New EPSRC research project on addressing human-related risks in cybersecurity/cybercrime ecosystems

SCCS just got a new research project “ACCEPT: Addressing Cybersecurity and Cybercrime via a co-Evolutionary aPproach to reducing human-relaTed risks” granted by EPSRC. It will involve a group of researchers working in five academic disciplines (Computer Science, Crime Science, Business, Engineering, Behavioural Science) at four UK research institutes (University of Surrey, UCL, University of Warwick, and TRL). It has an overall budget of £~1.1m, with 80% (£~881k) funding from EPSRC. It is expected to start in April 2017 and will last for 24 months.

This interdisciplinary and inter-institutional project’s overall lead will be Dr Shujun Li, a Deputy Director of Surrey Centre for Cyber Security (SCCS) and a Senior Lecturer of Surrey’s Department of Computer Science. At Surrey the project will involve Dr Michael McGuire of the Department of Sociology, Prof Roger Maull of Surrey Business School’s Centre of the Digital Economy (CODE), and Dr Helen Treharne of the Department of Computer Science and Surrey Centre for Cyber Security (SCCS), as co-investigators. Co-investigators from other partner institutes include Dr Hervé Borrion, Dr Gianluca Stringhini and Prof Paul Ekblom of UCL, Prof Irene Ng, Dr Xiao Ma and Dr Ganna Pogrebna of the University of Warwick, and Prof Alan Stevens of the TRL.

A public summary of the project is as follows:

Researchers and practitioners have acknowledged human-related risks among the most important factors in cybersecurity, e.g. an IBM report (2014) shows that over 95% of security incidents involved “human errors”. Responses to human-related cyber risks remain undermined by a conceptual problem: the mindset associated with the term ‘cyber’-crime which has persuaded us that that crimes with a cyber-dimension occur purely within a (non-physical) ‘cyber’ space, and that these constitute wholly new forms of offending, divorced from the human/social components of traditional (physical) crime landscapes. In this context, the unprecedented linking of individuals and technologies into global social-physical networks – hyperconnection – has generated exponential complexity and unpredictability of vulnerabilities.

In addition to hyperconnectivity, the dynamic evolving nature of cyber systems is equally important. Cyber systems change far faster than biological/material cultures, and criminal behaviour and techniques evolve in relation to the changing nature of opportunities centring on target assets, tools and weapons, routine activities, business models, etc. Studying networks and relationships between individuals, businesses and organisations in a hyperconnected environment requires understanding of communities and the broader ecosystems. This complex, non-linear process can lead to co-evolution in the medium-longer term.

The focus on cybersecurity as a dynamic interaction between humans and socio-technic elements within a risk ecosystem raises implementation issues, e.g. how to mobilise diverse players to support security. Conventionally they are considered under ‘raising awareness’, and many initiatives have been rolled out. However, activities targeting society as a whole have limitations, e.g. the lack of personalisation, which makes them less effective in influencing human behaviours.

While there is isolated research across these areas, there is no holistic framework combining all these theoretical concepts (co-evolution, opportunity management, behavioural and business models, ad hoc technological research on cyber risks and cybercrime) to allow a more comprehensive understanding of human-related risks within cybersecurity ecosystems and to design more effective approaches for engaging individuals and organisations to reduce such risks.

The project’s overall aim is therefore to develop a framework through which we can analyse the behavioural co-evolution of cybersecurity/cybercrime ecosystems and effectively influence behaviours of a range of actors in the ecosystems in order to reduce human-related risks. To achieve the project’s overall aim, this research will:

  1. Be theory-informed: Incorporate theoretical concepts from social, evolutionary and behavioural sciences which provide insights into the co-evolutionary aspect of cybersecurity/cybercrime ecosystems.
  2. Be evidence-based: Draw on extensive real-world data from different sources on behaviours of individuals and organisations within cybersecurity/cybercrime ecosystems.
  3. Be user-centric: Develop a framework that can provide practical guidance to system designers on how to engage individual end users and organisations for reducing human-related cyber risks.
  4. Be real world-facing: Conduct user studies in real-world use cases to validate the framework’s effectiveness.

The new framework and solutions it identifies will contribute towards enhanced safety online for many different kinds of users, whether these are from government, industry, the research community or the general public.

This project will involve a group of researchers working in five academic disciplines (Computer Science, Crime Science, Business, Engineering, Behavioural Science) at four UK research institutes (University of Surrey, University College London, University of Warwick, Transport Research Lab), and be supported by an Advisory Board with 12 international/UK researchers and a Stakeholder Group formed by 13 non-academic partners in both the public and private sectors (including law enforcement agencies, industry and NGOs).