How to get away with cyberattacks: An argumentative approach to cyberattacks’ legitimization ...

Anna Spagnolli Ph.D

24 Jun 202208:01

Summary

TLDRThis presentation by Anna Spagnolli from the University of Padova explores the human side of cybersecurity, focusing on how cultural beliefs can legitimize cybercrime. The research reveals that common citizens, not just cybercriminals or experts, can sometimes justify participating in or supporting cyberattacks based on cultural premises. By analyzing university students' responses to various cyberattack scenarios, the study identifies key factors influencing these attitudes. The findings highlight the need for cybersecurity interventions that challenge these misbeliefs, emphasizing the importance of addressing human factors in cybersecurity.

Takeaways

😀 Cybersecurity should address both technical and human components in a socio-technical approach.
😀 Human vulnerabilities in cybersecurity are often overlooked and can involve ordinary citizens, not just skilled criminals.
😀 Lay citizens may participate in cyberattacks due to cultural premises that legitimize such behavior, rather than inherent deviance.
😀 Profiling potential attackers based on personality traits is ineffective, as it ignores the cultural factors that support cybercrime participation.
😀 A cultural approach, focusing on misbeliefs and arguments rather than individual profiles, helps identify the conditions under which cybercrime is legitimized.
😀 Discursive psychology highlights that culture provides shared premises for and against controversial behavior, such as cyberattacks.
😀 The study presented a method to analyze the arguments used by individuals to justify or oppose cyberattacks, based on cultural premises.
😀 University students were interviewed on four types of cyberattacks (profit, revenge, ideology, recreation), helping to understand how they justify such attacks.
😀 A reflexive dramatic analysis was used to identify 18 categories of premises, which were refined into 15 key premises after thorough coding and analysis.
😀 Some justifications for cyberattacks included ideals like the right to express one’s opinion, or victim-blaming, and these premises can influence people's support for attacks.
😀 Practical cybersecurity interventions can be informed by understanding these cultural justifications, helping to target human factors and increase awareness of risks and ethical/legal implications.

Q & A

What is the main focus of the presentation?
-The presentation focuses on addressing the human component of cybersecurity through a socio-technical approach, exploring how ordinary citizens, without technical expertise, may legitimize or support cyberattacks.
How does the speaker distinguish human vulnerabilities in cybersecurity?
-The speaker distinguishes human vulnerabilities by challenging the common belief that they stem from negligence or ignorance. Instead, the focus is on how cultural premises can legitimize cyberattacks, even among non-expert citizens.
What is the problem with profiling potential attackers based on personality?
-Profiling based on personality is problematic because sporadic participation in cyberattacks does not necessarily stem from deviant traits, and such profiling may conflict with privacy protection rights.
How does the speaker propose to address the issue of laypeople's involvement in cybercrime?
-The speaker proposes addressing the issue by identifying and analyzing the cultural premises that legitimize cyberattacks within mainstream society, rather than profiling specific individuals based on deviance.
What method did the researchers use to analyze opinions on cyberattacks?
-The researchers used a reflexive dramatic analysis, categorizing interview responses into 18 themes. This approach aimed to identify the premises behind participants' positions on cyberattacks, not necessarily which position was most common.
What were the four narratives presented in the study's interviews?
-The four narratives presented in the study were: 'attack for profit' (ransomware), 'attack for revenge' (bank website attack), 'attack for ideology' (pro-environmental protest), and 'attack for recreation' (prank malware).
What demographic did the study sample consist of?
-The study sample consisted of 16 university students, aged 21 to 29, from a variety of disciplines, including computer engineering, law, economics, pharmacy, and political science.
What process did the researchers follow to analyze interview responses?
-The researchers categorized interview responses by identifying the premises participants used to support or oppose cyberattacks. They then grouped similar premises and refined their categories through an inductive and deductive process to ensure consistency.
What is the significance of the 15 premises identified in the study?
-The 15 premises represent conditions that could influence how a cyberattack is viewed, either making it more or less acceptable. These premises provide insight into the rationalizations people use to justify or oppose cyberattacks.
How do the findings relate to the concept of neutralization techniques in criminology?
-The findings align with neutralization techniques in criminology, where individuals legitimize antisocial behavior by denying the victim's status, denying the actor's responsibility, or prioritizing other norms over those breached by the crime.
What are the practical implications of these findings for cybersecurity?
-The findings highlight the importance of addressing the cultural premises that may legitimize cyberattacks. By exposing these premises, cybersecurity interventions can better target human factors and increase awareness of the risks involved in supporting such behavior.
What risks are associated with legitimizing cyberattacks based on good intentions?
-Legitimizing cyberattacks based on the perceived good intentions of the attacker could lead to the normalization of cybercrime. This could potentially be seen as just another job, undermining the seriousness of cybercrime and its legal implications.
What distinction does the speaker make between moral and legal evaluations of cyberattacks?
-The speaker emphasizes that while a lay citizen may morally justify a cyberattack, this does not diminish the legal consequences. Understanding the difference between moral and legal evaluation is crucial when deliberating participation in cyberattacks.
What is the broader aim of this study on cybercrime?
-The broader aim is to provide a perspective on cybercrime that acknowledges its complexity and ambivalence, focusing on how lay citizens can be involved and the cultural resources that can support or oppose such involvement.