ACCEPT: Addressing Cybersecurity and Cybercrime via a co-Evolutionary aPproach to reducing human-relaTed risks

Researchers and practitioners have acknowledged human-related risks among the most important factors in cybersecurity, e.g. an IBM report (2014) shows that over 95% of security incidents involved "human errors". Responses to human-related cyber risks remain undermined by a conceptual problem: the mindset associated with the term 'cyber'-crime which has persuaded us that that crimes with a cyber-dimension occur purely within a (non-physical) 'cyber' space, and that these constitute wholly new forms of offending, divorced from the human/social components of traditional (physical) crime landscapes. In this context, the unprecedented linking of individuals and technologies into global social-physical networks - hyperconnection - has generated exponential complexity and unpredictability of vulnerabilities.

In addition to hyperconnectivity, the dynamic evolving nature of cyber systems is equally important. Cyber systems change far faster than biological/material cultures, and criminal behaviour and techniques evolve in relation to the changing nature of opportunities centring on target assets, tools and weapons, routine activities, business models, etc. Studying networks and relationships between individuals, businesses and organisations in a hyperconnected environment requires understanding of communities and the broader ecosystems. This complex, non-linear process can lead to co-evolution in the medium-longer term.

The focus on cybersecurity as a dynamic interaction between humans and socio-technic elements within a risk ecosystem raises implementation issues, e.g. how to mobilise diverse players to support security. Conventionally they are considered under 'raising awareness', and many initiatives have been rolled out. However, activities targeting society as a whole have limitations, e.g. the lack of personalisation, which makes them less effective in influencing human behaviours.

While there is isolated research across these areas, there is no holistic framework combining all these theoretical concepts (co-evolution, opportunity management, behavioural and business models, ad hoc technological research on cyber risks and cybercrime) to allow a more comprehensive understanding of human-related risks within cybersecurity ecosystems and to design more effective approaches for engaging individuals and organisations to reduce such risks.

The project's overall aim is therefore to develop a framework through which we can analyse the behavioural co-evolution of cybersecurity/cybercrime ecosystems and effectively influence behaviours of a range of actors in the ecosystems in order to reduce human-related risks. To achieve the project's overall aim, this research will:
(1) Be theory-informed: Incorporate theoretical concepts from social, evolutionary and behavioural sciences which provide insights into the co-evolutionary aspect of cybersecurity/cybercrime ecosystems. (2) Be evidence-based: Draw on extensive real-world data from different sources on behaviours of individuals and organisations within cybersecurity/cybercrime ecosystems. (3) Be user-centric: Develop a framework that can provide practical guidance to system designers on how to engage individual end users and organisations for reducing human-related cyber risks. (4) Be real world-facing: Conduct user studies in real-world use cases to validate the framework's effectiveness.

The new framework and solutions it identifies will contribute towards enhanced safety online for many different kinds of users, whether these are from government, industry, the research community or the general public.

This project will involve a group of researchers working in 5 academic disciplines (Computer Science, Crime Science, Business, Engineering, Behavioural Science) at 4 UK research institutes, and be supported by an Advisory Board with 12 international/UK researchers and a Stakeholder Group formed by 12 non-academic partners (including LEAs, NGOs and industry).

The Je-S form's "Academic Beneficiaries" field explains the expected academic impact in detail, so here we focus on economic and societal impact.

The project will benefit citizens and communities they belong to by providing 1) better protection against human-related cyber risks leading to victimisation or harm; 2) better feeling of being safe and secure in cyber(-physical) space due to improved engagement; 3) better education about cyber risks due to more personalised, contextualised and thus easier-to-understand guidelines and recommendations; 4) better value of their personal data via controlled data sharing with trusted stakeholders. As a whole, the project can help foster a better culture of more active collaboration between individuals, communities and other stakeholders to reduce the whole society's risk level to cyber threats.

Product/system/service/social innovation designers will benefit from the project, which will provide clearly-defined and practical design principles and knowledge/understanding based on research and theory, hence improved capacity to generate plausible crime preventive innovations, and integrate security with other requirements.

The project can benefit businesses who are end users of cybersecurity products and services, which include financial institutes, online (not limited to payment) service providers, transportation service (e.g. transportation service, railway and road network) operators and vehicle vendors. Those businesses are key stakeholders of the two use cases in the project, and our work will help them better protect their customers and infrastructures via reduced cyber risks from their customers and employees and increased capacity of engaging users to behave more securely.
NGOs managing cybersecurity and cybercrime awareness activities such as Neighbourhood and Home Watch Network (our research partner) will benefit from the project as the developed framework will provide a more effective way to engage human users and organisations working with government to raise awareness of individual citizens and businesses.

LEAs and governments will benefit from the project in a number of ways: 1) improved policing capacity and efficiency due to more contextualised information received from individual citizens and other organisations via more active engagement of stakeholders; 2) improved relationship with citizens, communities, businesses and NGOs by collaborating with them more closely; 3) better information collection and knowledge presentation tools which can help operation, decision making and internal staff training on cybersecurity and cybercrime.

Policy and law makers will also benefit from the project because the socio-technical framework when applied (widely) to real world will help produce better insights about what is going on in the cybersecurity and cybercrime ecosystems, thus making them more informed to design policies and adapt regulations which will fit more into its purpose and encourage compliance.

Another group of stakeholders who will benefit from the project is cybersecurity product vendors and service providers such as IBM and NCC Group on our Stakeholder Group. They can benefit due to two main reasons: 1) new opportunities to improve/adapt existing products and services; 2) opportunities to create completely new products and services e.g. new data management and user engagement systems which can be used by all the above beneficiaries listed.

Economically speaking, the project can help 1) prevent or reduce costs from user side by reduced victimisation and more informed decisions of end users; 2) enhance trust between consumers and cybersecurity products and services due to improved user experience (which can encourage consumption of such products and services); 3) reduce costs of investigating and pursuing criminals by LEAs with improved policing tools and procedures; 4) create new business opportunities that contribute to the economy directly.