A Socio-Technical and Co-Evolutionary Framework for Reducing Human-Related Risks in Cyber Security and Cybercrime Ecosystems

The focus on cyber security as an interaction between technical elements and humans has typically confined consideration of the latter to practical issues of implementation, conventionally those of `human performance factors' of vigilance etc., 'raising awareness' and/or 'incentivization' of people and organizations to participate and adapt their behavior. But this is far too narrow a view that seriously constrains the ability of cyber security as a whole to adapt and evolve to keep up with adaptive, innovative attackers in a rapidly-changing technological, business and social landscape, in which personal preferences of users are also dynamically evolving. While there is isolated research across different research areas, we noticed the lack of a \emph{holistic} framework combining a range of applicable theoretical concepts (e.g., cultural co-evolution such as technological arms races, opportunity management, behavioral and business models) and technological solutions on reducing human-related risks in the cyber security and cybercrime ecosystems, which involve multiple groups of human actors including offenders, victims, preventers and promoters. This paper reports our ongoing work in developing such a socio-technical framework 1) to allow a more comprehensive understanding of human-related risks within cyber security and cybercrime ecosystems and 2) to support the design of more effective approaches to engaging individuals and organizations in the reduction of such risks. We are in the process of instantiating this framework to encourage behavioral changes in two use cases that capture diverse and complicated socio-technical interactions in cyber-physical systems.