How to improve research on cybersecurity

Cybercriminality and cybersecurity are hot topics, in the academic world as well as elsewhere. But there is room for improvement in this research, says Bibi van den Berg, Professor of Cybersecurity Governance at Leiden University. Inaugural lecture 8 June.

Every time you open the newspaper you come across a story about cybercriminality or cybersecurity. It's often about leaked personal data or the latest phishing mails trying to empty your bank account, or about Russian or Iranian hackers who are after our state secrets. In short: the worldwide web has all kinds of advantages, as well as numerous threats, and we are becoming more aware of them.

Broadening the definition

Scientists are always engaged in research on cybersecurity, but there is room for improvement in that research. In her inaugural lecture Van den Berg shows that the present focus of scientific research on cybersecurity is too narrow.
In current research on cybersecurity the focus is primarily on cybersecurity as ‘the protection of systems against intentional threats using risk management’. There are good reasons for broadening this definition, according to Van den Berg.
‘In the first place we need to look not only at intentional threats, but also at accidental dangers,’ Van den Berg explains. ‘Some of the threats come from hacks and other deliberate attacks, but things can also go wrong as a result of human error or system faults. So far these kinds of accidents have been almost completely ignored as subjects for research. That's worrying because the consequences are often just as serious as with deliberate attacks.’ Take, for example, last November's disruptions to the air traffic control system, which resulted in Schiphol having to cancel hundreds of flights.

Misinformation and fake news

Another problem according to Van den Berg is that the research focuses too much on systems. Research has, for example, concentrated too much on disrupting, manipulating or infiltrating systems (hacking or malware) or on criminal activities via different methods (like phishing or fraud). Van den Berg: ‘In recent years we have also seen a new cyber threat that doesn't fit into this research focus, namely misinformation and fake news. As this increases, it becomes clear that the focus on hardware and software is too narrow; we will have to develop new ways of protecting content.’

Risk management

Van den Berg says that the solution for cybersecurity issues is currently being sought in risk management, continuously monitoring and dealing with potential threats. ‘Although risk analyses of cybersecurity generally contain a lot of uncertainties, politicians and government officials treat the reports as if they are incontrovertible facts.’

‘Once these supposedly objective numbers have reached the desk of the decision-maker, it's unbelievably difficult to have a debate about other information that could probably be relevant for a well-informed decision.’
And finally, science needs to better define and conceptualise the field. That's important, in Van den Berg's opinion, because the study of cybersecurity is currently mainly about applied, empirical work from the perspective of technology. ‘But empiricism without theory is meaningless. We need clarity to guide the choices we are making in the field of legislation and product design.’

