Social science should be at the centre of cyberspace management "at all levels of national policy, enterprise development and human welfare", according to a new report from the Social Cyber Institute.
The report, Creating Cyber Social Value [PDF], proposes that a social science perspective could help mitigate what it calls the "Five I" problems. Failing to address these problems could cost vast amounts of money. They are:
- Cyber insecurity: Shipping giant Maersk lost $300 million to the NotPetya ransomware attack in 2017, for example.
- Cyber incompetence: Australia's financial crime investigation agency, the Australian Transaction Reports and Analysis Centre (AUSTRAC), hit the Commonwealth Bank with an AU$700 million fine for failing to monitor for possible money laundering.
- Cyber intransigence: A 2014 report [PDF] from PwC estimated that slow digital transformation and slow uptake of related technologies are costing Australia $37 billion over a decade.
- Cyber ignorance: In 2013, a hoax tweet sent via the official Associated Press account claimed there'd been an attack on President Obama in the White House. It crashed the stock market in mere minutes.
- Cyber insensitivity: Facebook's share price dropped 44% in 2018 and 2019 as it struggled to adapt to new global expectations for privacy and security. Facebook was eventually forced to pay fines of $5 billion.
Security in cyberspace has already expanded well beyond the technical sphere, according to the report's authors. Cyber incompetence is "largely unstudied outside the technical realm", they write, but it may be even more costly and far more common than high-profile cyber attacks.
"No one is tracking the number of deaths caused by computer error in hospitals and on our roads, much less framing a comprehensive policy response", said Greg Austin, who's also professor of Cyber Security, Strategy, and Diplomacy with the University of New South Wales Canberra.
"Behind each death by computer error is a human mistake, usually caused by faults in management of the cyber ecosystem."
Austin's co-author, professor Glenn Withers, the immediate past president of the Academy of Social Sciences of Australia, says that we need a new concept: "Social cyber value".
Social cyber value would be a measure of "optimised information ecosystem performance", he said. It's about maximising benefit while minimising insecurity and incompetence.
"We have to recognise human use and misuse of relevant technology as central."
In all organisations, decisions about digital transformation can either undermine or enhance security, and the effectiveness of those decisions depends on the competence levels of the decision-makers.
Leaders, managers, and users might also be "swayed by disinformation generated by the media or even vendors in fast-moving situations", something the authors call an "equally important threat to business and security".
They see the problem as "lying well beyond the traditional positioning of cybersecurity as a separate domain of largely defensive activity led by a class of technically qualified 'cyber guardians'".
"In the same way that national security depends on deeper social and economic realities of a country, so too security in cyber space, either for a large corporatised entity or a country, depends on harmonisation of the social, ethical, and economic aspects of cyber space with the technical."
The authors call for a radical shake-up in organisational structures, recommending that reporting lines be reorganised to a new post: a Senior Vice President for Cyber Ecosystems.
That position would have four direct reports: the VP for Human Resources to manage the "digital human capital"; the chief information officer (CIO), concerned with the functionality of current IT systems; the chief information security officer (CISO), concerned with the security of those systems; and the VP Strategy, focused on "seizing profit gains from future IT transformation".
"A central assumption of this idea of optimised social cyber value is that solutions will be unique to each organisation and that each organisation needs to invest in longitudinal social science research by in-house teams to devise optimal outcomes," the report says.
"The field of activity is simply too complex to leave to the imagined leadership judgement of senior executives uninformed of detailed consequences."
The authors even ask whether countries might need a "Bureau of Software Safety to prevent spiralling numbers of deaths by computer error".