Building Cybersecurity Awareness: The need for evidence-based framing strategies

The article covers some of the reasons it is difficult for government, policymakers, companies, and individuals to act on cybersecurity, either through increased awareness, spending, or law enforcement. These difficulties are mainly caused by paradoxes in policy-making. For example, the government has the goal of citizen protection and privacy, but at the same time, this requires backdoor access to detect terrorism, which then compromises the feeling of privacy. Companies can increase cybersecurity strength through spending, but spending too much might leave a negative public image since people might suspect the company as a cyberattack target. Individuals need to educate themselves and follow proper cybersecurity measures, yet the motivation is lacking since the impact of the threats and attacks usually falls on someone else. In order to increase awareness and strength of cybersecurity on an international level, nations need to collaborate, and yet most do not trust each other. It also becomes difficult to place blame and form accusations when the nature of the Internet allows for ease of anonymity. It is these contradicting ideas that limit progress towards a stronger and more aware world of cybersecurity. The author suggests that we need to use a persuasion tactic called message framing to increase awareness. Message framing is the strategy of communicating an idea with easy-to-understand main arguments that are difficult to challenge; i.e., to reduce the complexity of some problem. In many cases, cyberattacks are quiet and difficult to detect, making the impact of potential threats less ominous than it should be, compared to say, very physical threats in traditional war and terrorism. The reverse is also true—often times, cyberthreats are exaggerated to the point of unrealism. To effectively increase awareness and thus action on cybersecurity, we need to use message framing with a few particular points in mind. One is to avoid a dystopian view of cybersecurity, since it promotes the idea that dealing with cyberthreats is beyond our control. Another is to make it clear who the “heroes” and “villains” are. We need to put a face to the organizations, companies, and individuals behind the deployment of state-of-the-art cybersecurity systems that increase our protection. We also need to show recognizable adversaries who unambiguously are responsible for cybercrime. In addition, it’s important to present how cybersecurity can benefit other areas than security alone. For example, stressing the economic boost of building up expertise in cybersecurity (and thus adding economic value and job availability) might convince some policymakers to take action. Personalization also helps the relatability of a message frame about cybersecurity. People come from different environments and institutions, each of which may be affected by cyberthreats differently, so a uniform approach to explaining aspects of cybersecurity usually won’t cut it. Finally, we should connect easily recognizable problems with cybersecurity to increase its perceived importance. For instance, combatting terrorism can be done through the Internet, and acts of terrorism themselves are often orchestrated over the Internet. Keywords: cybersecurity, information security, cyberphysical system, cyberphysical society, cyberwar, Internet of Things, framing, communication, evidence-based policymaking