Sociotechnical Cybersecurity (STC) Interest Group
Faculty, staff, and students from across the UMD iSchool are pushing the boundaries of thought in sociotechnical cybersecurity.
Sociotechnical aspects of cybersecurity consider the human element that interacts with the technological for the creation, maintenance, and operation of cybersecurity. STC includes organizational, economic, social, legal, educational, psychological, political, policy, cultural, ecosystem, and other approaches engaging the human and technology interactions needed to secure the space, infrastructure, people and systems within the cyber environment.
Purely technical solutions to cybersecurity are insufficient as they do not wholly account for the complex range of users and environments those solutions must address. The U.S. 2016 federal cybersecurity R&D strategic plan named sociotechnical approaches as the path forward for the cybersecurity of systems and infrastructure. The plan called for further investigations of STC research, transition to practice, and workforce development.
In the STC name, we bridge two fields of study–sociotechnical studies and cybersecurity studies. For a primer on the sociotechnical space, we recommend Sawyer & Jarrahi (2014) Sociotechnical approaches to the study of Information Systems (pdf). For cybersecurity grounding, we recommend Craigen et al. (2014) Defining Cybersecurity (pdf).
STC holds a guest lecture series and a summer reading group. All live STC events will be held in a recorded Zoom webinar with meeting information shared after registration. All times are Eastern Standard Time. (Scroll down to view past events)
Our guest lecture series is off for the summer, but our annual summer reading group is back!
Upcoming Event Details
This summer, the reading group will meet via Zoom. Please email Shawn Janzen (email@example.com) to receive the Zoom meeting link.
Due to STC group availability, we will alternate meeting times every other week this summer between Wednesdays 12:00-1:00 pm and Thursdays 1:00-2:00 pm. See the weekly reading schedule below.
Wed Jul 7 (12-1p): Andrade & Yoo (2019) Cognitive security: A comprehensive study of cognitive science in cybersecurity. (pdf)
Thu Jul 15 (1-2p): David et al. (2020) Knowledge absorption for cyber-security: The role of human beliefs. (pdf)
Wed Jul 21 (12-1p): Watson et al. (2020) “We hold each other accountable”: Unpacking how social groups approach cybersecurity and privacy together. (pdf)
Thu Jul 29 (1-2p): Demjaha et al. (2021) You’ve left me no choices: Security economics to inform behaviour intervention support in organizations. (pdf)
Thu Aug 12 (1-2p): Quigley et al. (2015) ‘Cyber Gurus’: A rhetorical analysis of the language of cybersecurity specialists and the implications for security policy and critical infrastructure protection. (pdf)
Wed Aug 18 (12-1p): Boletsis et al. (2021) Cybersecurity for SMEs: Introducing the human element into socio-technical cybersecurity risk assessment. (pdf)
Thu Aug 26 (1-2p): Wang & Wang (2021) A sociotechnical systems analysis of knowledge management for cybersecurity. (pdf)
Join the conversation, request events, share research, readings, and more on the STC Discord server.
Contact STC Coordinator Shawn Janzen (firstname.lastname@example.org) for Discord access.
Faculty, staff, and students are examining the human context of privacy and cybersecurity to develop real-world solutions.
Professor and Dean, iSchool
Associate Professor, iSchool
Assistant Professor, iSchool
Web Content Coordinator, iSchool
PhD student, iSchool
Adjunct Lecturer, iSchool
Software Engineer, Johns Hopkins University School of Medicine
Assistant Professor, iSchool
Postdoctoral fellow, Cornell Tech Digital Life Initiative
Professor Emeritus, University of Maryland Baltimore County School of Public Policy
STC Guest Speaker
Member of the Maryland Bar
PhD student, University of Maryland Baltimore County School of Public Policy
STC Guest Speaker
Professor, University of California, Irvine School of Law
STC Guest Speaker
Assistant Professor, Institute for Security and Global Affairs, University of Leiden
Fellow, Cyber Statecraft Initiative at the Atlantic Council
STC Guest Speaker
Senior Associate, Booz Allen Hamilton
Professor, Smith School of Business
Usable Cybersecurity Researcher, NIST
Associate Professor, Dept. of Science & Technology Studies, Cornell University
Galina Madjaroff Reitz
Faculty Program Director & Senior Lecturer, iSchool
Jason R.C. Nurse
Associate Professor in Cyber Security, University of Kent
Visiting Academic, University of Oxford
Director, Unconventional Weapons and Technology Division (UWT), UMD START
Assistant Professor, New Jersey Institute of Technology
Affiliate, Center for Social Media and Politics at NYU
Soon joining the UMD iSchool
Speaker: Dr. Kevin Fu
Today, it would be difficult to find medical device technology that does not critically depend on computer software. Network connectivity and wireless communication have transformed the delivery of patient care. The technology often enables patients to lead more normal and healthy lives. However, medical devices that rely on software (e.g., drug infusion pumps, linear accelerators, pacemakers) also inherit the pesky cybersecurity risks endemic to computing. What’s special about medical devices and cybersecurity? What’s hype and what’s real? What can history teach us? How are international standards bodies and regulatory cybersecurity requirements changing the global manufacture of medical devices? This talk will provide a glimpse into the risks, benefits, and regulatory issues for medical device cybersecurity and innovation of trustworthy medical device software. This talk will also explore current and potential uses for sociotechnical approaches to medical device security, including identifying human-domain security challenges, and how these uses complement current practices.
Kevin Fu is Associate Professor of EECS at the University of Michigan where he directs the Security and Privacy Research Group (spqrlab1.github.io). During 2021, Fu is also Acting Director of Medical Device Cybersecurity at FDA’s Center for Devices and Radiological Health (CDRH) and Program Director for Cybersecurity, Digital Health Center of Excellence (DHCoE). He is most known for the original 2008 cybersecurity research paper showing vulnerabilities in an implantable cardiac defibrillator by sending specially crafted radio waves to induce uncontrolled ventricular fibrillation via an unintended wireless control channel. https://www.secure-medicine.org/hubfs/public/publications/icd-study.pdf. The prescient research led to over a decade of revolutionary improvements at medical device manufacturers, global regulators, and international healthcare safety standards bodies just as ransomware and other malicious software began to disrupt clinical workflow at hospitals worldwide.
Kevin was recognized as an IEEE Fellow, Sloan Research Fellow, MIT Technology Review TR35 Innovator of the Year, Fed100 Award recipient, and recipient of an IEEE Security and Privacy Test of Time Award. Fu has testified in the U.S. House and Senate on matters of information security and has written commissioned work on trustworthy medical device software for the U.S. National Academy of Medicine. He co-chaired the AAMI cybersecurity working group to create the first FDA-recognized standards to improve the security of medical device manufacturing. He founded the Archimedes Center for Healthcare and Device Security (secure-medicine.org). He is a founding member of the N95decon.org team for emergency reuse decontamination of N95 masks during PPE shortages. Fu served as a member of the U.S. NIST Information Security and Privacy Advisory Board and federal science advisory groups. Eleven years ago, Fu served as a visiting scientist at the U.S. Food & Drug Administration. Fu received his B.S., M.Eng., and Ph.D. from MIT. He earned a certificate of artisanal bread making from the French Culinary Institute and is an intermediate level salsa dancer.
Speaker: Dr. Jason Nurse
A cybersecurity incident can cripple an organization, particularly because of the related risk of significant reputational damage. As the likelihood of falling victim to a cyberattack has increased, so too has the importance of understanding what effective corporate communications and public relations look like after an attack. Key questions that need immediate answers include: What messages should be communicated to customers? How should correspondence be released? Who should speak to the media and public? In this talk, Dr. Nurse presents recent research into a playbook to support companies in deciding how to answer these questions and more. This work is grounded in real-world case studies and academic insights and has been validated and refined through interviews with senior security and crisis response industry professionals.
The published article can be found here: https://doi.org/10.1016/j.cose.2020.102036
Jason R.C. Nurse is an Associate Professor in Cyber Security at the University of Kent, and a Visiting Academic at the University of Oxford. His research explores the interdisciplinary nature of cybersecurity, privacy and trust. This especially considers the impact of new technologies on these areas. As a result of this broad remit, Dr. Nurse has had the pleasure of working across various domains including cybersecurity, psychology, and computational social science. Dr. Nurse has authored over 100 peer-reviewed articles, and he regularly speaks on cybersecurity in mainstream media including the Wall Street Journal, The BBC (and BBC Radio 4), Newsweek, Wired, Infosecurity Magazine, The Register, Naked Security and The Conversation. He can be reached on Twitter @jasonnurse or online at https://jasonnurse.github.io.
Speaker: Dr. Rebecca Slayton
Historians have tended to analyze maintenance as an intrinsically local activity, something very unlike the development of large technological systems. This article challenges this historiographic dichotomy by examining efforts to construct a global infrastructure for maintaining computer security. In the mid-1990s, as the internet rapidly grew, commercialized and internationalized, a small community of computer security incident responders sought to scale up their system of coordination, which had been based on interpersonal trust, by developing trusted infrastructure that could facilitate the worldwide coordination of incident response work. This entailed developing not only professional standards, but also institutions for embodying and maintaining those standards in working infrastructure. While some elements of this infrastructure became truly global, others remained regionally bounded. We argue that this boundedness resulted not from the intrinsically local nature of maintenance, but from the historical process of infrastructure development, which was shaped by regionally based trust networks, institutions, and needs.
Read the full paper here: https://preprint.press.jhu.edu/tec/sites/tec/files/Slayton_Clarke_preprint.pdf
Dr. Slayton is an Associate Professor in the Department of Science and Technology Studies at Cornell University. Dr. Slayton’s research and teaching examine the relationships between and among risk, governance, and expertise, with a focus on international security and cooperation since World War II. Some of her recent work includes two book projects supported by a five-year NSF CAREER award, “Enacting Cybersecurity Expertise.” One, Shadowing Cybersecurity, examines the emergence of cybersecurity expertise through the interplay of innovation and repair. The other book, in progress, examines tensions intrinsic to the creation of a “smart” electrical power grid. Dr. Slayton received the United States Presidential Early Career Award for Scientists and Engineers, for her NSF CAREER project. She was an AAAS Mass Media Science and Engineering Fellow and previously worked as a science journalist. Dr. Slayton earned a PhD in physical chemistry from Harvard University.
Speaker: Dr. Shauhin Talesh
Existing research suggests an increasing prevalence and reliance on data and technology across significant segments of society. This often takes the form of datafication, information capitalism, and involves data brokers. However, there has been less focus on the processes and mechanisms through which data and technology influence particular industries. Using cybersecurity as an area of focus, this study explores how data and technology influence how the insurance industry operates. We focus on cyber insurance, an area where insurers historically have lacked large actuarial data and have faced challenges on how to manage this risk. Drawing from interviews with over sixty persons in the insurance industry, analysis of big data, insurance applications, and industry materials, we find that technology is the mechanism through which insurers regulate. In addition to risk management, we explore how technology and managed security influence the underwriting, pricing, advertising, and purchase of insurance. We explore the implications of the rise of insur-tech for the insurance industry, cybersecurity, and society.
Professor Talesh is an interdisciplinary scholar whose work spans law, sociology, and political science. His research interests include the empirical study of law and business organizations, dispute resolution, consumer protection, insurance, and the relationship between law and social inequality. Professor Talesh’s most recent empirical study addresses the intersection between organizations, risk, and consumer protection laws, focusing on private organizations’ responses to and constructions of laws designed to regulate them, consumers’ mobilization of their legal rights and the legal cultures of private organizations. Professor Talesh’s scholarship has appeared in multiple law and peer-reviewed social science journals including Law and Society Review and has won multiple awards in Sociology, Political Science and Law & Society.
Please contact Professor Talesh about copies of the presentation slides or his working paper.
Speaker: Dr. James Shires
Four hack-and-leak operations in U.S. politics between 2016 and 2019, publicly attributed to the United Arab Emirates (UAE), Qatar, and Saudi Arabia, should be seen as the “simulation of scandal” — deliberate attempts to direct moral judgment against their target. Although “hacking” tools enable easy access to secret information, they are a double-edged sword, as their discovery means the scandal becomes about the hack itself, not about the hacked information. There are wider consequences for cyber competition in situations of constraint where both sides are strategic partners, as in the case of the United States and its allies in the Persian Gulf.
James Shires is an Assistant Professor at the Institute for Security and Global Affairs, University of Leiden, and a fellow with the Cyber Statecraft Initiative at the Atlantic Council. He has written many articles and policy papers on cybersecurity, disinformation, and international politics, and has won awards from the Hague Program on Cyber Norms, the German Marshall Fund and the International Institute for Strategic Studies. His forthcoming book “The politics of cybersecurity in the Middle East” will be available from Hurst/Oxford University Press in summer 2021.
Author’s article related to this talk:
Shires (Fall 2020) The simulation of scandal: Hack-and-leak operations, the Gulf States, and U.S. politics. Texas National Security Review 3(4): 10-29
Click here for the article on the TNSR website.
Click here for the article as pdf.
Speakers: Dr. Donald Norris & Laura Mateczun
This talk discussed data and results from the first nationwide survey of cybersecurity among local or grassroots governments in the United States and examined how these governments manage this important function. As we have shown elsewhere, cybersecurity among local governments is increasingly important because these governments are under constant or nearly constant cyberattack. Due to the frequency of cyberattacks, as well as the probability that at least some attacks will succeed and cause damage to local government information systems, these governments have a great responsibility to protect their information assets. This, in turn, requires these governments to manage cybersecurity effectively, something our data show is largely absent at the American grassroots. That is, on average, local governments fail to manage cybersecurity well. After discussing our findings, we conclude and make recommendations for ways of improving local government cybersecurity management.
Donald F. Norris is Professor Emeritus, School of Public Policy, University of Maryland, Baltimore County. His principal field of study is public management, specifically information technology in governmental organizations, including electronic government and cybersecurity. He has published extensively in refereed journals in these areas. He received a B.S. in history from the University of Memphis and an M.A. and a Ph.D. in political science from the University of Virginia.
Laura Mateczun is a graduate of the University of Maryland Francis King Carey School of Law, and a member of the Maryland Bar. She is currently a Ph.D. student at the University of Maryland, Baltimore County School of Public Policy studying public management. Her research interests involve local government cybersecurity, criminal justice, and the importance of equity in policy analysis. She received her B.A. in Public Policy and Political Science from St. Mary’s College of Maryland.
One of the authors’ papers using this research:
Norris, Mateczun, Joshi, & Finin (2020) Managing cybersecurity at the grassroots: Evidence from the first nationwide survey of local government cybersecurity. Journal of Urban Affairs
Aug. 20 – Talesh (2018) Data Breach, Privacy, and Cyber Insurance (pdf)
Aug. 13 – Lawson & Middleton (2019) Cyber Pearl Harbor: Analogy, fear, and the framing of cyber security threats in the United States, 1991-2016 (pdf)
Aug. 6 – Shires (2020) Cyber-noir: Cybersecurity and popular culture (pdf)
Jul. 23 – Zhang-Kennedy et al. (2016) The Role of Instructional Design in Persuasion: A Comics Approach for Improving Cybersecurity (pdf)
Jul. 16 – Norris et al. (2019) Cyberattacks at the Grass Roots: American Local Governments and the Need for High Levels of Cybersecurity (pdf)
Jul. 9 – Chatfield & Reddick (2017) Cybersecurity Innovation in Government: A Case Study of U.S. Pentagon’s Vulnerability Reward Program (pdf)
Jul. 2 – Matatji et al. (2018) Socio-technical Systems Cybersecurity Framework (pdf)
Jun. 25 – Haber & Kandogan (2007) Security Administrators: A Breed Apart (pdf)
Jun. 18 – Botta et al. (2007) Towards understanding IT security professionals and their tools (pdf)
Aug. 14 – Clark-Ginsberg & Slayton (2019) Regulating risks within complex sociotechnical systems: Evidence from critical infrastructure cybersecurity standards (pdf)
Aug. 7 – Porter et al. (2019) Just This Once: Predicting When Work Pressures Lead to the Circumvention of Security Practices (pdf)
Jul. 31 – Wolff (2016) Perverse Effects in Defense of Computer Systems: When More Is Less. (pdf)
Jul. 24 – Elish (2019) Moral Crumple Zones: Cautionary Tales in Human-Robot Interaction (pre-print) (pdf)
Jul. 17 – Blythe et al. (2013) Circumvention of Security: Good Users Do Bad Things (pdf)
Jul. 10 – Craigen et al. (2014) Defining Cybersecurity (pdf)
Jul. 3 – Sawyer & Jarrahi (2014) Sociotechnical approaches to the study of Information Systems (pdf)