Thursday, April 29, 2021

From cyber-crime metrics to cyber-harm stories: shifting cybersecurity perspectives and cybercrime strategies

Is measuring the amount of cybercrime important? I have argued that it is, and for several different reasons which I have presented in many places; for example, in this article: Advancing Accurate and Objective Cybercrime Metrics in the Journal of National Security Law & Policy

For me, the most pressing reason to pursue accurate and objective cybercrime metrics is the potential of those numbers to persuade governments and world leaders to do more to counter cybercrime (as in: detect, deter, disrupt, prosecute and sanction perpetrators). The persuasion goes like this: 
  1. Here's how big the cybercrime problem is.
  2. Here's how fast it is growing despite current efforts to solve/reduce it.
  3. Can you see how bad things will get if you don't do more to solve/reduce it?
A similar persuasion strategy has long existed in the cybersecurity industry as part of its efforts to make technology safer (while selling more security products and services—a reality that has undermined the value of industry metrics in policy debates). 

The efficacy of this strategy—"look at these numbers, that's how bad the cyberbadness is, it's time you did more to protect us/you"—has been been disappointing to say the least, given the rate at which the cybercrime problem keeps growing. 

Back in 2014, I decided to research this lack of efficacy, exploring risk perception as it relates to crime and technology. I delved into cultural theory of risk, cultural cognition, white male effect, identity protective cognition, and the science of science communication. One thing I learned was that some people are unmoved by statistics and data. 

Relying on stats+facts to convince everyone that there is an urgent problem, one which merits attention and action, is a mistake. For whatever reason, some folk are relatively immune to stats+facts; however, they may be moved by stories.

Ironically, this was a phenomenon that I had already experienced in my early days of promoting security solutions. For some audiences there was nothing more effective than a case study, a story of how some person or organization had become a victim, or how someone had avoided becoming a victim. Even before then, when I was writing my first computer security book, I had made sure that I included stories from which people could learn the value of security policies and practices (The Stephen Cobb Handbook of PC and LAN Security, 1991). 

The problem you run into when you try to use victim stories to pitch security is that, historically, very few people have been willing to share their stories. This may be due to embarrassment or, ironically, for operational reasons. (As a CISSP, I would advise organizations not to share the helpful story of "how Acme firewall is keeping us safe," or the helpful tale of "how our network was penetrated despite Acme firewall.")

All of which leads to some helpful coincidences. If you investigate the amount of harm caused by cybercrime, rather than just count the number of cybercrimes committed, you get more than just persuasive data, you get moving stories. 

Furthermore, you get a fresh perspective on the problem of cybercrime and the challenge of getting more people to take it more seriously, at four different levels:
  1. Personal: understand how I, or my organization, could be victimized and steps I can take to minimize the risk of that happening.
  2. Political: grasp the level of pain and suffering caused by digitally enabled or enhanced crimes, and calculate their impact on society, down to the medical and social care burdens that victimization generated.
  3. Strategic: use this perspective to argue that funding for medical and social care should include cyber-harm reduction initiatives because fewer people scammed  = smaller care burden.
  4. Professional: pursue both qualitative and quantitative research into the harms caused by rampant cyberbadness, from criminal successes to cybersecurity fails.
Moving forward, I want to explore all four levels and share what I find. The process took a step forward this week when I talked myself into delivering a training session about scam avoidance to a community support group. I've done this in the past, but in America. This session will be delivered to a UK audience, specifically people who support carers. 

The Carer Factor

Since we moved back to the UK in 2019, we have found that the importance of social care and the work of unpaid carers is widely-recognized. These carers—who tend to be known as caregivers in America—are people who have become part-time or full-time unpaid carers for relatives and friends. (As you can imagine, part of that care work may include technical support, and that may include several aspects of cybersecurity.)

Local governments and charities in the UK make a concerted effort to support unpaid carers, both practically and emotionally. Let me give you an example: thanks to a charity called Carers Trust,  I am formally registered as the designated carer for my partner Chey, and for my mother. That means, among other things, that if I get hit by a bus and first responders check my wallet, they will find a card that says I care for these two people plus a number to call if I am incapacitated. 

That call triggers several services. Carers Trust will step in to provide care to my carees if I cannot be there for them. The organization already has a comprehensive file on the needs of my carees, their circumstances, and so on. Furthermore if the bus misses me, but I feel like I could really use a break from caring, the carers' support group can cover for me.

I'm sure you can imagine what a huge weight this care group has lifted from my shoulders, and how much peace of mind it has provided to my carees, now they know that there is backup help available. On a less dramatic, but still very important level, the care group provides me a place to meet with other carers and I find this helpful, both psychologically and practically.

My involvement with the care community has led me to consider fresh lines of inquiry into the reduction of cybercrime and technology abuse. Indeed, I can see this care group, and the many others like it around the country, becoming a valuable resource in the quest to reduce the harms caused by scammers and fraudsters.

If you check back here in the latter part of May there should have a link to the training session content. (Like all of my content these days, it is free and suitable for sharing.) In the meantime, here are some links that might be of interest:
  • A detailed look at the impact of fraud in general, 24-page PDF of a chapter from the book Cyber Frauds, Scams and Their Victims by Cassandra Cross and Mark Button, 2017.
  • The Fight Cybercrime website which has a lot of helpful info for victims of online fraud, in 12 languages!
  • The source for the statistic that "older [scam] victims are 2.4 times more likely to die or go into a care home than those who are not scammed" — PDF of Age UK report, 2016.
  • The website of Carers Trust in the UK: "a major charity for, with and about carers".

Note: If you found this page interesting or helpful or both, please consider clicking the button below to buy me a coffee and support a good cause while fueling more independent research and ad-free content like this. Thanks!

Button says Buy Me a Coffee, in case you feel like supporting more writing like this.

No comments: