide range of attitudes, behaviours, technologies and threats, ranging from authentication methods and SCADA systems to spear phishing and cyber-bullying, with interventions poorly targeted and overly technology-threat based. Crucially, however, the experience and understanding of the cyber-security problem is not the same for everyone, and the cSALSA project seeks to address the fundamental challenge of how we can more fully understand a diverse range of cyber-security experiences, attitudes and behaviours in order to design better, more effective cyber-security services and educational materials.

In the cSALSA project, we take a lifespan approach to studying how cyber-security is understood, and the attitudes and behaviours of people to cyber-security and risk. The project will study cyber-security across three main life stages - amongst young people, those of working age, and older people. The research project will focus on how people's attitudes and behaviours towards cyber-security and risk change across the lifespan in sync with their goals and aspirations, cognitive abilities and knowledge and ability to control and adapt their cyber-security behaviour. Importantly, we recognize that neither cyber-security related behaviours nor life course development occur in a vacuum. Rather, they are part of a complex inter-play of individual characteristics, elements shared with others in a particular life stage, and the dynamic context in which the person finds themselves. These contexts include aspects of family life, organizational structures, cognitive capacity and knowledge, and social support networks.

We propose a three-pronged approach to studying these three life stages: (1) research investigating how cyber-security is understood and framed in everyday language across the lifespan; (2) in-depth qualitative and quantitative work on cyber-security attitudes, knowledge and behaviour across our three points in life, with a specific focus on how the dynamics of people's lives influence how cyber-security is understood, risks appraised and talked about, and actions taken; and (3) specific work on metrics for cyber-security, and the development of new psychometrically validated measures of cyber-security perceptions and behaviours.

Planned Impact

Cyber-security is a growing, global problem. Research that addresses the human dimension of cyber-security behaviour is highly valuable for both the identification and mitigation of threats, and for the design of technology and training that aligns how we think and behave with the technological tools to protect cyber-security. The cSALSA project will have impact in the following ways:

1. By adopting a novel approach to studying how people think about cyber-security, and how that connects to their behaviour.
2. By working closely with partners in Government and Industry to ensure that our insights can have an impact on their practices.
3. By developing new methodologies that will provide a step change in how cyber-security is studied, and the ways in which interventions can be evaluated.
4. By developing our knowledge base and skills in the UK.

There are four major beneficiary groups: academics, government, businesses, and the general public.

Academic impact: Our inter-university consortium will support the training of highly skilled researchers and facilitate the generation and transfer of new methods of research synthesis across the country by running a 'researcher exchange' programme as part of cSALSA, with post-doctoral and faculty researchers being seconded across different partner universities in the UK, as well as short placements in our industrial partners and hosting visitors from our overseas collaborators (PNNL in the USA, and Carleton in Canada).

Government impact: It is intended that this work will assist in shaping the cyber-security agenda at national level. We will work with the new National Centre for Cyber Security to ensure that our work on metrics and measures contributes to the work of the Government on ensuring the cyber-security of the UK. Note that all members of the team have been active in supporting policy development at government level (see also letter of support from CESG).

Businesses: UK businesses will benefit from our work on metrics and measures. At present there are relatively few tools to measure cyber-security behaviour and attitudes in the workplace. We will work with our partners - BAE Systems and Hewlett Packard Enterprise - to ensure that our validated measures and metrics are appropriate and useable to the UK Business Sector. We will use these partners and the CyberInvest network to reach these targets.

Societal impact: The application of the results will contribute to increased well-being of citizens. Our work on how a diverse group of people understand, and respond to, cyber-security threats will help with the education of end-users, as well as in the development of new technologies that provide cyber-security while also supporting users' needs and goals. To this end, members of the team are already talking to relevant public facing bodies such as Cyberstreetwise and Age Concern.
 
Description We have discovered that the meaning of cybersecurity differs substantially between young people, those of working age, and older adults. This matters because training and education materials might not have the impact they could if they are not recognised by people as being of concern. It also suggests that current approaches to studying the meaning of constructs (in this case, cybersecurity) need to acknowledge that different groups have varied ways of defining a core construct - something that raises issues with an approach to how we understand the meaning of things (called 'prototype theory').

We have also developed a 'dictionary' for the automated analysis of texts that discuss cybersecurity - this means that researchers can study at scale trends across outlets, time, audiences and authors. We are also in the process of developing a new measure of cyber resilience.
Exploitation Route We are working to develop a dictionary for the study of cyber-security - this will go some way towards establishing a taxonomy of cybersecurity for use by both researchers and practitioners. It will also be very useful for cyber-security education.
Sectors Communities and Social Services/Policy,Government, Democracy and Justice,Security and Diplomacy

 
Description The work we have been conducting has already begun to have an impact, specifically through interactions with schools and members of the public (e.g. Men's Sheds, WI, local schools) where we have been providing sessions on cybersecurity as part of our early data collection. We have also been engaging with Government (e.g. DCMS Secure by Default project, Cabinet Office Behaviour Change and Security project) to provide guidance and insight around the design of interventions and measurement of security behaviour. We have also engaged with industry - e.g. by providing briefings to UK CNIs on (cyber) security behaviour, including to Babcock and Nominet. General outreach also increased (Cheltenham Science Festival, Nimbus Ninety event, PeepSec) to public and practitioners. We have advised NCSC and the Home Office, and briefed the MACG group who commission national cybersecurity awareness campaigns. The workshop we ran in March 2020 was co-hosted with NCSC at Nova South, and began the process for developing new approaches to cyber-resilience.
First Year Of Impact 2018
Sector Aerospace, Defence and Marine,Digital/Communication/Information Technologies (including Software),Government, Democracy and Justice,Security and Diplomacy
Impact Types Economic,Policy & public services

 
Description Contribution to ENISA guidance
Geographic Reach Europe 
Policy Influence Type Influenced training of practitioners or researchers
URL https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=2ahUKEwjFkefj3-rgAhVlAWMBHVF5DlA...
 
Description Secure by design guidance (IOT in the home)
Geographic Reach National 
Policy Influence Type Citation in other policy documents
URL https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/6860...
 
Description REPHRAIN: Research centre on Privacy, Harm Reduction and Adversarial Influence online
Amount £6,972,599 (GBP)
Funding ID EP/V011189/1 
Organisation Engineering and Physical Sciences Research Council (EPSRC) 
Sector Public
Country United Kingdom
Start 09/2020 
End 09/2023
 
Title Dataset for "Battle for Britain: Analyzing Events as Drivers of Political Tribalism in Twitter Discussions of Brexit" 
Description In this study, we investigate how Brexit tribalism has unfolded over time on Twitter. The dataset contains a corpus of tweets posted to Twitter during a period of 32 months following the 2016 UK European Union membership referendum. The tweets were selected as a result of searching for keywords: firstly for "Brexiteer" and "Remainer" and secondly for "Brextremist" and "Remoaner". The CSV file in this dataset contains both sets of results. There are two columns in the file: timestamp and tweet text, which will be sufficient to replicate our process. Tweet IDs were removed to preserve user anonymity. First, we characterize the nature of the discussion by comparing language use patterns between tweets containing Brexiteer/Remainer and Brextremist/Remoaner keywords. We find that Brextremist/Remoaner are more commonly used in a derogatory way. We also find that all four group identity keywords are used more frequently over time, suggesting an increase in tribal interactions. Finally, we find evidence of a relationship between real-life Brexit events and spikes in tribal responses online.
Type Of Material Database/Collection of data 
Year Produced 2020 
Provided To Others? Yes  
Impact TBC 
URL https://researchdata.bath.ac.uk/812/
 
Description NCSC 
Organisation National Cyber Security Centre
Country United Kingdom 
Sector Public 
PI Contribution Joint workshop on cyber-resilience. Working on guidance collaboratively
Collaborator Contribution Hosting workshop at Nova South, invitation list, planning outputs
Impact Cyber-resilience workshop (March 2020)
Start Year 2020
 
Description Research Institute for the Science of Cyber Security (RISCS) 
Organisation University College London
Country United Kingdom 
Sector Academic/University 
PI Contribution cSALSA project has joined the RISCS phase two institute - contributions include attending workshops and community meetings, presenting research at RISCS meeting and contributing to the RISCS website
Collaborator Contribution RISCS has provided access to cyber security professionals for research as part of WP1.
Impact n/a yet. Disciplines are computer science and psychology / behavioural science.
Start Year 2017
 
Description Advice to Facebook US about security and communication 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Discussion with Facebook US about identification of satire (23rd August 2018)
Discussion and sharing of research with new Privacy and Data Group in Facebook US (29th January 2019 - Liz Keneski)
Year(s) Of Engagement Activity 2018,2019
 
Description Cheltenham Science Festival talk 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Public/other audiences
Results and Impact Talk at Cheltenham Science Festival on social media and cyber security (10th June 2017).
Second talk given 6th June 2018 on young people and technology
Year(s) Of Engagement Activity 2017,2018
 
Description Communicating cybersecurity workshop 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Workshop on 13th March at One Birdcage Walk on communicating about cybersecurity with cSALSA outputs from all elements to participants from NCSC, DCMS, Home Office, RICU, Nominet, and others.
Year(s) Of Engagement Activity 2019
 
Description Computing Cybersecurity conference keynote 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Keynote on 'how to change cybersecurity behaviour' to around 150 cybersecurity professionals.
Year(s) Of Engagement Activity 2019
 
Description Cyber UK presentation on behaviour change and cyber security 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Presentation at NCSC CyberUK conference in Liverpool (April 2017). Title: Behaviour and CyberSecurity. In panel with Angela Sasse on the 'people are the strongest link' theme.
Year(s) Of Engagement Activity 2017
 
Description Cyber resilience workshop 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact "Citizen-Centred Cyber Resilience: Building Resilient Communities from the Ground up" co-hosted with NCSC at Nova South. This workshop brought together experts on cyber security and community resilience to discuss how to build cyber-resilient communities. We began by framing the issue and introducing the different perspectives - community resilience in contexts other than cyber security and cyber resilience. Following a lunch break, participants engaged in round-table discussions on what a cyber-resilient community would look like, how it can be achieved, and what needs to be considered. The discussions were followed by presentations on existing citizen-centred cybersecurity initiatives. Attendees were from industry, government and academia.
Year(s) Of Engagement Activity 2020
 
Description DCMS discussion / co-working on segmentation & metrics 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Opening discussions with Eva at DCMS re. cyber-security segmentation and metrics. Follow-ups in late 2018 / early 2019.

Update: Engaged with DCMS via:

Secure by design consumer guidance workshop (2nd Aug 2018)
1-2-1 meetings with Eva and Laura from the Cyber team on metrics, segmentation (1st Feb 2019)
Year(s) Of Engagement Activity 2018
 
Description Discussion with DCMS re. Security by Default 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Discussion / Interview with John Blythe at DCMS re. security by default project (11th May 2017). Follow up discussions regarding guidance documents, and visit to DCMS in August 2018 to discuss IoT guidance for consumers.
Year(s) Of Engagement Activity 2017
URL https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/6860...
 
Description Discussion with Nominet re. Human Aspects of Cybersecurity 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Discussion by phone with Simon Staffell (Nominet) about plans to begin research on human aspects of cybersecurity (29th January 2019). Connected with RISCS for potential commissioning.
Year(s) Of Engagement Activity 2019
 
Description Home Office briefing 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Presentation to Home Office cybercrime unit on CSALSA work
Year(s) Of Engagement Activity 2019
 
Description IE Conference presentations w/NCSC on phishing 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Presentations (x2) as part of NCSC / CPNI launch of phishing guidance to IE18 (information exchange) conference in Nottingham (Jan 2018)
Year(s) Of Engagement Activity 2018
 
Description Interview / talk to PeepSec virtual summit 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Presentation / expert interview with Oz Alashe for PeepSec
Year(s) Of Engagement Activity 2018
URL https://www.peepsec.com/prof-adam-joinson/
 
Description MACG 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Presentation on CSALSA work to the Multi-Agency Commissioning Group at City of London Police (the group run national cybersecurity awareness campaigns)
Year(s) Of Engagement Activity 2019
 
Description Meeting / workshop with Airbus Newport 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Airbus / NCSC workshop (4th August 2018) at Airbus Newport to discuss Human Factors in Cybersecurity, and setting up of potential centre of excellence / UK focus on human aspects.
Year(s) Of Engagement Activity 2018
 
Description Men's Sheds 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Public/other audiences
Results and Impact Cybersecurity talk given to Men's Shed (Warmley) in exchange for data collection (WP1)
Year(s) Of Engagement Activity 2017
 
Description Present cSALSA to RISCS community 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Other audiences
Results and Impact Present cSALSA research at RISCS community meeting (22nd June 2017)
Year(s) Of Engagement Activity 2017
 
Description Present to Babcock International Security Conference 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Professional Practitioners
Results and Impact Presentation to security professionals from Babcock International Plc on human aspects of cyber security (Oct 4th 2017)
Update: follow up presentation on 16th August 2018 to Babcock security professionals.
Year(s) Of Engagement Activity 2017,2018
 
Description Presentation at Newcastle University PhD cybersecurity winter school 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Postgraduate students
Results and Impact Presentation at Winter Cybersecurity School (Jan 2020)
Year(s) Of Engagement Activity 2020
 
Description Skype discussion with Benjamin Greenstone, Private Secretary to the Minister for Digital and the Creative Industries, DCMS 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact CSaP Policy Fellowship - Benjamin Greenstone, Private Secretary to the Minister for Digital and the Creative Industries, Department for Digital, Culture, Media and Sport. Skype meeting to discuss security, privacy and data (8th Nov 2018)
Year(s) Of Engagement Activity 2018
 
Description Talk on 'the humans are coming' for Nimbus Ninety 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Gave talk on human aspects of cyber, and cSALSA
When Mon 19 Nov 2018 6pm - 9:30pm
Where The Cavalry and Guards Club, London
Year(s) Of Engagement Activity 2018
URL https://blog.nimbusninety.com/blog/the-humans-are-coming-cybersecurity-evening
 
Description Presentation to Symantec R&D 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact 1 hr presentation on cSALSA research to Symantec R&D in UK, Germany and USA.
Year(s) Of Engagement Activity 2019