Faculty, staff, and students from across the UMD iSchool are pushing the boundaries of thought in sociotechnical cybersecurity.
Sociotechnical cybersecurity (STC) considers the human element that interacts with the technological in the creation, maintenance, and operation of cybersecurity. STC includes organizational, economic, social, legal, educational, psychological, political, policy, cultural, ecosystem, and other approaches that engage the human and technology interactions needed to secure the space, infrastructure, people, and systems within the cyber environment.
Purely technical solutions to cybersecurity are insufficient because they do not wholly account for the complex range of users and environments those solutions must address. The U.S. 2016 federal cybersecurity R&D strategic plan named sociotechnical approaches as the path forward for the cybersecurity of systems and infrastructure. The plan called for further investigation of STC research, transition to practice, and workforce development.
In the STC name, we bridge two fields of study: sociotechnical studies and cybersecurity studies. For a primer on the sociotechnical space, we recommend Sawyer & Jarrahi (2014) Sociotechnical approaches to the study of Information Systems (pdf). For cybersecurity grounding, we recommend Craigen et al. (2014) Defining Cybersecurity (pdf).
STC holds a guest lecture series and a summer reading group. All live STC events will be held in a recorded Zoom webinar with meeting information shared after registration. All times are Eastern Standard Time. (Scroll down to view past events)
Trusting Infrastructure: The Emergence of Computer Security Incident Response, 1989-2005
Speaker: Rebecca Slayton
Thu, Mar 11, 2021 @ 2:00 pm
A Playbook for Effective Corporate Communication After Cybersecurity Incidents
Speaker: Jason Nurse
Wed, Apr 21, 2021 @ 12:00 noon
Upcoming Event Details
Speaker: Dr. Rebecca Slayton
Historians have tended to analyze maintenance as an intrinsically local activity, something very unlike the development of large technological systems. This article challenges this historiographic dichotomy by examining efforts to construct a global infrastructure for maintaining computer security. In the mid-1990s, as the internet rapidly grew, commercialized and internationalized, a small community of computer security incident responders sought to scale up their system of coordination, which had been based on interpersonal trust, by developing trusted infrastructure that could facilitate the worldwide coordination of incident response work. This entailed developing not only professional standards, but also institutions for embodying and maintaining those standards in working infrastructure. While some elements of this infrastructure became truly global, others remained regionally bounded. We argue that this boundedness resulted not from the intrinsically local nature of maintenance, but from the historical process of infrastructure development, which was shaped by regionally based trust networks, institutions, and needs.
Read the full paper here: https://preprint.press.jhu.edu/tec/sites/tec/files/Slayton_Clarke_preprint.pdf
Dr. Slayton is an Associate Professor in the Department of Science and Technology Studies at Cornell University. Dr. Slayton’s research and teaching examine the relationships between and among risk, governance, and expertise, with a focus on international security and cooperation since World War II. Some of her recent work includes two book projects supported by a five-year NSF CAREER award, “Enacting Cybersecurity Expertise.” The first, Shadowing Cybersecurity, examines the emergence of cybersecurity expertise through the interplay of innovation and repair. The other book, in progress, examines tensions intrinsic to the creation of a “smart” electrical power grid. Dr. Slayton received the United States Presidential Early Career Award for Scientists and Engineers for her NSF CAREER project. She was an AAAS Mass Media Science and Engineering Fellow and previously worked as a science journalist. Dr. Slayton earned a PhD in physical chemistry from Harvard University.
Speaker: Dr. Jason Nurse
A cybersecurity incident can cripple an organization, particularly because of the related risk of significant reputational damage. As the likelihood of falling victim to a cyberattack has increased, so too has the importance of understanding what effective corporate communications and public relations look like after an attack. Key questions that need immediate answers include: What messages should be communicated to customers? How should correspondence be released? Who should speak to the media and public? In this talk, Dr. Nurse presents recent research into a playbook to support companies in deciding how to answer these questions and more. This work is grounded in real-world case studies and academic insights and has been validated and refined through interviews with senior security and crisis response industry professionals.
The published article can be found here: https://doi.org/10.1016/j.cose.2020.102036
Jason R.C. Nurse is an Associate Professor in Cyber Security at the University of Kent, and a Visiting Academic at the University of Oxford. His research explores the interdisciplinary nature of cybersecurity, privacy and trust, with particular attention to the impact of new technologies on these areas. As a result of this broad remit, Dr. Nurse has had the pleasure of working across various domains including cybersecurity, psychology, and computational social science. Dr. Nurse has authored over 100 peer-reviewed articles, and he regularly speaks on cybersecurity in mainstream media including the Wall Street Journal, the BBC (and BBC Radio 4), Newsweek, Wired, Infosecurity Magazine, The Register, Naked Security and The Conversation. He can be reached on Twitter @jasonnurse or online at https://jasonnurse.github.io.
Join the conversation, request events, share research, readings, and more on the STC Discord server.
Professor and Dean, iSchool
Associate Professor, iSchool
Assistant Professor, iSchool
Web Content Coordinator, iSchool
PhD student, iSchool
Adjunct Lecturer, iSchool
Software Engineer, Johns Hopkins University School of Medicine
Assistant Professor, iSchool
Postdoctoral fellow, Cornell Tech Digital Life Initiative
Professor Emeritus, University of Maryland Baltimore County School of Public Policy
STC Guest Speaker
Member of the Maryland Bar
PhD student, University of Maryland Baltimore County School of Public Policy
STC Guest Speaker
Professor, University of California, Irvine School of Law
STC Guest Speaker
Assistant Professor, Institute for Security and Global Affairs, University of Leiden
Fellow, Cyber Statecraft Initiative at the Atlantic Council
STC Guest Speaker
Senior Associate, Booz Allen Hamilton
Professor, Smith School of Business
Usable Cybersecurity Researcher, NIST
Speaker: Dr. Shauhin Talesh
Existing research suggests an increasing prevalence of and reliance on data and technology across significant segments of society. This often takes the form of datafication and information capitalism, and involves data brokers. However, there has been less focus on the processes and mechanisms through which data and technology influence particular industries. Using cybersecurity as an area of focus, this study explores how data and technology influence how the insurance industry operates. We focus on cyber insurance, an area where insurers historically have lacked large actuarial data and have faced challenges on how to manage this risk. Drawing from interviews with over sixty persons in the insurance industry, analysis of big data, insurance applications, and industry materials, we find that technology is the mechanism through which insurers regulate. In addition to risk management, we explore how technology and managed security influence the underwriting, pricing, advertising, and purchase of insurance. We explore the implications of the rise of insur-tech for the insurance industry, cybersecurity, and society.
Professor Talesh is an interdisciplinary scholar whose work spans law, sociology, and political science. His research interests include the empirical study of law and business organizations, dispute resolution, consumer protection, insurance, and the relationship between law and social inequality. Professor Talesh’s most recent empirical study addresses the intersection between organizations, risk, and consumer protection laws, focusing on private organizations' responses to and constructions of laws designed to regulate them, consumers' mobilization of their legal rights and the legal cultures of private organizations. Professor Talesh’s scholarship has appeared in multiple law and peer-reviewed social science journals including Law and Society Review and has won multiple awards in Sociology, Political Science and Law & Society.
Please contact Professor Talesh about copies of the presentation slides or his working paper.
Speaker: Dr. James Shires
Four hack-and-leak operations in U.S. politics between 2016 and 2019, publicly attributed to the United Arab Emirates (UAE), Qatar, and Saudi Arabia, should be seen as the “simulation of scandal”: deliberate attempts to direct moral judgment against their target. Although “hacking” tools enable easy access to secret information, they are a double-edged sword, as their discovery means the scandal becomes about the hack itself, not about the hacked information. There are wider consequences for cyber competition in situations of constraint where both sides are strategic partners, as in the case of the United States and its allies in the Persian Gulf.
James Shires is an Assistant Professor at the Institute for Security and Global Affairs, University of Leiden, and a fellow with the Cyber Statecraft Initiative at the Atlantic Council. He has written many articles and policy papers on cybersecurity, disinformation, and international politics, and has won awards from the Hague Program on Cyber Norms, the German Marshall Fund and the International Institute for Strategic Studies. His forthcoming book "The politics of cybersecurity in the Middle East" will be available from Hurst/Oxford University Press in summer 2021.
Author's article related to this talk:
Shires (Fall 2020) The simulation of scandal: Hack-and-leak operations, the Gulf States, and U.S. politics. Texas National Security Review 3(4): 10-29
The article is available on the TNSR website and as a pdf.
Speakers: Dr. Donald Norris & Laura Mateczun
This talk discussed data and results from the first nationwide survey of cybersecurity among local or grassroots governments in the United States and examined how these governments manage this important function. As we have shown elsewhere, cybersecurity among local governments is increasingly important because these governments are under constant or nearly constant cyberattack. Due to the frequency of cyberattacks, as well as the probability that at least some attacks will succeed and cause damage to local government information systems, these governments have a great responsibility to protect their information assets. This, in turn, requires these governments to manage cybersecurity effectively, something our data show is largely absent at the American grassroots. That is, on average, local governments fail to manage cybersecurity well. After discussing our findings, we conclude and make recommendations for ways of improving local government cybersecurity management.
Donald F. Norris is Professor Emeritus, School of Public Policy, University of Maryland, Baltimore County. His principal field of study is public management, specifically information technology in governmental organizations, including electronic government and cybersecurity. He has published extensively in refereed journals in these areas. He received a B.S. in history from the University of Memphis and an M.A. and a Ph.D. in political science from the University of Virginia.
Laura Mateczun is a graduate of the University of Maryland Francis King Carey School of Law, and a member of the Maryland Bar. She is currently a Ph.D. student at the University of Maryland, Baltimore County School of Public Policy studying public management. Her research interests involve local government cybersecurity, criminal justice, and the importance of equity in policy analysis. She received her B.A. in Public Policy and Political Science from St. Mary's College of Maryland.
One of the authors' papers using this research:
Norris, Mateczun, Joshi, & Finin (2020) Managing cybersecurity at the grassroots: Evidence from the first nationwide survey of local government cybersecurity. Journal of Urban Affairs
Aug. 20 - Talesh (2018) Data Breach, Privacy, and Cyber Insurance (pdf)
Aug. 13 - Lawson & Middleton (2019) Cyber Pearl Harbor: Analogy, fear, and the framing of cyber security threats in the United States, 1991-2016 (pdf)
Aug. 6 - Shires (2020) Cyber-noir: Cybersecurity and popular culture (pdf)
Jul. 23 - Zhang-Kennedy et al. (2016) The Role of Instructional Design in Persuasion: A Comics Approach for Improving Cybersecurity (pdf)
Jul. 16 - Norris et al. (2019) Cyberattacks at the Grass Roots: American Local Governments and the Need for High Levels of Cybersecurity (pdf)
Jul. 9 - Chatfield & Reddick (2017) Cybersecurity Innovation in Government: A Case Study of U.S. Pentagon’s Vulnerability Reward Program (pdf)
Jul. 2 - Malatji et al. (2018) Socio-technical Systems Cybersecurity Framework (pdf)
Jun. 25 - Haber & Kandogan (2007) Security Administrators: A Breed Apart (pdf)
Jun. 18 - Botta et al. (2007) Towards understanding IT security professionals and their tools (pdf)
Aug. 14 - Clark-Ginsberg & Slayton (2019) Regulating risks within complex sociotechnical systems: Evidence from critical infrastructure cybersecurity standards (pdf)
Aug. 7 - Porter et al. (2019) Just This Once: Predicting When Work Pressures Lead to the Circumvention of Security Practices (pdf)
Jul. 31 - Wolff (2016) Perverse Effects in Defense of Computer Systems: When More Is Less. (pdf)
Jul. 24 - Elish (2019) Moral Crumple Zones: Cautionary Tales in Human-Robot Interaction (pre-print) (pdf)
Jul. 17 - Blythe et al. (2013) Circumvention of Security: Good Users Do Bad Things (pdf)
Jul. 10 - Craigen et al. (2014) Defining Cybersecurity (pdf)
Jul. 3 - Sawyer & Jarrahi (2014) Sociotechnical approaches to the study of Information Systems (pdf)