
Cyber negotiation: a cyber risk management approach to defend urban critical infrastructure from cyberattacks

Pages 90-116 | Received 12 Aug 2018, Accepted 17 Dec 2018, Published online: 01 Mar 2019
 

ABSTRACT

Technical tools dominate the cyber risk management market. Social cybersecurity tools are severely underutilised in helping organisations defend themselves against cyberattacks. We investigate a class of non-technical risk mitigation strategies and tools that might be particularly effective in managing and mitigating the effects of certain cyberattacks. We call these social-science-grounded methods Defensive Social Engineering (DSE) tools. Through interviews with urban critical infrastructure operators and cross-case analysis, we devise a pre, mid and post cyber negotiation framework that could help organisations manage their cyber risks and bolster organisational cyber resilience, especially in the case of ransomware attacks. The cyber negotiation framework is grounded in both negotiation theory and practice. We apply our ideas, ex post, to past ransomware attacks that have wreaked havoc on urban critical infrastructure. By evaluating how to use negotiation strategies effectively (even if no negotiations ever take place), we hope to show how non-technical DSE tools can give defenders some leverage as they engage with cyber adversaries who often have little to lose.

Acknowledgements

The authors would like to thank the Internet Policy Research Initiative (IPRI) at the Massachusetts Institute of Technology for funding this important effort. The authors would also like to thank Adam Hasz for his contributions to the study of Defensive Social Engineering and our broader research effort. Finally, the authors would like to thank the urban critical infrastructure operators who agreed to be interviewed for this research and for reviewing the manuscript.

Disclosure statement

No potential conflict of interest was reported by the authors.

Notes on contributors

Gregory Falco is a hacker and critical infrastructure cybersecurity expert. He is a postdoctoral scholar at MIT's CSAIL and Stanford's FSI having earned his PhD from MIT in Cybersecurity, Urban Science and Infrastructure Management.

Alicia Noriega is an energy infrastructure expert having earned her Masters in Urban Planning, Environmental Policy and Energy Planning from MIT's DUSP.

Lawrence Susskind is the Ford Professor of Environmental and Urban Planning at MIT's DUSP. He was one of the Co-founders of the interuniversity Program on Negotiation at Harvard Law School, where he now directs the MIT-Harvard Public Negotiations Program, serves as Vice Chair for Education, and co-directs the Negotiation Pedagogy Initiative.

Notes

1 GDPR is a regulation that replaces the Data Protection Directive established in 1995. The Data Protection Directive set a minimum level of requirements concerning personal data privacy, and in 2012 the directive was recommended for overhaul to reflect the modern digital age. The GDPR is a more robust mechanism to protect data privacy built for today's pervasive technology environment. In addition to reinforcing previous data privacy rights, the GDPR provides the right to data portability, the right not to be profiled using your data, and the right to be forgotten, among others. GDPR also requires large-scale private and public organisations to appoint a Data Protection Officer to ensure compliance with GDPR (European Data Protection Supervisor 2018). GDPR requires data protection for all EU citizens, regardless of where the data is stored or where the company is based. Perhaps the most impactful component of GDPR is that fines and penalties will be levied for non-compliance.

Additional information

Funding

The work was funded by the Internet Policy Research Initiative @ MIT.
