Cyber-Security across the Life Span
In early January, PaCCS Communications Officer Kate McNeil sat down with Professor Pam Briggs to discuss her work as part of the Cyber-Security across the Life Span (cSaLSA) team. This project received funding through the EPSRC Human Dimensions of Cyber Security Grants under the Cybersecurity Theme of PaCCS.
Kate McNeil: Thank you for taking the time to speak with me today. Would you mind getting started by telling me a bit about your research background, and what brought you to this project?
Professor Pam Briggs: I am a psychologist by training, and my past work has focused on identity management and the way that people authenticate themselves online. I studied how various groups, including minority ethnic groups, those with disabilities, refugees, and those with mental health problems, manage online authentication.
For several years there has been a growing interest in what people have sometimes termed ‘human-centred cybersecurity.’ In the early days of cybersecurity work, a lot of the focus was on the automated ways of improving protection. Then there was a suggestion that humans are the weakest link in cybersecurity, followed by a well-known paper which argued that the only reason humans are the weakest link is because the systems are not designed to be very useable for people. Unless you design cybersecurity systems, campaigns, and support systems that help people stay secure online and which are sensitive to the way people think, you are not going to be able to create a secure ecosystem. I became interested in the specifics of the human in the cyber ecosystem, including their vulnerabilities and what kind of support different users might need.
The cybersecurity across the lifespan project has given me the opportunity to explore the needs and behaviours of particular groups of internet users. The project is predicated on the idea that the kinds of behaviours and activities that younger people undertake online and the kinds of advice they are given in schools is very different from what happens when you are working age and are possibly getting workplace training, and that is different again from the way older adults manage and get advice about their security online.
Particularly with respect to aging populations, there is so much diversity in people’s experiences of cybersecurity and using the internet. Some people might get a retirement package and buy a whole new raft of products that come with support and advice, while others might struggle with money, have hand-me-down equipment that does not have the same kind of security protection, and may not have access to the same sorts of support and resources.
What has the project entailed thus far, particularly from the Northumbria perspective?
This project has been conducted in partnership between academics at the universities of Bath, Cranfield, Portsmouth and Northumbria. The Bath group focused on younger adults, children and families. The Cranfield/Portsmouth team looked at working age internet users, and here at Northumbria we focused on older adults. At the start of the project, the teams worked together, trying to understand more about how the language of cybersecurity changes over the lifespan. Led by Bath University, we developed a cybersecurity dictionary which gave a comprehensive overview of the ways in which people were talking about cybersecurity.
We found that the whole language of cybersecurity for young people is really framed in schools, and a lot of it is around cyber bullying and ‘Stranger Danger’. But as young people move into independence and open bank accounts, there is not really support at that transition to teach young people about other online threats such as phishing activities. They were not being prepared for independent adult life where people start to worry about their finances and loss of identity. We did not find that same disconnect between working adults and older adults.
Since then, the Northumbria team has focused more exclusively on the cybersecurity issues of older adults. We have conducted qualitative research interviewing older adults about where they get their cybersecurity advice from, how they keep updated on advice, how they hear about different threats, and how they hear about the kinds of protective measures they should adopt. Our research was guided by “Protection Motivation Theory” which had been developed and used to understand how people respond to health emergencies. The motivation to protect yourself is based on a combination of how personally threatened you feel, how severe you think a threat is, and how vulnerable you feel in terms of that threat, plus judgements about how capable you feel in dealing with the threat and what actions you might take that might make a difference.
We found that for older adults, information about threats often comes from the radio, but there are few reliable sources of advice about what steps to take – i.e. where they might learn to cope with threats, manage passwords, spot phishing emails, etc. There simply aren’t enough good sources of ‘coping information’ that reach older adults. PhD students and postdocs on our team then looked at the retirement transition and what changes during retirement can create vulnerabilities. For example, the way your social environment changes and whether in your immediate social group you have people with technical knowledge that you can turn to.
At the same time, the other project teams were conducting parallel research on younger adults and how families share information with younger children, and how children might report their vulnerabilities or talk to their parents about these threats. We also realized that whilst there is a lot of human-centered cybersecurity work going on within the workplace, there is not an awful lot of training or support on vulnerabilities that arise in the home, away from workplace support. One of the interesting things which emerged from our later research was a discussion on what makes people more resilient. A lot of this understanding comes from the health literature, but we were able to use it to understand more about the factors that make people more resilient and able to bounce back in the aftermath of a cyber-attack. In part, that relates to whether they have procedures and routines, or mastery and expert knowledge to hand that will enable them to put the right things in place. But there is also something about attitudes to disaster – whether you try to rise to the challenge or end up sticking your head in the sand. Self-efficacy, the belief that you can cope, and your willingness to learn and bounce back from bad experiences all matter.
What comes next for this project, and how is your team planning to take some of the things you have learned thus far and translate them into practice?
We have developed this resilience scale and are doing a lot of quantitative work to help refine it. We are planning to see whether we can get some data from outside of the UK to make the comparisons which would shed light on how robust this scale could be internationally. We are also interested in how resilience correlates with other measures. We are exploring some of the security dynamics in households, particularly those that have different generations or age groups within the household, asking how information is shared within the household, and what kinds of everyday security practices the household adopts. So, we are open to exploring household ideas about who takes control. Who does the backups in a house, or updates the systems regularly? Who in the household is likely to open up the system to vulnerabilities?
Throughout the project, we have been keen to communicate our results to key stakeholders. We have had two workshops targeted at government departments, for example. And we have tried to communicate our findings to the National Cyber Security Centre, the Home Office, and DCMS, the Met Police and smaller cybersecurity organizations across the UK.