Human-Centric Cybersecurity Partnership (HC2P)

SSHRC Partnership Grant

The Human-Centric Cybersecurity Partnership (HC2) leverages a transdisciplinary group of scholars, government and industry partners to generate and mobilize knowledge that will help create a safer, more secure and more democratic digital society.

A broad and increasing range of online harms is undermining the benefits that derive from our easy access to the internet. From election interference to massive data breaches affecting millions of consumers, and from destructive cyberattacks targeting critical infrastructures to low-end phishing emails landing daily in Canadians' inboxes, not a day goes by without media headlines highlighting the perils of digital technologies.

The main challenges faced by governments, businesses and individuals to address cyber-risks are their complexity (many public and private stakeholders are involved and work in silos), their unpredictability (cyber attackers innovate constantly in their exploitation of technical and human vulnerabilities), and their inevitability (digital products and services are designed without considering security as a core feature, making them intrinsically vulnerable and easy to hack). As a result, governments lag in the policies and intervention strategies that they use to protect citizens against online harms, businesses have limited economic incentives to improve their posture, while individuals need more effective advice and guidance on how to adopt the good digital habits that will reduce their exposure to online risks.

The HC2 Partnership contends that cybersecurity is no longer an exclusively technical problem, but a social problem that needs human-centred solutions. Its research program explores the two defining features of human-centric cybersecurity: the complex interactions between humans and machines, on one hand, and the new configurations of public, private and not-for-profit stakeholders, on the other hand.

To do so, the HC2 Partnership brings together 29 social science and computer science scholars and 29 government, industry and not-for-profit partners that serve millions of users across Canada. Together, they examine the role that the human factor plays in cybersecurity, both as a source of vulnerability and as a formidable and under-used asset to improve the protection of our digital systems. Ten research projects organized in three clusters will study how public policies and institutions need to adapt to this new risk landscape, what legislative and regulatory tools are needed to deliver both cybersecurity and privacy, and what behavioural change approaches can support individual users.

The HC2 Partnership will train the next generation of human-centric cybersecurity professionals through a Massive Open Online Course, an annual international summer school, an internship program, a professional development program, and K-12 cybersecurity literacy content.

The HC2 Partnership will pursue the three following objectives:

  1. Map the various configurations in which the human factor contributes to the emergence of cyber-risks at various levels of analysis (individual, organizational, societal);
  2. Identify and develop human-centred policies, strategies, interventions, and technical solutions that can address and mitigate the online harms experienced by Canadian users, institutions, and companies, and assess their expected or demonstrated effectiveness;
  3. Design, implement, and evaluate translational cybersecurity methodologies that accelerate the pace of knowledge mobilization and increase its research impact.

The HC2 Partnership is structured around three main research clusters (Society, Regulations, and Users) and ten research projects that have in common their exploration of two core issues that define human-centric cybersecurity: the complex interactions between humans and machines and the new configurations of public and private stakeholders.

The Society cluster examines institutional adaptations to the changing risk landscape created by malicious online actors and identifies additional steps that can be taken to enhance responses and increase protection of individuals. Particular interest is given to cooperation between public and private institutions in mapping the organizational innovations (such as reconfigured intergovernmental relations or creation of new institutions) required to address new risks effectively.

The Regulatory cluster adopts a more focused approach in investigating the diverse range of regulatory responses that can be harnessed to improve cybersecurity and privacy outcomes for individual and corporate users. A pluralistic approach examines state-based coercive forms of regulatory interventions, seen as an important form of governance, as well as the self-regulatory practices, such as standards and norms, developed by private and quasi-public institutions. The focus is on the effect of regulatory outcomes on privacy, transparency, accountability, and responsibility for effective security.

The Behavioural cluster focuses on the individual level to understand the mechanisms through which interactions between humans and machines deliver negative or positive outcomes. The 'user' label encompasses a broad range of individuals, such as cyber-offenders of different kinds, victims, and everyday users who display risky behaviours. This leads to an examination of both the social structure and dynamics of online risks and malicious interactions, and of how poorly designed machines and applications can trigger biased decisions that may result in online harms. The goal is to produce design principles that improve intervention strategies, empower everyday users, and make computer interfaces more usable.

The ten projects will tackle the following issues:

1. Defending democracy (the cybersecurity of elections)

How can we guarantee the integrity of democratic processes in a digital society where cyber-threats, ranging from disinformation to faulty technology, are omnipresent?

2. Enhancing cyber-resilience

How can the flows of data and energy that critical infrastructures provide, and that sustain modern societies, be maintained in the face of cyber-attacks?

3. Adapting institutions

Lead: Christian Leuprecht

How can existing institutions adapt their policies and practices to the new risk landscape and what new mechanisms or institutions are needed to make public interventions more effective?

4. Supporting evidence-based policies

How do we develop cybersecurity and cybercrime prevention policies that are supported by a strong evidence base and how do we disseminate these policies to end users?

5. Protecting privacy

How do privacy and cybersecurity legal frameworks interact in the current risk landscape and how are these interactions likely to develop as new technologies such as big data, AI and quantum computing reach maturity?

6. Increasing transparency and accountability

What new regulatory tools will be needed to improve the accountability and transparency of public and private institutions that deliver cybersecurity without stifling innovation?

7. Standardizing cybersecurity

What role do technical and regulatory standards play in promoting cybersecurity practices and fostering cyber-resilience?

8. Disrupting cybercrime networks

How do computer-facilitated communications impact the structure of organized crime networks and what are the implications for law enforcement interventions?

9. Enabling user behavior change

How can behavioral economics approaches be leveraged to enhance cybersecurity and how can social psychology principles be embedded into digital technologies to enable interventions that can scale?

10. Designing more usable machines and interfaces

How should machines be designed to enhance the quality of the human decision-making processes that are related to cybersecurity practices?