Abstract
The application of social research methods in cybersecurity requires a multidisciplinary combination since the security of technologies and communication networks is made up of a set of uses, techniques, and results directly conditioned by the parameters of confidentiality, data availability, integrity, and privacy. However, each of these technological concepts is prepared and subject to conditions of use that involve ethical, sociological, economic, and legal aspects. Firstly, social engineering techniques in cybercrime tend to combine social investigation techniques with computational engineering and telecommunications elements. Secondly, research on cybersecurity phenomena in industrial environments implies the adaptation to the organizational specificity of each sector. In this chapter, the social research topics commonly addressed by leading companies and researchers in cybersecurity at a global level are analyzed from a comparative point of view, extracting a taxonomy of social research on cybersecurity.
TopIntroduction
Universal access to Information and Communication Technologies (ICT) and, significantly, global access to the Internet have increased our dependence on the normal functioning of accesses, data manipulation, and transmission of data. It is unnecessary to point out how this dependency has reached critical values for people or organizations. Consequently, we must be aware that security has become a substantial element of the digital society and economy. As Ulrich Beck anticipated in the 1980s, the growing social concern about the risks humans had created made the risk of new technologies one of the main interests in the social sphere (Beck, 1992). The 'risk society' predicted by Beck was becoming a reality in the 'digital society' (Lupton, 2016). Beck, Castel, or Luhmann led the sociological analysis of the end of the past century on uncertainty and fear of risk (Castel, 1991; Luhmann et al., 2017). These authors stand out in a broad theoretical movement that puts the concept of risk at the center of sociological theory (Adam et al., 2000). This debate highlights the relationships between concepts such as risk, technology, social communication, or uncertainty management. As a whole, this debate allows us to verify that our post-industrial society has had an accelerated dependence on technology in recent decades, notably represented by cybersecurity.
COVID-19 pandemic has boosted the consumption of digital services, including remote working or education and electronic leisure, pushing consumption patterns that will consolidate to a great extent among users even after the recovery of normality (Ting et al., 2020; Papadopoulos et al., 2020). But the displacement of traditional consumption and economic activity to the digital world also drives the motivations of attraction to cybercriminals, whose guidelines for action have become more sophisticated (Lallie et al., 2021).
Cybersecurity is an area of technological risk management that combines purely technical aspects with behavioral issues about how people use information and communication technologies regarding confidentiality, integrity, and data availability. Otherwise, the fact that 95% of the technological risks related to suffering a cyberattack by cybercriminals ’are human-enabled’ (Nobles, 2018), implies that the relevance of social research has had exponential growth in the last decade.
Given this perspective, the importance acquired by the social study of cyber risks is understood, which has only recently received the necessary academic recognition. The existence of a disciplinary field such as cybersecurity barely acquired a birth certificate a decade ago. In 2010 the MITRE corporation commissioned the JASON Advisory Group to write a report on a possible scientific disciplinary area named cybersecurity. The group of experts linked the successful development of the new discipline to the joint effort of an academic, industrial, and laboratory network that should feed with knowledge an authentic research body (JASON, 2010: 6-7). Although initially, they conferred a secondary role to the social sciences, they recognized that their observational methods should establish synergies with those based on the technological field. But social research had already begun its journey within the framework of studies promoted by specialized companies and government agencies with interests in this field, establishing two different lines of work.
In the last decade, large consulting firms such as Gartner or Forrester and multinationals such as Microsoft, IBM, Cisco, Deloitte, or Accenture, which have developed business divisions specialized in the research, have monopolized knowledge production on cybersecurity. This fact is part of a corporative strategy to maintain the necessary competitiveness within the framework of the technology industry. (Walton et al., 2021). Often in collaboration with academia, these research centers have proven essential to contribute to the generation of research on risks and threats and their impact on society and the economy at a global and regional level. However, they are not exempt, as we will see, from the controversy over their possible biases in impartiality (Maschmeyer et al., 2021).
On the other hand, the role in social research of government agencies as the reference centers for cybersecurity in developed countries has proven fundamental to promote cybersecurity research about public issues. Although enabling different regulatory and strategic frameworks, American, European, and Australian institutions have strategic research agendas to consider (Wang et al., 2016).
Key Terms in this Chapter
Availability: It is the capacity of a service, data, or a system, to be accessible and usable by authorized users (or processes) when they require it.
Confidentiality: The quality that a document or file must have so that it is only accessible in an understandable way or is read by the authorized person or system.
Social engineering: It can be defined as the mechanism to obtain information or data of a sensitive nature. In essence, they are persuasive tactics that tend to use the goodwill and lack of caution of users.
Non-Repudiation: Or inalienable, it is a security service closely related to authentication, and that allows to prove the participation of the parties in a communication. For example, when someone has sent us a message if they are who they say they are.
DDoS: The use of malicious software to organize automated attacks through IoT devices, specifically denial of service attacks (DDoS), is currently another effective new formula of cyber-activism, in which a large volume of traffic is directed towards a specific service or website (normally governmental but not exclusively) to make it inoperative.
Integrity: It is the quality of a document or file that has not been altered. That also makes it possible to verify that there has been no manipulation in the original document.
CIDAN: The concepts of confidentiality, integrity, authenticity, availability, and non-repudiation are prevalent in the field of cybersecurity and appear as fundamental in any information security architecture, either in the area of current regulations related to the protection of personal data, such as in the application of codes of good practices or recommendations on information security management and prestigious international certifications such as that relating to the ISO 27000 family of standards.
Botnet: Software artifacts built by cybercriminals as basic infrastructures to support different variants of cyberattacks, allowing multiple remote computers to infect and control up to millions of computer computers without their owner's knowledge, being controlled to launch denial of access attacks, theft of information, and bank credentials or means of payment and sending millions of messages with harmful content.
Security Controls: The principles of control of systems, devices, and connectivity were established early in the global standards, mainly through the COBIT guides or the ISO 27000 family standards. They imply the need to guarantee security through instruments for monitoring unwanted behavior that detects and prevents unwanted use by third parties.
Threat: A threat is understood to be any action that tends to be harmful. It triggers a security incident that can eventually lead to material damage or immaterial loss of assets.
Authentication: It is the situation in which it can be verified that a document has been prepared or that it belongs to whom the document claims to belong. Authentication occurs when the user can provide some way to verify that said person is who he claims to be; from that moment he is considered an authorized user.