Applying Anthropology to Cybersecurity

Introduction

This second post in the Anthropology series is about how anthropology can be applied to cybersecurity. Applied anthropology refers to the application of the method and theory of anthropology to the analysis and solution of practical problems. When applied to the discipline of cybersecurity, the data collection methods used in anthropology are employed with the aim of helping to solve problems within the field. The primary methods used in applied anthropology are work shadowing, contextual interviews and semi-structured interviews. These can also be supported by literature reviews and surveys of relevant groups of people. These are done to gather qualitative and quantitative data so that the anthropologist can provide recommendations or guidelines.

Where and How Anthropology can be applied to Cybersecurity

The categories of cybersecurity that applied anthropology can be applied to include:

  • Human Factors
    • security training
    • security culture
    • communication of security issues
  • Organizational factors
    • risk management
    • open environment and academic freedom
    • lack of budget
    • security as a secondary priority
    • tight schedules
    • business relationships with other organisations
    • access control to sensitive data
    • size of the organisation
    • top management support
  • Technology
    • the complexity of the systems
    • vulnerabilities in systems and applications
    • mobile and distributed access
    • the efficiency of security tools

The aim of the anthropologists is to understand the following aspects of the relationship between cybersecurity professionals and their tools in these areas:

  • nature of security management teams
  • workplace characteristics
  • types of tasks performed by analysts
  • usage of different skills like inferential analysis, pattern recognition and bricolage
  • recommendations for usable tools. 

The end-goal of anthropologists is to improve cybersecurity within organisations.


Case Study 1 - Cyberextortion

Cyberextortion is a form of online crime which occurs when a person uses the Internet to demand money or other goods or behaviour (such as sex) from another person by threatening to inflict harm to their person, their reputation or their property. When we have something of value, it becomes a target. And the more we entwine our lives with technology, the more valuable those 1s and 0s become to us. An example of cyberextortion is the Cryptolocker attack, which hijacked people's data and then required money to unlock it and regain access to it.


What does this all mean for the home user? It should heighten their awareness of cybersecurity and the very real threats that exist out there today. How do we mitigate these threats? We do what we can to protect our data. The following is a simple list of steps users can take immediately to avoid becoming a victim. They are based on basic but simple cybersecurity best practices.
  1. Back up your data: This means not only data you physically have access to like your financial documents, family photos/videos, or your music – but also your online presence. Many social networks let you download the entire contents of your user profile. You should also consider redundant backup options such as physical backups and off-site backups. Just remember to make sure both are secure.
  2. Use 2-Factor Authentication: Facebook, Gmail, Twitter, Paypal and more utilize 2-factor authentication. 
  3. Hide Sensitive Information: While sites may require you to provide a birthday or email address, they also usually give you the ability to keep this information private. Those who need to know the year you were born or your private email address already have that information or can ask for it. There is no need for it to be out in the open for everyone to see. Also, don’t let sites save your credit card information. While it is an added convenience, as cases of data breaches have demonstrated, it can be used against you.
  4. Be Wary of Strangers: This may sound odd as the whole allure of the internet is connecting with strangers. However, if you don’t know someone, you should be very cautious about letting them into any social network circle where they can find out more information about you as this can be used against you.
  5. Be Careful Online: Don’t click on anything you can’t easily identify. Don’t submit information to sites you are not familiar with. Don’t trust things just because they come from people you know. Don’t download things to your computer without some sort of software protection installed.
In summary, treat your digital property much like you would treat your physical property. 


Case Study 2 - Culture of Cybersecurity


The value of data, a commodity of which companies have a tremendous amount, is only increasing, and as such, securing that data becomes ever more intrinsic to business success. There is added value in the role of culture when it comes to cybersecurity. This is an area where anthropologists, with their expertise in studying cultures, should be able to provide a unique angle from which to consider cybersecurity. This has become a key problem area as mobile technologies, cloud applications and continuous online capabilities allow the blurring of the lines between home life and work.


The value of culture in organisational communication, for example, can be applied to phishing attacks and their various offshoots, which thrive upon communicational triggers and vulnerabilities. It has been described that “The real trick is to understand how to communicate and apply influence across a variety of different cultures in your organisation to both compel them to be vigilant and to help them understand what to be vigilant for”. Without the right tailoring of the cybersecurity message to staff, it has been warned that “all too often, the right cyber security messaging is dismissed or resisted because of how it’s presented, the language used or the tone used”.

The culture of the business has wider-reaching effects in a cybersecurity sense than just phishing attacks, however, and understanding the value of business culture is a tremendous asset in ensuring data is successfully protected. A cultural understanding can help in deterring cybercrime. The solutions associated with overcoming or avoiding the human factor of cyber security are often not the failsafe solution they claim to be; instead of bypassing the human element, embracing and understanding it is preferable. Only by engaging workers and employees with cybersecurity will they react positively to required actions and policies; when it is instead forced upon them, they are more likely either to ignore these messages or to participate unenthusiastically, which could lead to mistakes being made.

With the right culture in place, as has been suggested, the cybersecurity message can be propagated through the business and data security is increased, a benefit that is especially prominent given the ever-increasing value of data in all industries and services.

Conclusion

Hopefully, this post has shown how an anthropologist could improve the cybersecurity within an organisation, or the potential role they could play. It is not about suggesting that companies should employ anthropologists within their cybersecurity teams, but if they are looking for a fresh perspective to either improve their cybersecurity or identify a potential area for enhancement, bringing in an anthropologist to offer an outsider's perspective could be of use. For the anthropologist to be most effective, though, the organisation must not hold anything back and must be prepared to open the closet with the skeletons in and to peel back the net curtains.


References

https://cybersecuritysummit.co.uk/cyber-insider/digging-cyber-security-talk-chris-rivinus-tullow-oil/
http://www.cyber-anthro.com/2014/01/cyber-extortion/
http://people.cs.ksu.edu/~sathya/anthro_reading.html
https://www.applied-anthropology.com/
