Monday, October 05, 2020

Why do we need cybersecurity awareness? (Day 5 of Cybersecurity Awareness Month 2020)

As Cybersecurity Awareness Month gets rolling it seems reasonable to ask: why do we need cybersecurity awareness? The short and simple answer is that we humans need many kinds of security awareness to avoid or reduce the chances of bad things happening in life. For example, by the time we are adults, most of us have some level of road security awareness as well as physical security awareness. We teach children abduction awareness as well as personal hygiene.

We often think of these different "awarenesses" in terms of the phrases that awareness campaigns have used: phrases like stranger danger and see something, say something

The point is: some humans tend to do bad things, but knowing what those bad things are can help us to begin thinking about how to avoid them. And if we can get practical advice on how to avoid becoming victims of those bad people, even better.

That was the point of the "Take a bite out of crime" awareness campaign that launched in 1980 with a series of public service announcements "educating citizens on personal security measures" (Wikipedia). 

Featuring "McGruff the Crime Dog," the initial campaign was largely TV-based and proved very successful, garnering "over $100 million in free air time donated in the first year [and] reaching over 50% of adults." 

McGruff's early messages—such as lock your doors and put your lights on timers in order to reduce crime—might sound simplistic, just as the advice to "use strong passwords" sounds simplistic in the context of cybercrime today; however, a lot of crime prevention is pretty basic stuff, whether in cyberspace or meatspace. That doesn't mean it's not effective. 

Here's an example: some bad people steal cars. If you have a car and you park it in a locked garage overnight, it is more likely to be there in the morning than if you parked it on the street. That's not just a guess on my part, numerous studies have shown this to be the case. (Believe me, I spent two years studying in the School of Criminology at the University of Leicester and I've read the studies.)

Awareness of the risks related to car theft, and of ways to reduce them—for example, a steering wheel clamp will reduce the risk of theft for cars parked on the street—helps you to avoid the unpleasantness of having your car stolen. 

Equally as important in the larger scheme of things: your awareness of all these things also helps your local law enforcement agency to avoid all the work they are supposed to if your car is stolen. Just as any proper doctor would prefer there to be less illness, good law enforcement agencies would like there to be less crime, and not just because that would mean less paperwork. Think of all the good things that we could do with the money we save from reducing the number of bad things people do.

Property crimes rates in America started to drop after 1980So, encouraging the public to "do their bit" in preventing crime makes a lot of sense, and can be a  useful component in crime reduction programs, as this graph would appear to suggest.

You can see that during the 1960s and into the 70s, the level of property crimes in America started to rise quite dramatically, despite a general increase in the standard of living. McGruff' was introduced in 1980, which is where the dark side of the chart ends and the crime rates start to fall. I am NOT suggesting that this was all down to McGruff, but the timing is interesting. It marked a shift towards "situational crime prevention" programs in many communities (I will have more on SCP in a later post). 

So, will history show that Cybersecurity Awareness Month has been having a similar effect on cybercrime? 

I am sure it is responsible for preventing some security incidents, and we should continue awareness efforts. (Maybe we could enlist McGruff—we would only need to change one letter of the classic slogan.)

Unfortunately, cybercrime is not quite the same as traditional property crime perpetrated in meatspace. Some of the important ways in which computer crime differs from traditional crime were enumerated by Brenner’s landmark 2004 law journal article on cybercrime metrics (PDF). 

When things are digital they can be scaled massively, automated, performed remotely, with scan forensic evidence: one person can break into thousands of computers in a matter of hours from 5,000 miles away. Your traditional house-breaker can only burgle one home at a time, in person, and with a relatively high probability of detection, capture, prosecution, and conviction.

There is another factor that makes some digital crimes different from physical crimes, a factor that I don't recall anyone writing about: I can steal your music collection without you losing it (assuming that your collection exists as files in digital storage). As I see it, this phenomenon really messed with the emergence of moral standards around digital technology abuse in the 1990s. I would even argue that it led too many people to ignore the rise of more directly harmful crimes in cyberspace in the early 2000s.
So, cybercrimes can seem to be very different from, and more complex than, traditional crimes. They may well deserve their own awareness programs. But there are some serious factors in play right now that make a dip in the level of cybercriminal activity unlikely, at least in the near future. 

However, I heartily agree with Brenner when she concluded that “cybercrime is, after all, simply crime.” So, maybe now is the time to raise awareness about crime in general. After all, these days it is true to say that, in general, most crime involves some amount of digital technology. 


No comments: