Cybersecurity as a Social Science

Cybersecurity is typically conceived as a technical topic. In reality, the topic is multidisciplinary, and some aspects of the topic are best understood through a social science lens.  This course addresses the social, political, legal, criminological, and economic dimensions of cybersecurity through a social science framework.  Students are introduced to a human-factors approach to understanding cybersecurity threats.  Attention is given to the social factors that contribute to cyber incidents and the political and legal mechanisms that are developed to control the behaviors of those who create risks cybersecurity incidents.  The class also explores how cybersecurity is studied by social scientists in psychology, political science, criminology, economics, sociology, international studies, and other social science disciplines.

Learning Outcomes

After completing this class, students will be able to:

  1. Compare how basic psychological, sociological, criminological, political, economic, and legal theories and models explain cybersecurity.
  2. Identify the strengths and weaknesses of those theories in understanding the connections between human behaviors and cybersecurity.
  3. Define key concepts including cybersecurity, cybercrime, cyber criminology, cyber law, digital forensics, human factors, cyber policy, cyber risk, cyber threats, and cyberwar.
  4. Identify how professionals in various cybersecurity careers apply these multidisciplinary concepts in their daily routines.
  5. Describe how hypotheses and research questions are formed in studies addressing cybersecurity through a social science lens.
  6. Describe how data are collected, measured, and analyzed in studies addressing cybersecurity through a social science lens.
  7. Identify how marginalized groups have confronted challenges and concerns related to cybersecurity as well as how these groups have contributed to our understanding about the topic.
  8. Explain how the application of social science theories, principles, and research strategies have contributed to our understanding of cybersecurity at the societal level.

Journal Entries

Journal Entry 5

Prompt: Review the articles linked with each individual motive. Rank the motives from 1 to 7 as the motives that you think make the most sense (being 1) to the least sense (being 7). Explain why you rank each motive the way you rank it.

  1. multiple reasons 
  2. Entertainment 
  3. Money 
  4. Boredom 
  5. Revenge 
  6. Political
  7. Recognition 

For 1. I chose multiple reasons because obviously there could be other reasons as to why a person do what they do we don’t know the inside of a persons mind it’s impossible 

  1. I chose entertainment because it’s one of those ones where people just would rather see you suffer solely off the fact they know they can do it. I’ve seen people laugh while actively hacking someone on stream 
  2. Money is a driver for anything when you have no real skills to pay the bills 
  3. Boredom is one I chose for 4 because I see people just abuse their power because they know they either won’t get caught or it’s get them a dopamine rush from ruining other peoples day 
  4. Revenge is one I place in the middle because genuinely anyone who is hacking to get revenge has no life unless they are in a active hacktivist group or something 
  5. Political is super common (anonymous) but they aren’t really the biggest drivers as the ones at the top for me 
  6. Recognition… no one wants to get caught doing a crime. So I don’t have to explain further that’s just my opinion 

Journal entry 1 

Prompt: Review the NICE Workforce Framework. Are there certain areas that you would want to focus your career on? Explain which areas would appeal the most to you and which would appeal the least. 

IfI really had to choose where to focus my career based on what interests me most in this NICE Framework, it’d have to be the technical side of things – specifically security operations and incident response. That’s the stuff I think is just so cool. 

I love getting hands-on and figuring out how attacks actually work on the network and system level. It’s like solving a puzzle trying to trace back what happened. I find it way more engaging than compliance stuff or project management. Don’t get me wrong, those things are important too, but they’re just not what gets me excited.

Responding to incidents is where all the technical skills come together. You’ve gotta analyze logs, investigate strange behavior, contain damage – it really lets me put my technical chops to work. And I think helping organizations recover from attacks and prevent future ones is extremely rewarding. Plus it’s always interesting to see the new tricks hackers come up with.

So for me, focusing on operations and incident response first would let me play to my strengths as someone interested in the nuts and bolts of cybersecurity. Down the line I may broaden out more, but for now this area is definitely where I’d want to sink my teeth in if I could choose. It’s just the most engaging for someone with my background.

Journal entry 6

Prompt: How can you spot fake websites? Compare three fake websites (don’t access those sites, of course) to three real websites. What makes the fake websites fake?

Off rip I look for these 

Spelling/grammar mistakes are a big red flag. Real companies put time into proofreading. 

Formatting/design – real sites have consistent looks while fake ones look thrown together. 

Contact info – if there’s no real address, phone number or social links that’s SUS. 

Domain name – big brands use their name, fakes try diff variations. 

Security – no https or weird self-signed certs is weird.

An example being – that fake shopping site with lots of typos and auto-generated products vs Amazon. Or that janky streaming link versus a real one like Netflix. Also seen fake bank sites just trying to phish info, they just looks shady and ask you to log in right away. 

Real sites gotta build trust so they have professionally written content and secure connections. Fakes are usually only trying to steal your stuff so they cut corners on design and security. Just use common sense and be cautious of any sites asking for private info right off the hop.

Journal entry

Prompt: Explain how the principles of social science relate to cybersecurity.

Social science is super important for cybersecurity because people are often the weak link. Hackers use psychology to trick folks, whether it’s email scams or phishing calls. Understanding how we think helps attackers manipulate behavior. It also helps defense – if we wanna change habits, social principles can guide better training. Whether targeting or strengthening people, social science provides keys to both. It’s an underrated part of staying secure.

Journal entry 3 

Prompt: Visit PrivacyRights.org to see the types of publicly available information about data breaches. How might researchers use this information to study breaches? Enter a paragraph in your journal. 

I looked at PrivacyRights.org  and was surprised by the depth of info they have on data breaches. They’ve compiled reports going back years on breaches in the US, with details on what type of data was involved, how many people were impacted, and what company it was. Seems like a goldmine for any researchers studying trends in breaches over time( I can use that for other classes, thank you) . You could analyze how certain industries or attack methods are more common, how breach sizes have increased or regulations impacted things. It would also give insight on the effects of individual big breaches. Privacy advocates could use it to push for stronger laws too. Pretty cool they’ve made this large dataset available – definitely think security and privacy scholars could gain a lot analyzing the patterns in their reports.

Journal entry 4

prompt: Review Maslow’s Hierarchy of Needs and explain how each level relates
to your experiences with technology. Give specific examples of how
your digital experiences relate to each level of need.

Physiological needs: I use food delivery apps (Doordash and instacart) when I’m too busy to grocery shop or cook. Streaming services and ebooks entertain me when im bored. Wearable devices track my activity levels and health stats.

Safety needs: home security systems and cameras provide peace of mind to families. I keep an emergency contact app on my phone in case I ever break down or get lost somewhere unfamiliar. Backing up files to the cloud protects my data in the event of hardware failure (like the random crashes with social medias apps).

Love/belonging: Social media lets me stay connected to friends and family near and far. Video chat keeps relationships strong despite physical distances. Messaging apps gives companionship and support during lonely or difficult times.

Esteem: Sharing accomplishments and thoughts online, whether through social media post, photos or reviews, gives me a sense of contribution and recognition from my networks. Completing online courses boosts my sense of competence.

Self-actualization: The internet opens up endless opportunities for personal growth and development through online education programs. Remote work flexibility supports my lifestyle and values which what I want to do in my career.

Journal entry 7

choose 3 memes and explain how they relate

The first meme is an example of cyberbullying and how people can see what you post or share information about and use it against you in a negative way

the second meme is showing how people who share to much on the internet can be subject to people who are looking to exploit. I added the “Hand rub” piece to indicate mischievous acts this person is trying to conjure

The third meme shows how people who overshare can be susceptible to danger from online predators. this is also very common for people who share a lot about their locations or family members on the daily.

Journal entry 8

Prompt: Write a journal entry about how you think the media influences our understanding about cybersecurity.

the media plays a huge role in shaping what people think about cybersecurity. But we’ve gotta remember that how they cover it isn’t perfect. A lot of times they focus on the really scary hacks and breaches because that’s what gets more clicks, right? But by doing that they have a tendency to blow things out of proportion and really fuel fear instead of actually educating us. Their focus is all on the threats, so we start to only associate cybersecurity with risk rather than also thinking about the smart practices we can do to stay safe. Plus, let’s be real – many of the reporters writing about this stuff don’t have the technical background themselves. So their explanations probably gloss over details or nuances that people with more experience would catch. And we can’t forget that the media is a business too, so if they’re getting ads from big tech companies that could influence how objective their coverage is. Long story short, while their goal is to raise awareness, by hyping things up or oversimplifying, the media runs the risk of spreading misinformation, unfairly blaming people, and making us feel shame instead of empowered with knowledge. In the end, their approach distorts the real picture and presents cybersecurity in a way that isn’t always faithful to the facts on the ground.

Journal entry 9

prompt: Complete the Social Media Disorder scale. How did you score? What do you think about the items in the scale? Why do you think that different patterns are found across the world?

I had a 2/9 sadly, I tend to be a little irresponsible at times with my social media use even though I only have 1 hour a day on all of my socials together due to my timer. For others social media can be addicting specially those who are attention seeking (needing views and clicks) or people that can not stop scrolling

Journal entry 10

 Prompt: Read this and write a journal entry summarizing your response to the article on social cybersecurity: https://www.armyupress.army.mil/Journals/Military-Review/English-Edition-Archives/Mar-Apr-2019/117-Cybersecurity/b/

This article was eye-opening and quite concerning professor DuVall. I had no idea that countries were weaponizing social media and online information in such an aggressive way. It’s alarming how they are deliberately trying to divide societies and undermine trust in institutions. We really need to make people more aware of how to identify disinformation and propaganda online. And our governments need to develop strong policies to address this new form of warfare. If we don’t, it seems our entire democratic system is at risk. Our shared social values and national unity could be seriously eroded if these information attacks aren’t countered. It was good to learn more about this emerging threat, but also unsettling to realize how vulnerable we have become in the online world.

Journal entry 11

Prompt: Watch this video. As you watch the video https://www.youtube.com/watch?v=iYtmuHbhmS0, think about how the description of the cybersecurity analyst job relates to social behaviors. Write a paragraph describing social themes that arise in the presentation.

One of the key social aspects of being a cybersecurity analyst discussed in the video is the collaborative nature of the work. Analysts must work closely with others on a team to analyze threats and vulnerabilities. They also communicate findings with other departments to help protect organizations. This highlights how cybersecurity involves both independent problem-solving skills but also strong social and cooperative abilities. Another theme is how analysts act as the first line of social defense against malicious cyber attacks aimed at stealing data or disrupting networks. By identifying threats, they play a role in protecting organizational reputation and helping maintain social trust in institutions that could be undermined by cyber incidents. Additionally, the video notes how analysts may interact with law enforcement or deal with human error vulnerabilities, showing the important social and human factors within their technical roles. Overall, the job seems to require both individual technical acumen combined with excellent social and communication skills.

Journal entry 12

Prompt: Read this https://dojmt.gov/wp-content/uploads/Glasswasherparts.com_.pdf and describe how two different economics theories and two different social sciences theories relate to the letter.

Economic Theory #1: Information Asymmetry Theory – This letter helps address information asymmetry. Previously, customers were unaware their payment data may have been compromised. By notifying them, it empowers customers to take actions to protect themselves financially.

Economic Theory #2: Principal-Agent Theory – The letter acknowledges the company engaged a third-party platform provider as its “agent” to handle payments. However, the agent failed to adequately protect customer data, violating the principal’s trust. This notification works to remedy some of that trust by informing customers of remedial actions taken.

Social Science Theory #1: Social Identity Theory – By informing customers of the breach, it helps restore some of their social identity and security that may have been threatened by unknown exposure of private financial information. This strengthens customers’ bond and identification with the company.

Social Science Theory #2: Social Control Theory – The letter exercises social control by outlining steps customers can and should take to protect themselves from financial harm. This establishes expectations for appropriate responsive behavior and helps regulate the potential social problems the breach could enable.

Journal entry 13

Prompt: A later module addresses cybersecurity policy through a social science framework. At this point, attention can be drawn to one type of policy, known as bug bounty policies. These policies pay individuals for identifying vulnerabilities in a company’s cyber infrastructure. To identify the vulnerabilities, ethical hackers are invited to try explore the cyber infrastructure using their penetration
testing skills. The policies relate to economics in that they are based on cost/benefits principles. Read this article https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=true and write a summary reaction to the use of the
policies in your journal. Focus primarily on the literature review and the discussion of the findings.

This study shed new light on bug bounty programs and responsible disclosure policies. The literature review gave good background, but acknowledged gaps in our understanding due to data limitations. I was glad to see them leverage a large proprietary dataset to help address endogeneity concerns plaguing past research.

The findings were pretty interesting. I wasn’t expecting hackers to be so price insensitive – good to know smaller companies can still benefit. And the fact that company size/brand didn’t really matter went against my initial assumptions. Though some industries getting fewer reports is worth unpaid closer attention.

Overall, seeing the empirical evidence that bug bounties effectively improve security across the board was reassuring. The research methods set a good bar for continued evaluation as these programs grow. I hope we can build on this work to help shape disclosure policies in a way that benefits all companies and keeps improving cybersecurity. There’s certainly more to understand, but this study advanced the discussion in useful ways.

Journal entry 14

prompt: Review what the author says and write a paragraph describing the five most serious violations and why you think those offenses are serious.

  1. Collecting info about children – Disgusting and repulsive… I simply do not tolerate anything of any kind that could potentially put the babies at risk of danger from creeps out there. I am an uncle who loves their nieces to the core of my being and I could not imagine if my little bugs were put in danger because people are sick in the head.
  2. Bullying and trolling – I do not tolerate bullying and feel it is also detestable. I was bullied before and it is not a good feeling, it messes with your mental state and your self esteem after a while and I can not stand that there are kids who felt the way I did when I was young.
  3. Recording calls – I believe recording calls unless for professional reasons is weird enough and is a major breach of privacy. I can hardly stand when people put me on speaker phone let alone someone RECORDING ME SPEAK WITHOUT ME KNOWING.
  4. Identity fraud – I have seen people get their Instagram accounts hacked and the person who had taken over the account would ask people for money or personal info pretending to be them to their loved ones. This is a major problem that is hard to control but can be spotted
  5. Sharing others information – I do not like when people give out my number to people without me asking so if someone gave other personal info like where I lived or my passwords I would rightfully be angry as hell. It not something to play around with and can put people in danger.

Journal entry 15

prompt: Watch this video (https://www.youtube.com/watch?v=Pf-JnQfAEew) and think about how the career of digital forensics investigators relate to the social sciences. Write a journal entry describing what you think about the speaker’s pathway to his career.

That talk by Davin Teo was really interesting. I liked how he seemed to just fall into digital forensics almost by accident. He was studying computer engineering in school but got hooked on using those skills to help solve crimes.

Instead of just doing internships for credit like most students, Teo really took advantage by interning at law firms and for the government. That hands-on experience is what really drew him in and got him interested in pursuing it as a career. Can’t blame him – how cool would it be to work on huge investigations while still in school?

It was brave of him to strike out on his own with his own business straight out of college too. Most people want a safe job at an established company. But Teo knew the field was changing so fast that the traditional ways may not cut it anymore. You’ve got to respect someone who takes a risk like that.

Clearly it paid off for him in the long run too. Now he’s at the top of his field and helping lead the way with new techniques. Teo’s story shows how exploring different paths and opportunities early can really help you figure out what you love. It made me think I should look for more ways to test things out beyond just classes.

Article 1 review

Jessiah Davis

Cybersecurity and the social sciences

Teresa Duvall

2/11/2024

Article Review

This article examines how digital literacy, online privacy concerns, and cybersecurity awareness impact cybersecurity behaviors. This relates to social science principles as it investigates how human behaviors and attitudes are influenced by technology use, literacy, and perceptions of privacy and security.

The study looked at the correlations between digital literacy, privacy concerns, and cybersecurity activities, as well as whether knowledge influences these relationships. The hypothesis was that digital literacy and privacy concerns positively impact protective behaviors, while awareness strengthens these impacts.

The data was gathered using an online survey, which was implemented to collect self-reported data from 235 adult internet users in Saudi Arabia on their digital skills/literacy, privacy concerns, cybersecurity awareness, and behaviors. Regression analysis was conducted to analyze the relationships between the given variables.

The data also included empirical assessments of people’s technical capabilities and attitudes, which were statistically evaluated to see how these aspects predict security practices. The regression models helped to identify the direct and indirect impacts of awareness about the research topics.

This relates directly to the concepts we go over in class, like the digital divide impacting access and literacy. It also connects to challenges for marginalized communities who may face greater privacy and security risks due to lower digital skills or awareness. Improving online security for everyone could help reduce inequalities.

Overall, the study contributes to understanding how to encourage secure behaviors. For example, raising cybersecurity awareness could help address not just skills but also empower individuals to translate privacy concerns into action. The findings offer insight into the public policy aims of developing a digitally literate society that is security-conscious. Continued research in this area could further benefit socially disadvantaged or at-risk online populations.

Sources

https://cybercrimejournal.com/menuscript/index.php/cybercrimejournal/article/view/205/76

Article 2 review

Jessiah Davis

Professor Duvall

CYSE 201S

03/21/2024

Article Review 2

            This research relates directly to some key ideas in social science. First, it takes a social constructionist perspective to understand how employees make sense of and learn about cybersecurity when working from home during the pandemic. This ties into the principle that human behavior and knowledge are shaped by our social and cultural surroundings. Second, it draws from Vygotsky’s theories about learning, which emphasize learning through social interaction and collaboration. This connects to the view in social science that cognitive development is socially influenced. Third, it examines how psychological and sociological factors impacted employees’ ability to practice good cybersecurity. This touches on the concept of the relationship between individuals and society.

The study clearly lays out its research questions and hypotheses. The overall goal is to understand people’s experiences adopting cybersecurity practices while working remotely during COVID-19. More specific questions inquire about their transition, what cybersecurity meant to them, how they learned about it, and recommendations for organizations. The hypothesis is that personal and environmental factors impact cyber behaviors, and we need Vygotsky’s perspective to understand learning in this new context.

The method used, interpretative phenomenological analysis, or IPA is explained in detail. IPA’s focus is to understand individuals’ lived experiences and how they make sense of things. The procedures for recruiting participants, conducting semi-structured interviews, transcription, and coding are outlined clearly. Using IPA is justified as it focuses on meaning-making rather than generalizations, fitting the research aims.

The data analysis section goes into thorough detail. Five overarching themes emerged from coding, each with descriptive sub-themes. Significant quotes from interviews show the themes. The implementation of IPA’s thematic analysis is shown, concentrating on interpretation rather than frequencies or generalizations.

Vygotsky’s zone of proximal development and social learning are applied here. The potential effect of stress, trauma, and mentality on learning and decision-making relates to ideas around individual and environmental influences. But how does this relate to class? In module seven we learn that there are “Various social Institutions that exist through interactions between one another and the members of social systems” these being directly related to Peer networks which can also be known as co-workers. People are way more inclined to work hard alongside like-minded people, being alone can subside these outcomes and make it hard for people to feel motivated to work.

The challenges faced by non-traditional or marginalized workers are highlighted. Employees suddenly had to balance jobs with responsibilities like homeschooling and having trouble separating work and home spaces. Others lacked equipment or internet access due to digital or financial struggles caused by COVID-19 or other outside factors.

The study provides helpful insights for both cybersecurity and social science. It brings a more human-centered lens to consider how personal lives are linked with technology use and security. The findings can inform more thoughtful policies and training. It also adds to research applying sociocultural learning theories to understanding adult experiences.

Sources

https://doi.org/10.1093/cybsec/tyae001

Thank you for an amazing semester Professor Duvall…