While organizations and governments can take different measures to maximize cybersecurity protection and deterrence, the issue is actually individual humans unwittingly making mistakes, which helps aid cyber attackers. Regular citizens do not have access to the training and protections employed by the government against cyber attacks, so they often make mistakes that make them vulnerable to cyber attackers.
Because of this, governments are taking a new approach to cyber security: responsibilization. Essentially, instead of governments solely taking on all responsibility of ensuring cyber protections for its citizens, governments are training citizens to be in part responsible for their own cyber security. However, there is the concern that with this ideology comes the assumption that citizens who do not manage risk in the way they were instructed to by their government deserve the cyber attacks that come their way.
Australia is one country that takes the approach of responsibilization. They state “We are all responsible for our own activities in cyberspace, including being aware of the risks and how to protect ourselves and those who we are connected to”.
Some issues with the inherent assumptions made by the responsibilization approach are that there is no obvious route for cyber security advice from the government to reliably reach every citizen, risk perceptions do not necessarily guarantee adoption of precautionary cyber security behaviors, citizens will not always necessarily act on cybersecurity advice even if given it by the government, and that citizens will not always report attacks or know when they have been attacked.
Because there is still relatively little known about cyber threats and cyber attacks, it is still not known whether responsibilization, or assumption of all cyber security responsibilities by the government is the best approach to protecting the people.
Author:
Karen Renaud, Craig Orgeron, Merrill Warkentin, P. Edward French