Saïd Business School Research Papers
August 2016
Cyber Harm: Concepts, Taxonomy and Measurement
Ioannis Agrafiotis Dept. of Computer Science, University of Oxford
Maria Bada Global Cyber Security Capacity Centre, University of Oxford
Paul Cornish Global Cyber Security Capacity Centre, University of Oxford
Sadie Creese Global Cyber Security Capacity Centre, University of Oxford
Michael Goldsmith Global Cyber Security Capacity Centre, University of Oxford
Eva Ignatuschtschenko Global Cyber Security Capacity Centre, University of Oxford
Taylor Roberts Global Cyber Security Capacity Centre, University of Oxford
David Upton Saïd Business School, University of Oxford
Saïd Business School RP 2016-23

The Saïd Business School’s working paper series aims to provide early access to high-quality and rigorous academic research. Oxford Saïd’s working papers reflect a commitment to excellence, and an interdisciplinary scope that is appropriate to a business school embedded in one of the world’s major research universities. This paper is authored or co-authored by Oxford Saïd faculty. It is circulated for comment and discussion only. Contents should be considered preliminary, and are not to be quoted or reproduced without the author’s permission.
Cyber Harm: Concepts, Taxonomy and Measurement

Ioannis Agrafiotis*, Maria Bada§, Paul Cornish§, Sadie Creese§, Michael Goldsmith§, Eva Ignatuschtschenko[1],§, Taylor Roberts§, David Upton†

Abstract

Coherent, adaptable and durable cybersecurity capacity-building requires a comprehensive and in-depth understanding of harms that can be caused by cyber-events. At the national level, the avoidance and reduction of harm is a central feature in all efforts to develop cybersecurity policy, strategy and capacity. This article offers a taxonomy of cyber harm, which enables a better understanding of how harm is manifested within and outside of cyberspace, and proposes an initial set of metrics and methods to assess cyber harm in national contexts. Based on this framework, a national Cyber Harm Model (CHM) would form the basis for a comprehensive and durable cybersecurity policy by contextualising and validating cybersecurity capacity research that has resulted in the development of the National Cybersecurity Capacity Maturity Model (CMM).
Introduction

The Global Cyber Security Capacity Centre (hereinafter Capacity Centre) aims to increase the scale and effectiveness of cybersecurity capacity-building through the application of rigorous analysis and by making the fullest use of emerging global expertise in capacity-building. A major output of this research is the Capacity Centre’s National Cybersecurity Capacity Maturity Model (CMM).[2] A comprehensive understanding of harms threatened or caused by cyber-events[3] is required if cybersecurity capacity-building around the world is to be coherent, adaptable and durable. At the national level, the avoidance and reduction of harm is a central feature in all efforts (in public policy as much as in the private sector) to develop cybersecurity policy, strategy and capacity. For cybersecurity capacity to be both relevant and efficient, and for efforts at harm reduction and avoidance to be credible, an understanding of the sources, scale and consequences of plausible cyber harm is essential. Hence, as well as the CMM exercise, the Capacity Centre is developing a complementary model for the systematic assessment of harm – in the first instance at the national level. This article sets out an initial model for national cyber harm assessment and measurement, as the basis for a comprehensive and durable cybersecurity policy. The article begins by exploring the distinctive nature of cyber harm.

[1] Corresponding author, eva.ignatuschtschenko[at]cs.ox.ac.uk.
* Department of Computer Science, University of Oxford; § Global Cyber Security Capacity Centre, University of Oxford; † Saïd Business School, University of Oxford
[2] Global Cyber Security Capacity Centre, University of Oxford (2014). Cybersecurity Capacity Maturity Model. Available at https://www.sbs.ox.ac.uk/cybersecurity-capacity/content/national-cybersecuritycapacity-maturity-model-cmm.
[3] In the context of the CHM, cyber-event (also: cyber-incident) shall be defined as the projection of an ICT operation resulting in kinetic or non-kinetic consequences that threaten or otherwise destabilize national security; harm economic interests; create political or cultural instability; or hurt individuals, devices or systems (adapted from: http://www.afcea.org/content/?q=incoming-what-cyber-attack).
Cyber harm

Cyber harm is generally understood as the damaging consequences resulting from cyber-events, which can originate from malicious, accidental or natural phenomena, manifesting themselves within or outside of the Internet.

The idea of cyber harm is commonly associated with the damaging consequences of cyber-events, which can be caused not only by deliberate and malicious action but can also be the unanticipated result of accidental action or natural phenomena. And the ‘damaging consequences’ need not be limited to ICT; physical and emotional harm – both material and personal – can also be envisaged. In other words, where cyber harm is concerned, the spectra of both cause and consequence are unusually wide.

The article offers a preliminary taxonomy of cyber harm as well as a set of metrics. By these means, the national Cyber Harm Model (CHM) will contextualise and validate the cybersecurity capacity-building exercise presented in the CMM. Furthermore, in order to facilitate the development of effective and durable cybersecurity policy and strategy, the CHM will enable a more incisive understanding, both quantitatively and qualitatively, of Value at Risk in Cyberspace (VaRiC).[4] The model will assess VaRiC not only in the classic sense of threat/hazard on the one hand and vulnerability/dependency on the other, but also in terms of a more qualitative ‘cascade’ of harm to a wide variety of cyber-assets, stakeholders and dependencies, many of which might at first glance seem to be disconnected (actually and figuratively) from the digital world. This enhanced understanding will in turn prompt a more nuanced approach to conceptualising harm management, providing a utility/benefit test with which to assess the actual and projected merits of a national cybersecurity posture in general, and in particular the quality and credibility of investments made in cybersecurity capacity and harm reduction.

Disadvantages of a threat-centric approach

A distinctive feature of the CHM is its focus on cyber harm rather than cyber-threats, attack types and vectors, which are emphasised in most conventional approaches.
To date, attempts to identify and measure the harm caused by inadequate cybersecurity have used various devices to express the severity of the attack: the scale of the direct financial loss incurred; the value to the national economy of stolen intellectual property; the damage to national security caused by the loss of classified material; or, most simply of all, the number of people affected by an attack (e.g. the number of victims of a large-scale e-fraud scheme in the retail-banking sector). In most such cases, harm analysis begins with often rather uncritical assumptions about a given threat: its source, sophistication and severity. These measurements, and the assumptions upon which they are based, influence how governments and organisations devise harm management frameworks and mitigation strategies. Yet with new types of cyber-attack[5] methods and vectors being discovered with alarming regularity, harm management frameworks and mitigation strategies which focus too closely on identifying known threats and attack methods and defending against them must always be reactive rather than adaptive and anticipatory. Moreover, a threat-based approach too often lends itself to a linear, cause-and-effect analysis in which tangential and/or second-order harms to individuals, organisations and even society itself might be overlooked, even though these consequences might be more severe than the immediate harm. Cascading consequences and effects might also be overlooked if one or another organisational perspective assumes exclusive importance, such that a broader delta of effects, including the psychological effect upon individuals, is simply overlooked and not therefore considered relevant to the respective harm management strategy. Furthermore, cyber harm to individuals need not be limited to psychological or financial impacts. In the past, the possibility of physical harm to individuals caused by cyber threats has been dismissed as science fiction. Yet with ever more sophisticated, networked information technologies appearing in sectors such as health care, hackers are increasingly able to inflict serious physical damage to human health by bypassing the often absent or weak security of these new products.

[4] For a discussion of the VaRiC (or cyber VaR) approach, see chapter 3.1.3.
Analysing harm too narrowly, in terms of the nature of the attack or the intent of the attacker, risks overlooking the second- and even third-order effects of an attack and may prevent a comprehensive understanding of significant interdependencies within vulnerable systems. A threat-based approach to harm assessment and management is unlikely to be sufficient to meet the flexible and dynamically changing environment of cybersecurity; unlikely, in other words, to cover the spectra of cause and consequence referred to above.

Relationship between cyber harm and cyber risk

Although the term cyber risk[6] is commonly used in national cybersecurity strategies,[7] its definition varies. For instance, Finland’s Cyber Security Strategy defines cyber risk as “the possibility of an accident or vulnerability in the cyber domain which, if it materialises or is being utilised, can damage, harm or disturb an operation that depends on the functioning of the cyber domain.”[8] The Institute of Risk Management applies a narrower notion of cyber risk by focusing on organisations and their financial loss or reputational disruption or damage.[9] A common element in these is the relationship between the probability and impact of a detrimental cyber-event, which corresponds to general risk analysis models. Cyber harm can thus be seen as a core component of cyber risk analysis, as it describes the negative impact upon an entity, whether individual, organisational or national. A comprehensive understanding of cyber harm will therefore allow for a more accurate analysis of cyber risks and, eventually, enable more effective risk management approaches. Thus, an assessment of cyber harm needs to take place before any grounded discussion of cyber risk. One method to bridge current risk assessment and management practices is to adapt the Value at Risk concept to cybersecurity (see chapter 3.1.3). This article proposes a modified version of Value at Risk in Cyberspace (VaRiC), which takes account of variation both in value (quantitative and qualitative) and in vulnerability (including physical, reputational, psychological, etc.), whether direct or through dependency networks.

Operationalisation of the harm model

In order to contain the adverse consequences of cyber-attacks – lost revenue, competitive disadvantage, reputational damage, psychological impairment and reduction of shareholder value, for example – it is essential for governments and organisations to enhance their cybersecurity capacity in such a way that they can adapt in a timely fashion to changes in the cybersecurity risk environment. To this end, governments and organisations with value at risk in cyberspace should all seek to base their adaptive policy and strategy on a common vision and culture, enabling the efficient, cross-domain transfer of best practice and eliminating sector-specific weaknesses and vulnerabilities. As well as practical considerations, if it is to serve as the basis for policy and strategy which are credible, coherent and durable, a cyber harm assessment framework should also adopt a normative position consistent with the values and interests it is designed to protect.

[5] In the context of the CHM, cyber-attack shall be defined as a deliberate cyber-event.
[6] Cyber risk refers to the possibility of an accident or vulnerability in the cyber domain which, if it materialises or is being utilised, can damage, harm or disturb an operation that depends on the functioning of the cyber-domain.
[7] For example, the UK Cyber Security Strategy identifies a risk-based approach as one of the core principles of cybersecurity.
[8] Finland, Secretariat of the Security and Defence Committee (2013). Finland’s Cyber Security Strategy. Ministry of Defence.
[9] The Institute of Risk Management (2014). Cyber Risk: Executive Summary. London: The Institute of Risk Management.
An operationally applicable model for cyber harm assessment should therefore have the capacity to undertake the following tasks:
a) Determine whether a perceived or anticipated cyber harm can be mitigated appropriately through sufficient cybersecurity capacity/resilience; and if not
b) Judge whether or not foreseeable harms were intended by the attacker; and if so
c) Gauge the proportionality of various forms of defensive response; and finally
d) Assess how much (if any) of an adversary’s rights should be forfeit as a result of having threatened or caused such harm.

From a governmental point of view, a cyber harm model would significantly improve political and strategic assessments of assets and interests that might be vulnerable and should assist in prioritising investments in cybersecurity capacity. Further, a cyber harm model should help build business cases for strategic investment in cybersecurity capacity in order to mitigate harm which cannot be avoided (i.e. in spaces where it is important for society and organisations to continue operating despite apparent risks). A CHM should also enable a critical gap analysis, revealing potential harms which can be neither avoided nor mitigated.

Research design

In contrast to the CMM, which is a primarily operational model and tool for national cybersecurity capacity maturity reviews, this article, proposing an initial approach for a national CHM, applies a more theoretical focus on exploring cyber harm. The discursive style was chosen deliberately to form a robust and scientifically rigorous foundation for the development of a universal CHM, even though the format might not translate directly into policy response. Instead, this article lays the groundwork for establishing comprehensive measurements for cyber harm assessment and creating a model that will serve as a policymaking tool through future work and conversion of the research results into an operational framework. The research question governing the development of the CHM is straightforward: what are the specific characteristics of cyber harm and how can it be identified, described and measured? In order to address this question, the CHM adopts a largely qualitative yet empirically-based approach, using a grounded theory framework.[10] Further development of the CHM will draw upon a series of interviews and focus group consultations (key informant, structured, semi-structured and open-ended) with recognised experts in cybersecurity and cyber harm in government, the private sector, academia and other relevant sectors.

Structure of the article

The following part of the article provides a brief elaboration of the research design underpinning the development of the CHM, addressing the grounded theory approach in detail. The third part catalogues the main streams of research and analysis relating to cyber harm, beginning with a discussion of the meaning of ‘harm’ in the broadest sense and as it has developed in various fields such as legal philosophy, drug harm reduction and criminology. The fourth part of the article provides a taxonomy of cyber harm together with a framework of cyber harm assessment metrics. Finally, the article concludes by discussing the link between cyber harm and cybersecurity capacity, thereby creating a framework for strategically approaching cybersecurity investments and interventions at the national level.

[10] Strauss, A. and Corbin, J.M. (1990). Basics of qualitative research: Grounded theory procedures and techniques. Sage Publications, Inc.
Research Design: Grounded Theory

Without a reference point of some kind, the notion of cyber harm is a mere abstraction, lacking both substance and authority. In response to the question ‘harm to what?’, the article offers a hypothetical, ideal-type baseline: an ordered and stable e-society where everything is open to everyone, with no security policies or constraints required to protect anything. The grounded theory approach makes it possible to construct a model out of empirical data, which will be collected by a rapid evidence assessment and by conducting interviews with focus groups of stakeholders.[11] This method builds the groundwork for constructing the Cyber Harm Model through inductive and systematic research, although alternative or supplementary methodologies could be considered. Grounded theory takes an iterative approach: the coded and anonymised transcripts of the first interviews and their analysis will underpin the design of the second round of interviews, and so on. First- and second-round interview questions will be designed in order to understand how societies and governments perceive harm in different contexts and how (and when) it is believed that harm might actually occur. Third-round interview questions will focus on how societies, governments and people measure and prioritise harm in its various categories. To date, a comprehensive and in-depth model that allows the identification and management of national cyber harm has not been established. The authors of Understanding Cyber Harm for Organisations,[12] however, have proposed a five-step model to reason about cyber harm which organisations may experience. Adopting the same five-step model, the CHM conceptualises cyber harm in all its different forms, with specific emphasis on nations, and considers cascading effects in both cyberspace and the physical world.

Applying grounded theory, we suggest the following five lines of inquiry as the basis of a comprehensive cyber harm assessment, in order to identify:
1) Who and what can be harmed (individuals, groups, entities, etc.);
2) Different types of harm (physical, psychological, economic, etc.);
3) Stakeholders and their different priorities and perceptions of harm;
4) Potential measurements of harm, and analytical categories (including severity, likelihood, immediacy and direct vs. indirect harm); and
5) Who is responsible for acting upon different forms of harm (mandates).

[11] Glaser, B.G. and Strauss, A.L. (2009). The discovery of grounded theory: Strategies for qualitative research. Transaction Publishers.
[12] Agrafiotis, I., Nurse, J.R.C., Goldsmith, M., Creese, S., Upton, D. (2016). Understanding cyber harm for organisations. To appear in Saïd Business School WP 2016.
Figure 1: A Five Step Cyber Harm Assessment (diagram; its five panels read: 1. Who/what is harmed: mapping of potentially harmed parties; 2. Taxonomy of harm: different types of harm, direct and indirect forms of harm; 3. Stakeholders: identify and interview stakeholders; 4. Measuring harm: define quantitative and qualitative measurements for different classes of harm; 5. Mandates: identify who acts upon the different types of harm)
This five-step approach offers a better understanding of direct (i.e. immediate and first-order) and indirect (i.e. successive and second-order/third-order) forms of harm. It generates a taxonomy of harm classes, while recording the significance of different stakeholders’ perspectives and priorities and allowing for an assessment and measurement of the different classes of harm, which in turn enables the determination of responsibilities and mandates for preventative and responsive action.

The entry-point in this approach is to identify who or what could be harmed. The five-step model allows for the fact that harm can take place at several different levels, such as individual, group, organisational, cultural and societal. Initial analysis also makes it possible to identify key actors or parties affected by cyber harm; information that can be reviewed at subsequent points in the model’s evolution.

The second step is to identify the different classes of harm which could affect stakeholders on the various levels discussed above. We should observe that the harm model records the origin and intention of threats, rather than the different types of cyber-attack, focusing on the outcome as it concerns each respective stakeholder (i.e. critical national infrastructure can be destroyed, or put out of order, or made to leak sensitive information, etc.).

The third component is to acknowledge that different stakeholders are likely to have different perspectives upon and sensitivity to cyber harm. At the national level, for example, there will be individuals who work on critical infrastructures; corporate bodies and organisations which invest in and manage critical infrastructures; governments which take responsibility for the functioning of these networks and assets; and broad society that relies on the infrastructures. Each stakeholder is likely to perceive harm differently and will form their own views as to the consequences of harmful actions. For each stakeholder we will therefore identify different evaluative criteria, which they would use to perceive the various notions of harm. For example, if part of a network infrastructure is out of order there may be at least three different stakeholders for whom harm is relevant:
• The people who are responsible for supervising the network;
• The company which manages the network; and
• The nation/government which depends on the network.

We would then consider the different perspectives of each stakeholder to assess the various notions of harm. For employees we could consider the financial consequences of job loss. An organisation would be susceptible to reputational damage and perhaps cultural damage if the security posture of the organisation is required to become more stringent. For a government, there may be broad political and/or strategic considerations (harm to the nation’s reputation, provocation from a rival country) as well as societal implications (loss of trust within society, civil disorder).

Having established the harmed entities, the applicable classes of harm and relevant stakeholders, the model offers metrics and methods to assess the identified cyber harm with respect to the different types and subjects of harm. This exercise draws on existing measurements and metrics, and points to novel forms of data collection and analysis in support of a comprehensive and anticipatory identification of different cyber harm classes and their extent.

The fifth step is to identify the persons and organisations that have the mandate to act upon the different identified types of harm on various levels. This last step determines who would respond to a cyber-attack and in what way, but also what kind of proactive measures can be implemented to mitigate and reduce harm. The five-step approach allows for an informed elaboration of the initial understanding of harm.
Research Context

Current approaches towards assessing cyber harm

In the context of cybersecurity and cyber-attacks, the concept of harm, as distinct from the notion of impact, has been a largely under-researched topic; concrete definitions, conceptualisations or frameworks of cyber harm are still lacking. Accordingly, methods to understand and evaluate harm are not elaborated in great detail, although several publications (see below) suggest that there needs to be a more nuanced study of potential harms facing countries and companies through cyberspace. The authors of Mapping and Measuring Cybercrime[13] claim that the assessment of harm would require agreement on the manifestations of harm, evidence of which would constitute an incident for the purposes of measurement. However, the authors do not delve into how these manifestations of harm should be evaluated. On the other hand, when focusing on specific manifestations and scenarios of cyber harm, Alastair Stevenson draws attention to the potentially disastrous harms that could emerge from cyber-threats in the future, such as physical harm, but does not investigate their relationship to organisational asset management.[14] Other approaches to address cyber harm recognise the different ways that cyberspace enables, modifies, or amplifies traditional reflections of harm, but do not go into detail as to how this new transmission mechanism for harm changes approaches to harm assessment and management. For instance, Hargreaves and Prince[15] demonstrate that harm can be amplified through ICTs, such as in the case of fraud that is committed through means of spam. Other publications observe how traditional harms within society, such as bullying and self-harm, have been affected by cyberspace, but do not achieve quantifiable results.[16] Conversely, some authors focus on harms posed to networks, but these initiatives tend to observe only vulnerability interdependencies in order to map key network assets and do not extend to larger non-network related harms.[17] Identifying interdependencies of network assets is crucial to assess the most critical harms posed to assets that do not have a traditional harm model to draw from. In this way, such studies are a first step towards a comprehensive approach to overall cyber harm calculation and mitigation.

Current good practices in the organisational field of cybersecurity management involve the adoption of information risk management processes. These were first developed for information and network security, and later for information assurance. Herein the focus lies on impact assessment, which typically refers to the negative impact or consequences that result from cyber-attacks. However, there is no commonly accepted definition of impact within cybersecurity literature. Varying conceptualisations of impact across different disciplines and a limited consensus around best practices make the development of a consolidated methodology for measuring impact a challenging task. Nevertheless, the measurement of impact is essential if social, environmental and economic cyber harm indicators are to be credible. Currently, at least three approaches to assessing harm and impacts of cyber-attacks can be identified.

Costs of cybercrime and cyber-attacks

There is a variety of literature on costs associated with cybersecurity and cybercrime. Reports such as The Economic Impact of Cybercrime and Cyberespionage[18] and Measuring the Cost of Cybercrime[19] seek to quantify in financial terms the impact of cyber-incidents on the economy of a nation. Yet, while both acknowledge the difficulties of quantifying the indirect and intangible costs of cybercrime, they do not propose a definitive way to overcome these issues. Also, while the latter report acknowledges the differences between traditional crimes with a cyberspace or computer component and new crimes that arise from the advent of the Internet in their measurement of cybercrime, the authors draw attention to the various types of crimes rather than the harms posed to particular assets. These reports, along with a variety of security-vendor outputs, have focused on assessing cyber harm in terms of the “dollar damage”.

Harm as a component of cyber risk

Other approaches look at cyber harm identification and management as a component of overall cyber risk management.[20] While cyber-incidents may have positive impacts, whether intentional or unintentional, the concept of risk mainly concerns the negative consequences.

[13] Fafinski, S., Dutton, W.H. and Margetts, H. (2010). Mapping and Measuring Cybercrime. Oxford: Oxford Internet Institute (University of Oxford).
[14] Stevenson, A. (2013). “Cyber attacks will cause real world harm in next seven years,” V3. Accessed at http://www.v3.co.uk/v3-uk/analysis/2296357/cyber-attacks-will-cause-real-world-harm-in-nextseven-years.
[15] Hargreaves, C. and Prince, D. (2013). Understanding Cyber Criminals and Measuring Their Future Activity: Developing cybercrime research. Lancaster: Lancaster University.
[16] Goldblum, P.B., Espelage, D., Chu, J. and Bongar, B. (eds.) (2014). Youth suicide and bullying: Challenges and strategies for prevention and intervention. New York: Oxford University Press; Englander, E. (2012). Digital Self-Harm: Frequency, Types, Motivations and Outcomes. Bridgewater, MA: Massachusetts Aggression Centre.
[17] Singhal, A. and Ou, C. (2011). Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. NIST InterAgency Report. Gaithersburg: National Institute of Standards and Technology, U.S. Department of Commerce.
Hence, the management of risk is focused on prevention and mitigation of negative impacts, such as financial losses, impacts on the organisation’s strategy or operational activities, and stakeholder concerns. The International Standards Organisation (ISO) proposes a framework for qualifying cyber risk (ISO27005) that “takes business drivers and maps it against technology in terms of the business impact levels,”[21] and seeks to understand the technological enablers behind key business processes in order to assign an impact level if that asset is compromised. Most commonly, the aim of a risk assessment is to consider a situation, event or decision and identify where risks fall within the two axes of likelihood (low-high) and impact (low-high).

[18] Center for Strategic and International Studies (2013). The Economic Impact of Cybercrime and Cyber Espionage. Santa Clara: McAfee.
[19] Anderson, R. et al. (2012). “Measuring the Cost of Cybercrime,” in: The Economics of Information Security and Privacy (265-300). Berlin and Heidelberg: Springer.
[20] The Institute of Risk Management (2014). Cyber Risk. London: The Institute of Risk Management; Peckman, A. (2014). Cyber Risk Quantification – five ways organisations can benefit from quantifying cyber risks. London: Aon UK Limited; Roberts, P.F. and Kielstra, P. (2013). “Measuring the cost of cybercrime.” The Economist. Accessed at http://www.economistinsights.com/technologyinnovation/analysis/measuring-cost-cybercrime; Coalfire (2015). “Cybersecurity Framework: A Complete Framework for Managing Risk.” Coalfire. Accessed at http://www.coalfire.com/Solutions/Cyber-Risk-Management/Cybersecurity-Framework.
[21] Day, G. (2015). “Measuring Success in Cybersecurity,” FireEye. Accessed at https://www.fireeye.com/blog/executive-perspective/2015/03/measuring_success.html.
When building models to understand cyber risk in organisations, authors have applied different approaches. These models commonly analyse the behaviour of the attacker, attack trees and graphs, and security metrics to develop risk-analysis procedures. The Cyber Attack Modeling and Impact Assessment Component (CAMIAC)[22] expands on these models by suggesting an ‘anytime approach’, which will create results through a set of algorithms with different timelines and precision. Kundur et al. (2011),[23] on the other hand, focus their model on the relationship between cyber and physical grid entities in an electric smart grid. In this context, the risk of a given failure is defined through the plausibility and severity of system vulnerabilities, threats and attack-processes causing the failure, as well as the impact, which represents the quantified consequences of the failure. Both approaches have in common that they base their attack and impact assessment models on given classes of cyber-threats and a given network or system, such as the electrical grid. As regards national-level risk assessments, the ENISA Analysis Report of 2013[24] identifies best practices, common approaches, as well as lessons learned and key challenges. Harm is represented as one dimension of the risk concept, through notions of ‘consequence’ and ‘impact’. Vulnerabilities and threats form the other two dimensions of the conceptualisation. Although the understanding of the consequences goes beyond mere impact on infrastructure and also includes society and economy as affected entities, the individual level is disregarded. Moreover, the assessment of risk is conducted through a threat-centric lens, which can lead to marginalisation of consequence, impact and harm concepts. Indeed, the 2014 and 2015 ENISA Threat Landscape reports[25] merely mention impact, without embedding or expanding the concept within the proposed threat-assessment process.
These existing frameworks include harm and its relation to critical assets as an initial step toward mitigating cyber risk, but often do not provide a methodology for relating the selection of these assets to the potential harm posed to them. Nor do they draw from conventional models of harm, which may create a bias based on identified cyber-threats, thereby disregarding the offline environment in which harm manifests itself.
Value at Risk in Cyberspace (VaRiC)
Finally, there have been attempts to adapt the Value at Risk (VaR) financial management model to cyber risk. According to the World Economic Forum (WEF), cyber VaR26 is “envisioned to transcend traditional investment value at risk, unifying technical, behavioural and economic
22 Kotenko, I. and Chechulin, A. (2013). “A Cyber Attack Modeling and Impact Assessment Framework,” Proceedings of the 5th International Conference on Cyber Conflict, Tallinn: 1-24.
23 Kundur, D., Feng, X., Mashayekh, S., Liu, S., Zourntos, T. and Butler-Purry, K.L. (2011). “Towards modelling the impact of cyber attacks on a smart grid,” International Journal of Security and Networks 6 (1): 2-13.
24 Trimintzios, P. and Gavrila, R. (2013). National-level Risk Assessments: An Analysis Report. Heraklion: European Union Agency for Network and Information Security (ENISA).
25 Marinos, L. (2014). ENISA Threat Landscape 2014: Overview of current and emerging cyber-threats. Heraklion: European Union Agency for Network and Information Security (ENISA); Marinos, L., Belmonte, A. and Rekleitis, E. (2016). ENISA Threat Landscape 2015. Heraklion: European Union Agency for Network and Information Security (ENISA).
26 In the context of this article, cyber VaR and VaRiC are considered synonyms.
factors from both internal (enterprise) and external (systemic) perspectives.”27 Key components of this concept are: 1. the existing vulnerabilities and defence maturity of an organisation; 2. the value of the assets; 3. the profile of an attacker. The WEF also asserts that the cyber VaR approach should incorporate both direct and indirect cybersecurity costs, as well as threat type and frequency.28 The end goal of achieving cyber value at risk is certainly commendable, but the steps necessary to assess the direct and indirect costs of cyber harm have not been understood well enough to produce a sufficient result. A clear gap in contemporary research can be identified: currently, there is no methodology that allows an entity to assess the multitude of harms posed to critical assets. As previously demonstrated, there are publications that address particular cyber harms (technical, social, etc.), but they do not develop a methodological framework for measuring harm comprehensively. Nor does the existing work on cyber risk provide a sufficiently robust methodology for identifying assets according to the harm that could emerge from the malfunction of those assets caused by cyber-incidents. If a model for assessing cyber harm can be produced, it can feed into VaRiC models to provide an accurate assessment of risk exposure for organisations and thus strengthen cybersecurity capacity. To this end, this article provides the first steps towards identifying specific categories and parameters of cyber harm, which will inform the establishment of a comprehensive VaRiC approach, taking into account the specific nature and constant change of the cyber risk environment.
Understanding harm – a multi-disciplinary view
This chapter reviews the ways in which harm is understood and discussed in different contexts (e.g. social, professional, private), different sectors (e.g. governmental, industrial, academic) and different functional areas (e.g. financial, legal, medical). In some cases the relevance of the Cyber Harm Model might seem immediate and self-evident, but in other cases rather less so. Nevertheless, by taking the broadest possible sample of ideas, definitions and applications it will be possible not only to locate our discussion of cyber harm within a familiar context but also to ensure that any definition of cyber harm is itself robust and durable. Such an approach also avoids potential bias from a cyber-centric perspective that focuses on known cyber-attacks and threats and can lead to marginalisation or neglect of forms of harm that are less immediate or are indirect in nature.
Standard definitions
Physical damage, cost or consequences are commonly associated with the general concept of harm. Indeed, the Oxford English Dictionary even defines the term harm as physical injury.29
27 World Economic Forum and Deloitte (2015). Partnering for Cyber Resilience Towards the Quantification of Cyber Threats. Cologny/Geneva: World Economic Forum.
28 Hall, K. and Ramasubramanian, G. (2013). “How do you measure cyber risk?” World Economic Forum. Accessed at http://www.weforum.org/agenda/2013/11/how-to-measure-cyber-risk/.
29 “Harm”. Oxford Dictionaries. Oxford University Press, n.d. Web. 28 January 2016.
Other dictionaries incorporate mental or psychological damage within a (general) definition of harm.30
Summary: standard definitions of cyber harm
In the most basic linguistic context, (cyber) harm is associated with injury or damage, which can manifest itself both physically and emotionally. The understanding of cyber harm needs to recognise how cyber-attacks can cause physical and psychological harm.
Legal-philosophical approaches
Harm has been a defining concept within legal philosophy for determining which actions should be criminalised and which should not be considered offences. An analysis of the core theoretical concepts of harm in the legal-philosophical context allows for an assessment of the applicability of cyber harm within legal frameworks, i.e. does cyber harm classify as a form of harm in a legal sense? The harm concepts advanced by John Stuart Mill and Joel Feinberg have been the most discussed within this debate. Both authors view harm within a moral conceptualisation. Mill’s harm principle, as laid out in On Liberty,31 is an exclusive one, i.e. only actions that result in harm can justify the criminalisation of conduct. Hence, the prevention of harm is identified as the sole purpose for which power can be rightfully exercised over a member of society. Within his argumentation, the concepts of harm and wrongdoing are strongly connected. However, Mill does not attempt to provide a clear definition of what constitutes harm. Turning to Feinberg,32 we find a two-fold definition of harm. As a first step, harm is defined as a serious set-back of interests, where interests are “all those things in which one has a stake” and that define one’s wellbeing. These interests include physical health and vigour, absence of obsessive pain, intellectual competence, emotional stability, economic sufficiency and political liberty.
Hence, Feinberg’s harm principle goes beyond physical and psychological harm and acknowledges the validity of broader interests of individuals. Harm in this sense does not need to be caused by human actions, but could also be induced by external influence, e.g. through natural causes. Moreover, the intent underlying the human actions causing harm is irrelevant, which implies that actions that are not viciously motivated, such as accidents, can be included as sources of harm. In the further development of the harm principle, Feinberg adds a second notion of harm to the initial definition: harm as a wrong to another person. The ‘wronging’ in this context is to be understood as a violation of another person’s rights. In order to establish a profound and effective criminalisation framework, Feinberg asserts that harm should be defined as consisting of both elements. Thus, harm constitutes a serious set-back of interests that also wrongs the other person. It is noteworthy that harm according to Feinberg does not apply to:
30 “Harm.” Merriam-Webster.com. Merriam-Webster, n.d. Web. 28 January 2016; “Harm.” Cambridge Advanced Learner’s Dictionary & Thesaurus. Cambridge University Press, n.d. Web. 28 January 2016; “Harm.” Collins English Dictionary, n.d. Web. 28 January 2016.
31 Mill, J.S. (1869). On Liberty. London: Longman, Roberts & Green.
32 Feinberg, J. (1984). Harm to Others: The Moral Limits of the Criminal Law, Vol. 1. New York: Oxford University Press.
a) set-backs of malicious or morbid interests;
b) cases where the victim consents;
c) minor physical or mental hurts.
Both Mill and Feinberg apply a primarily individualistic definition of harm. Harm to groups of people or society at large is not integrated into the general definition and has only been introduced in later work and the academic discourse. In addition, critiques of Mill’s and Feinberg’s models have inter alia noted that the harm principle is too vague, that it invites speculative attributions of harm and that it does not capture the full range of Feinberg’s ‘morally wrongs’, such as murder or torture with consenting victims.33 The applicability of Mill’s and Feinberg’s harm principle to a potential cyber harm model is limited in various ways. Firstly, consent is considered to negate harm within the framework. A person who has suffered abuse online could hence be classified as not harmed if he or she consented to the activities, just as, controversially, consent to physical abuse in the physical world is in some contexts considered to exonerate the abuser. Secondly, while intangible cyber harm, such as reputational harm to an individual due to data breaches, would be considered harm according to Feinberg, the same event, when affecting a business as a whole, might not be classified as harm, as it might only affect the organisation’s reputation, but not the reputation of specific individuals. Moreover, the harm principle is not suitable to capture harm to society or a nation as a whole. However, despite these limitations, some key insights can be drawn from legal-philosophical approaches towards harm.
Summary: cyber harm in legal philosophy
When approaching cyber harm from a legal-philosophical perspective, the ‘interests’ of the users of ICT need to be considered.
Similarly to the ‘offline world’, users are engaging with technologies or the Internet to pursue certain interests, such as finding emotional support, looking for information, sharing political views, etc. Setting back these interests, for instance when attackers are bullying their victims online and causing emotional distress, is intuitively perceived as harm and would be classified as harm in the legal-philosophical tradition of Mill and Feinberg. The classification of interests according to Feinberg (physical, psychological, economic and political) can similarly be applied to harm induced by cyber-attacks. A distinction can be made between interests that exist independent of the environment, such as psychological wellbeing, and interests that are pursued specifically through the use of ICT, such as finding specific information through online portals. Moreover, the significance of the interests varies. While some interests may be classified as fundamental, such as physical health, other interests may be classified as minor, such as searching for specific information online. Consequently, the harm experienced as a result of a set-back of the different interests varies substantially in duration and severity.
Social harm
In an attempt to challenge the narrow concepts of harm common to criminological and legal frameworks, an alternative and broader concept of social harm has been developed. Although
33 Dripps, D.A. (1998). “The Liberal Critique of the Harm Principle.” Criminal Justice Ethics 17 (2): 3-18; Duff, R.A. (2001). “Harms and Wrongs.” Buffalo Criminal Law Review 5 (1): 13-45.
the concept cannot be located within one specific academic field, the authors share certain notions, such as a focus on broader societal interests going beyond the concerns of the individual, such as social welfare and levels of employment. Authors vary significantly in their approaches towards defining social harm, despite the common element of aiming at expanding the narrow notion of harm as being only applicable to individuals towards a model that also integrates harm to groups and to society as a whole. Some writers have approached social harm from a human-rights perspective. Schwendinger and Schwendinger34 argue that the idea of social harm is founded in a set of fundamental human rights, the infringement of which can be classified as a crime. Criger35 expands on this argument by analysing different types of crime the state could commit against society, drawing from examples such as the Holocaust, the use of Weapons of Mass Destruction and imperial wars. In addition to the active commission of crimes (both explicit and implicit), omission is also identified as a potential crime against society, as in cases where the state does not act against racial discrimination, gender inequity, etc. or does not ensure safe working conditions or adequate consumer welfare protection. In From ‘crime’ to social harm? Hillyard and Tombs36 offer a basic classification of different forms of social harm as a definitional framework, which includes: physical harm, financial/economic harm, emotional/psychological harm and harm relating to cultural safety. However, no conceptual framework for the placement and assessment of events within the four categories is provided.
Summary: social cyber harm
The discussion of social harm as separate from harm experienced by individuals provides added value to an understanding of national cyber harm. In particular, references to harm that affects ‘cultural safety’ have been made.
This class of harm includes actions that affect autonomy, development and growth, and access to cultural, intellectual and informational resources of a given society.37 In modern societies, an increasing part of these resources is accessed through the Internet or information and communication technologies, which suggests the incorporation of cultural harm into a taxonomy of cyber harm.
Public health: harm reduction in drug abuse
Harm reduction is most commonly discussed in the context of reducing legal or illegal drug abuse. The underlying notion in harm reduction concepts and models is that drug abuse itself cannot effectively be prevented, and will thus continue to occur. As a consequence, harm reduction efforts aim to prevent and reduce the harm caused by drug abuse rather than preventing the drug abuse itself.38 A harm reduction approach targets the causes of risks and
34 Schwendinger, H. and Schwendinger, J. (1970). “Defenders of Order or Guardians of Human Rights.” Issues in Criminology, 5: 123–157.
35 Criger, D.W. (2011). “Critical Perspectives on Crime and Social Harm: Toward a Criminology of Human Rights.” Sociology Compass 5 (11): 984–994.
36 Hillyard, P. and Tombs, S. (2007). “From crime to social harm.” Crime Law Social Change 48: 9–25.
37 Hillyard, P. and Tombs, S. (2007). “From crime to social harm.” Crime Law Social Change 48: 9–25.
38 Buning, E.C., Drucker, E., Matthews, A., Newcombe, R., O'Hare, P.A. (1992). The Reduction of Drug-Related Harm. London and New York: Routledge.
harm and incorporates models of the specific vulnerabilities of people or entities. Factors that exacerbate harm are identified, in order to address them strategically.39 The focus of harm-reduction models is often at the operational and practical levels.40 Where resources are limited, for example, harm-reduction approaches prefer to maximise benefits through low-cost and high-impact interventions, rather than high-cost and low-impact interventions. In the same way, small gains for a large number of people are preferred over huge gains for only a few people. The rapid pace of technological and criminal advancement poses a serious obstacle to effective cybercrime prevention. Given the increasing penetration of society and daily life by the Internet and new technologies, it is hard to imagine that future cyber-attacks will ever be effectively prevented. Consequently, an approach similar to harm reduction in drug abuse could be considered for cyber harm reduction, by focusing efforts on reducing harm from cyber-attacks, as well as preventing, deterring and detecting such attacks. Harm reduction and prevention or detection are not mutually exclusive and could best be seen as complementary. To date, however, efforts have largely focused on preventing attacks from happening, by enhancing network security, by developing more sophisticated firewalls, etc. Harm reduction approaches have seldom been deployed. As with drug abuse, in certain conditions the harm caused by cyber-attacks can be exacerbated. For example, inadequate international cooperation mechanisms might aggravate the effects of cybercrime. Most cyber-attacks involve multiple jurisdictions; victims, perpetrators, ISPs and servers are rarely conveniently collocated in one country. If a country has no effective mechanisms in place to cooperate with the countries that are involved in the case, law-enforcement officers find their investigatory authority severely constrained.
Summary: cyber harm reduction
A harm-reduction approach to cyber harm could draw on good practice within drug harm reduction, in particular by focusing interventions aimed at cybercrime and cyber-attacks on the factors that exacerbate harm. The analysis of these factors would go beyond vulnerability assessments, which are mostly directed at networks and systems, as it also considers external effects of the broader environment. In that way, a link between a comprehensive understanding of cyber harm, factors that facilitate harm, and strategic and informed investments into cybersecurity can be established.
Strategic and defence views on harm
Harm is often referred to as an important component of national strategy and defence, but is rarely defined directly in national strategies. Rather, harm is primarily used as an indication of a call-to-action, or as a high-level strategic context when outlining missions or objectives. For example, most nations have developed national security strategies which determine a series of objectives that the military or ministry of defence seeks to accomplish. These objectives
39 Marlatt, A.G., Larimer, M.E., Witkiewitz, K. (2012). Harm Reduction, Second Edition: Pragmatic Strategies for Managing High-Risk Behaviors. New York: Guilford Press.
40 Marlatt, G.A. (1996). “Harm Reduction: Come as you are.” Addictive Behaviors 21 (6): 779-788; Rhodes, T. (2009). “Risk environments and drug harms: A social science for harm reduction approach.” International Journal of Drug Policy 20: 193–201.
are primarily placed in the context of mitigating risk to particular assets. National defence/military strategies and national risk assessments provide insights into how nations understand harm. The UK and USA serve as examples of how harm is viewed as a call-to-action in order to ensure security and mitigate risks to security interests. Out of the three objectives set out in the UK National Security Strategy,41 two objectives are defined by risks and threats, i.e. protecting the country from major direct risks, and decreasing the likelihood of threat materialisation. The incorporated UK National Security Risk Assessment, building on the original assessment in 2010, refines these objectives. A concept of harm can be detected within the definition of risk and impact. In this context, direct harm relating to a given risk defines impact, whereby the subjects of harm range from people to “territories, economy, key institutions and infrastructure.”42 In contrast, the US National Security Interests are less explicitly linked to risk management and instead refer to “the survival of the Nation; the prevention of catastrophic attack against U.S. territory; the security of the global economic system; the security, confidence, and reliability of our allies; the protection of American citizens abroad; and the preservation and extension of universal values.”43 However, the US National Strategic Risk Assessment not only makes reference to cyber-attacks, but also provides a detailed account of different forms of harm to the nation. In particular, six kinds of harm are examined, namely “loss of life, injuries and illnesses, direct economic costs, social displacement, psychological distress, and environmental impact.”44 The strategic/defence approach towards harm detailed above can also be applied in strategic approaches to cyberspace and cybersecurity. 
For example, in the British National Cybersecurity Strategy, the vision clearly expresses a risk-based approach to prioritising responses to cyber-incidents.45 Interestingly, the UK’s National Risk Register, cited in the section on cybersecurity, specifically addresses harm as it relates to vulnerability: “While cyber space fosters open markets and open societies, this very openness can also make us more vulnerable to those – criminals, hackers, foreign intelligence services – who want to harm us by compromising or damaging our critical data and systems.”46 The US Department of Defense Cyber Strategy, on the other hand, specifies ‘significant consequences’ of cyber-attacks, which include deaths, damage to property, foreign policy repercussions and economic harm.47 These consequences are specifically addressed in the Department of Homeland Security’s risk assessment. When cyber-attacks compromise data and data processes, the harm is a national
41 HM Government (2015). National Security Strategy and Strategic Defence and Security Review 2015: A Secure and Prosperous United Kingdom. London: UK Cabinet Office.
42 HM Government (2010). Securing Britain in an Age of Uncertainty: The Strategic Defence and Security Review. London: UK Cabinet Office.
43 U.S. Joint Chiefs of Staff (2015). The National Military Strategy of the United States of America 2015.
44 DHS Office of Risk Management and Analysis (2011). The Strategic National Risk Assessment in Support of PPD 8: A Comprehensive Risk-Based Approach toward a Secure and Resilient Nation.
45 UK Cabinet Office (2011). The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world. London: UK Cabinet Office. Note that the UK Cyber Security Strategy is currently under revision and will be replaced by a second iteration in 2016.
46 UK Cabinet Office (2015). National Risk Register of Civil Emergencies. London: UK Cabinet Office.
47 US Department of Defense (2015). The Department of Defense Cyber Strategy. Washington DC: US Department of Defense.
level concern where it causes financial losses of at least one billion dollars. Conversely, if the attack is against critical infrastructure, it is considered a national harm where it is “an incident in which a cyber attack is used as a vector to achieve effects which are ‘beyond the computer’ (i.e., kinetic or other effects) resulting in one fatality or greater or economic losses of $100 Million or greater.”48 Essentially, harm in the national defence and strategic cybersecurity context is used to set out the risk-conditions under which the defence apparatus will act, and what its strategic objectives are. While the connection between harm, risk and strategy is not made explicit, the lack of specificity in relation to harm in common strategic outlooks, coupled with frequent reference to risk, implies that harm is often viewed as a component of risk in national cybersecurity defence and strategy, rather than being considered directly. In the international strategic context, cyber harm is also used to define those cases in which action should or should not be taken. For example, the United Nations Group of Governmental Experts (GGE) consensus, which asserts that international law applies in cyberspace, addresses harm in the context of preventing harmful activities, such as using harmful hidden functions of ICT, harming the information systems of other nations’ emergency response teams or other harmful practices.49 These norms and good practices do not define what harm consists of, but rather seem to use it interchangeably with ‘negative impact’.
The Shanghai Cooperation Organisation Agreement on Cooperation in the Field of Information Security takes a different approach towards cyber harm and includes the “dissemination of information harmful to the socio-political and socio-economic systems, spiritual, moral and cultural environment of other states,” which includes spiritual, moral and cultural aspects of harm not traditionally associated with cyber harm in Western contexts.50 Finally, some experts have called for an organisation similar to the Red Cross that would provide a neutral, impartial and independent resource to reduce harm. This organisation would utilise CERTs who, according to these experts, “form a growing network of like-minded groups of dedicated individuals, focused on identifying vulnerabilities in cyberspace and assisting in remediating threats when they cause harm.”51 This humanitarian approach offers an analogy for how harm-mitigation in cyberspace could be approached.
Summary: cyber harm in strategic and defence considerations
In the strategic and defence sector, cyber harm concepts serve as a benchmark for military or other action and intervention. While definitions and understandings vary, cyber harm is commonly understood in relation to the notion of risk, which underlines the close link and interdependency between risk and harm. Value for the Cyber Harm Model can be drawn from
48 DHS Office of Risk Management and Analysis (2011). The Strategic National Risk Assessment in Support of PPD 8: A Comprehensive Risk-Based Approach toward a Secure and Resilient Nation.
49 UN General Assembly (2015). Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (A/70/174). New York: UN General Assembly.
50 United Nations Institute for Disarmament Research (UNIDIR) (2015). The Cyber Index: International Security Trends and Realities. Geneva: UNIDIR.
51 Hollis, D. and Maurer, T. (2015). “A Red Cross for Cyberspace,” Time. Accessed at http://time.com/3713226/red-cross-cyberspace/.
the use of a harm concept as a benchmark for interventions. Similarly, cybersecurity capacity-building can be developed as cyber harm avoidance, reduction and deterrence approaches.
Political harm
The conceptualisation of political harm has been inconsistent in political science and other fields. While regularly referred to, the understanding of what characterises political harm varies. Political harm might refer to the reputational damage a politician suffers after a public incident or to political parties experiencing decreased votes in an election. Often, political harm is associated with the disruption of political processes. These may include the electoral system, the policy-making process, citizen engagement in political processes and the criminal justice system, among others. In an analysis of threats and harms caused by organised crime, Gilmour52 identifies political harm as corruption or harm to the reputation of the police or civic governance. In relation to ICTs, the political dimension encompasses a range of issues, which may be either facilitated or harmed through the proliferation of new technologies. On the one hand, the emergence of the Internet and related developments has profoundly changed how politics is conducted, as exemplified by the ‘Arab Spring’ movement in 2010 and 2011, which was substantially facilitated by social media. A large proportion of the political debate is now held on Internet platforms, blogs and social media. In this way, ICTs can encourage more parts of society to engage in political processes. On the other hand, cybercrime and cyber-attacks can have a serious impact on the functioning of the political system. The Internet can be used to disseminate propaganda against governments or recruit persons for terrorist purposes. Cybercrime can further disrupt the functioning of government networks, manipulate voting results, or be targeted at inducing political change through cyber extortion.
The attack can thereby be targeted at specific individuals, such as a government leader or government official with strategic functions; at organisations and groups, such as ministries, political parties or governmental networks; as well as at the nation as a whole, as is the case in cyber-terrorist attacks. Political relationships might further deteriorate because of cybercrime incidents, for example where attacks are camouflaged so as to appear to have been initiated by a certain country as a state-sponsored attack, although the attack originated in another country (or none).
Summary: political cyber harm
Political cyber harm is a broad concept that encompasses a range of effects on the government, the political system and its processes. It might be observed inter alia through a loss of public influence due to a cyber-attack, a disruption of political processes, the exclusion of parties from the political process or deterioration in international relations, and is often accompanied by reputational cyber harm.
Harm in economics
Economic harm can manifest in various forms, depending on who is affected (individuals, organisations or nations), the sector in which the harm occurs (banking sector, national infrastructure, etc.), and whether it is the direct or a cascaded effect of a cyber-attack. In a report in 2009, the US Department of Homeland Security notes that successful cyber-attacks
52 Gilmour, S. (2008). “Understanding Organized Crime: A Local Perspective,” Policing 2 (1): 18-27.
can cause economic harm to major industrial sectors and damage to critical infrastructure (such as electricity and water), including disruptions that obstruct the response and communication capabilities of first responders in emergencies.53 The most common form of economic harm from cyber-attacks, which also represents one of the most widely researched and analysed types of cyber harm in contemporary literature, is financial harm. Numerous publications54 have aimed at costing cybercrime. In The Cost of Cybercrime,55 the annual cost of cybercrime to the UK is estimated at £27 billion. The 2014 Global Report on the Cost of Cyber Crime56 calculated that, on average, cybercrime costs each organisation in the analysed countries $7.2 million annually, while some companies might suffer costs up to $61 million. While these numbers can seem alarmist and calculations and estimations can be made for individuals, organisations and nations as a whole, the accuracy and reliability of the methods used in such reports is debatable. For instance, the Detica report reflects not only direct costs occurring as a consequence of cybercrime, but also costs in anticipation of cybercrime, costs in response to cybercrime, and indirect costs, such as reputational damage.57 Variations regarding what are considered to be costs relating to cybercrime and how the costs are calculated make comparative analyses difficult. Generally, research suggests that financial harm can often be linked to physical and/or psychological harm and neglect. In addition, a number of risk factors that render adults more likely to suffer financial harm have been identified, including: social isolation; an over-trusting nature; (financial) dependency on others; increased assets coupled with a low-cost lifestyle; and a limited awareness of risks.58 However, economic harm goes beyond financial harm. Cybercrime can have macroeconomic effects that affect a nation’s economy as a whole.
For instance, a government might experience lost taxation revenue as a result of fiscal fraud. In other cases, the confidence of overseas investors might diminish as a result of a cyber-attack. The development of an “underground economy” which operates through the DarkWeb and might be facilitated by anonymisation tools and virtual currencies can attract talented individuals who are diverted from the legal economy. When considering large-scale or long-lasting cybercrime or cyber-attacks, harm to a nation’s economic growth is a real possibility.
Summary: economic cyber harm
Economic cyber harm can affect individuals, organisations and nations alike. It is often the immediate and direct consequence of cybercrime, such as online fraud, extortion or theft.
53 U.S. Department of Homeland Security (2009). A Roadmap for Cybersecurity Research. Washington D.C.: U.S. Department of Homeland Security.
54 See, for example: Anderson, R. et al. (2012). “Measuring the Cost of Cybercrime,” in: The Economics of Information Security and Privacy (pp. 265-300). Berlin and Heidelberg: Springer; Center for Strategic and International Studies (2014). Net Losses: Estimating the Global Cost of Cybercrime. Economic impact of cybercrime II. Santa Clara: McAfee.
55 Detica and the UK Cabinet Office (2011). The Cost of Cyber Crime. Surrey: Detica Limited.
56 Ponemon Institute (2014). 2014 Global Report on the Cost of Cyber Crime. Traverse City: Ponemon Institute.
57 Detica and the UK Cabinet Office (2011). The Cost of Cyber Crime. Surrey: Detica Limited.
58 Fife Adult Protection Committee. Financial Harm: Prevention, Identification, Support and Protection. Accessed at: http://publications.1fife.org.uk/uploadfiles/publications/c64_FinancialHarmGuidanceInformation.pdf.
20
However, economic harm can also manifest itself in less direct forms, such as the loss of workforce or diminished foreign investments. It might further be the cascading effect of reputational harm (see below), as a decrease in consumer demand or shareholder value.

Business perspective: reputational harm

Although reputational harm is not a new concept, it has no commonly agreed definition and the thinking on the subject is still evolving. Neither the 2004 framework for enterprise risk management proposed by the Committee of Sponsoring Organisations of the Treadway Commission (COSO), nor the Basel II international accord for regulating bank capital address the issue.59 However, in recent years, reputational harm as a consequence of cyber-attacks has gained attention, in particular in the context of cybercrime insurance.60 While often linked to economic harm, reputational harm can also affect individuals, organisations and nations as a whole. It commonly manifests itself in an adverse media event or negative publicity, which then culminates in other forms of harm, such as psychological harm (e.g. loss of confidence or depression) or economic harm (e.g. loss of revenue or consumer demand).

On an individual level, reputational harm can occur in various forms. It can be a result of online defamation, for instance on social media, often involving concurrent violations of privacy.61 Individual reputational harm might also be linked to organisational or national cyber-incidents, for instance if an individual, such as a CEO or CSO, is publicly held responsible for the event.

In the business sector, reputational harm is most likely to affect customer relationships. Reputational harm can lead to a deterioration in existing cultivated relationships, and the inability to form new customer relationships. Research suggests that risk managers perceive reputational harm to be one of the most severe and concerning consequences of cyber-incidents.62

On a national scale, reputational harm can mean a severe deterioration of international relations, whether economic, political or diplomatic in nature. While still a rarely discussed topic, cybercrime does already cause harm to a country’s reputation, such as in the case of Nigeria. A survey among tertiary-education institutions revealed that the vast majority of respondents believed that cybercrime, such as online fraud, is damaging that country’s reputation.63
59 ACE Group (2013). Reputation at Risk: ACE European Risk Briefing 2013. London: ACE Group.
60 Tokio Marine Kiln (2015). Insurance Products: Reputational Harm. London: Tokio Marine Kiln; Axis Insurance Managers Inc. (2014). “Reputational Harm Insurance.” Accessed at http://www.axisinsurance.ca/commercial/policy-types/reputational-harm-insurance.
61 Law Reform Commission (2014). Issues Paper on Cyber-crime affecting personal safety, privacy and reputation including cyber-bullying (LRC IP 6-2014). Accessed at http://www.lawreform.ie/_fileupload/Issues%20Papers/ip6Cybercrime.pdf.
62 http://www.cyberrisknetwork.com/2015/06/11/rims-survey-reveals-high-interest-in-cover-forreputational-harm-business-interruption/
63 Okeshola, F.B. and Adeta, A.K. (2013). “The Nature, Causes and Consequences of Cyber Crime in Tertiary Institutions in Zaria - Kaduna State, Nigeria,” American International Journal of Contemporary Research 3 (9): 98-114.
Summary: reputational cyber harm

Reputational cyber harm can affect any subject of a cyber-attack on any scale. It can be the direct goal of an attack, as in the case of online defamation, or a concurrent or cascading effect of other forms of harm, as in the case of data breaches or online theft.

Physical harm

The United States Code of Federal Regulations defines physical harm as “any physical injury to the body, including an injury that caused, either temporarily or permanently, partial or total physical disability, incapacity or disfigurement”.64 For the purposes of this article, physical harm might also be understood to refer not only to harm to the body of individuals, but also to property and infrastructure. The notion that cybercrime or cyber-attacks might cause physical harm to individuals is relatively new. While physical harm could conceivably be the consequence of cyber-related psychological harm – for example, where individual victims of cyber-bullying choose to harm themselves and perhaps even to commit suicide – there have as yet been no recorded instances of physical injuries as a direct result of a cyber-attack. However, an increasing number of publications point towards the threat posed by new technologies, and the possibility that these might indeed cause direct physical harm to individuals.65 In particular, advances in the field of “smart devices”, such as home appliances and personal medical monitoring equipment connected to the Internet, have created entirely new possibilities for manipulation and intrusion.

Similarly to individual physical harm, physical cyber harm inflicted on property or infrastructure is a relatively new phenomenon. In fact, to date, only two incidents have (not undisputedly) been classified as cyber-attacks involving physical damage: the Stuxnet attack on an Iranian Fuel Enrichment Plant and an advanced-persistent-threat (APT) attack against a German steel mill.
While investigations into the former case have not been conclusive, the malware forced the lowering and raising of the rotor-speed of several centrifuges, leading to the (physical) malfunction of the centrifuges.66 Although the affected centrifuges were not destroyed, the case showed that physical damage induced through a cyber-attack is a real threat. A second case of physical damage has been reported by the German Federal Office for Information Security in 2014. A status report of cybersecurity in Germany states that an advanced-persistent-threat attack, which involved spear-phishing and social-engineering to gain access to a steel mill’s network, led to the failure of several control components and irregular shut down of furnaces. As a result, the steel mill suffered “severe damage”.67 Both
64 U.S. Code of Federal Regulations. 6 CFR 25.2 - Definitions. Accessed at https://www.law.cornell.edu/cfr/text/6/25.2.
65 See, for instance: Applegate, S.D. (2013). The Dawn of Kinetic Cyber. 5th International Conference on Cyber Conflict. Tallinn: NATO; and Gibbons, N. (2014) “When virtual becomes reality.” Inside Cyber Summer 2014: 75-76.
66 David Albright, Paul Brannan, and Christina Walrond (2010). “Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant?” Report by the Institute for Science and International Security. Accessed at http://isis-online.org/uploads/isisreports/documents/stuxnet_FEP_22Dec2010.pdf.
67 Bundesamt fuer Sicherheit in der Informationstechnik (2014). Die Lage der IT-Sicherheit in Deutschland 2014. Bonn: Bundesamt fuer Sicherheit in der Informationstechnik. Accessed at
cases show that, while physical harm to property and infrastructure might not be a commonly reported impact of cyber-attacks, it is a real possibility with potential for far-reaching damage, not only to organisations, but also to the economy as a whole.

Summary: physical cyber harm

Physical cyber harm can affect both individuals and property or infrastructure. While only a few instances have been recorded to date, the potential severity and reach of physical harm, as well as its cascading effects, affecting individuals, organisations and society as a whole, gives a new dimension to the potential damage caused by cybercrime, cyber-attacks and negligent cyber-incidents.

Psychological harm

Psychological harm, according to NICE,68 can be defined as “emotional or cognitive disturbances resulting from another's actions”. Psychological harm can manifest itself in a range of negative emotions, including anxiety (warranted or unwarranted), depression, guilt, shame, embarrassment, anger, fear, suicidal feelings, extreme distress, loss of trust in others, denial and a loss of self-confidence.69 In relation to cybersecurity and cybercrime, psychological harm can be observed in various forms.

Firstly, the Internet and ICTs can induce, facilitate or aggravate psychological harm that was initially suffered in the physical world. For example, an individual suffering from depression or suicidal thoughts might experience a reinforcement of these psychological conditions after engaging in online discussions. In the worst case, the individual could use the Internet to find information about methods to commit suicide, which might then culminate in self-harm (see below). In addition to facilitating pre-existing conditions of psychological harm, the Internet and ICTs can also be exploited to induce psychological harm in the first place. One prominent example is cyber-bullying, which is defined as “the use of information and communication technologies to support deliberate, repeated, and hostile behaviour by an individual or group, which is intended to harm others”.70 Cyber-bullying can occur as a continuation of real-world bullying, but may also be observed as the initial action.

Another area that has gained substantial attention in psychological research in the last decade is the role of the Internet in enhancing self-harm, including suicide. Traditionally, the term self-harm71 refers to a physical response to emotional pain of individuals against themselves, such

67 (continued) https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2014.pdf?__blob=publicationFile.
68 NICE, UK National Institute for Health and Care Excellence (2004). Self-harm: The short-term physical and psychological management and secondary prevention of self-harm in primary and secondary care.
69 Whitty, M. and Buchanan, T. (2012). The Psychology of the Online Dating Romance Scam. Leicester: University of Leicester.
70 Belsey, B. “Cyberbullying: An Emerging Threat to the “Always On” Generation,” Bullying.org. Accessed at http://www.cyberbullying.ca/pdf/Cyberbullying_Article_by_Bill_Belsey.pdf; Marilyn A. Campbell (2005). “Cyber Bullying: An Old Problem in a New Guise?” Australian Journal of Guidance and Counselling 15: 68-76.
71 NICE defines self-harm as “intentional self-poisoning or injury, irrespective of the apparent purpose of the act.” The World Health Organization describes self-harm as “an act with non-fatal outcome, in which an individual deliberately initiates a non-habitual behaviour that, without intervention from others, will cause self-harm, or deliberately ingests a substance in excess of the prescribed or generally
as cutting oneself or substance abuse. In cyberspace, one commonly observed self-harming behaviour is best understood as bullying oneself online. There are various ways that people can deprecate themselves online. One method is to set up numerous profiles and send abusive messages to themselves. Psychologists who have studied this area assert that young people with low self-esteem behave in this way in order that comments posted by “other people” (even when it is themselves sending the abuse from pseudo-profiles) serve to confirm their own poor opinion of themselves. Individuals, in particular young people, might engage in such behaviour in order to gain attention from relatives and friends when they experience feelings of emotional vulnerability; to enhance their social status as negative comments might, perversely, be presented as evidence of jealousy; and to win compliments.72 Secondly, ICTs may be the source of psychological harm in themselves. An example is Internet addiction. With the increasing proliferation of the Internet and information and communication technologies in general, the emergence of this new form of addiction has been identified, similar to known forms of addiction, such as chemical substances or gambling. Although not all individuals who show an excessive use of the Internet can be classified as addicted, some individuals show a psychological dependence on the medium, which can lead to a range of personal, family and occupational problems. These detrimental effects, such as marital disruption or sleep deprivation, are similar to those experienced by individuals suffering from other kinds of addictions. Empirical studies have shown that men are usually more likely to be affected by Internet addiction than women and that pre-existing psychological issues, such as depression, increase the likelihood of the manifestation of Internet addiction. 
However, despite an increasing number of studies in this area, Internet addiction is a relatively new phenomenon. Hence, the reliability of assessment and treatment methods is still limited.73

In addition to the various types of psychological harm described above, emotional damage can manifest itself as a cascading effect of other types of harm, such as financial or reputational harm. In the latter case, in particular when affecting individuals or managers of organisations, reputational damage might lead to psychological problems if the individual experiences a loss of self-worth or a feeling of failure. These may include depression, a loss of self-confidence, substance abuse, etc. Another scenario has been recently analysed by Modic and Anderson.74 They have conducted an empirical study to determine the financial and emotional harm experienced by victims of online fraud. The results of the study show that emotional harm was not only commonly experienced by victims of online fraud, regardless of the type of fraud, but that victims perceived it as more severe than the direct financial loss suffered. Modic and Anderson conclude that emotional harm is a significant element of victimisation in online fraud and should hence be included in considerations, both as

71 (continued) recognised therapeutic dosage, and which is aimed at realising changes which the subject desired via the actual or expected physical consequences.” (Platt, S., Bille-Brahe, U., Kerkhof, A., et al. (1992) Parasuicide in Europe: the WHO/EURO multi-centre study on parasuicide. I. Introduction and preliminary analysis for 1989. Acta Psychiatrica Scandinavica, 85 (2): 97–104).
72 The Cybersmile Foundation (2015). “Cyber Self-harm,” The Cybersmile Foundation. Accessed at https://www.cybersmile.org/advice-help/cyber-self-harm/why-would-someone-cyber-self%20%20%20%20%20%20%20harm.
73 Chou, C., Condron, L. and Belland, J.C. (2005). “A Review of the Research on Internet Addiction,” Educational Psychology Review, 17(4): 363-388.
74 Modic, D. and Anderson, R. (2015). “It’s All Over but the Crying: The Emotional and Financial Impact of Internet Fraud.” IEEE Security & Privacy, 13(5): 99-103.
regards policies to deter fraud and as regards the management of the impact of fraud. While the number of studies analysing emotional harm as a cascading effect of other types of harm is still very limited, Modic and Anderson’s findings show that it is an important area of concern, in particular when assessing the medium- and long-term effect of cyber-attacks.

Apart from the psychological harm that is induced or facilitated by ICTs, it is important to mention that cyberspace might also function as a support mechanism for individuals suffering psychological harm, for instance when they receive help through online forums or professional services that might be easier to access online.

Summary: psychological cyber harm

Psychological cyber harm can manifest itself in numerous forms and can, as with general psychological harm, culminate in suicide or criminal behaviour. While almost any type of cyber-attack can lead to psychological harm, the extent and nature of the harm might vary between different individuals and is influenced by many factors, such as pre-existing mental conditions or the availability of support. Due to its potential to affect many individuals or even whole nations and to have long-lasting effects, the role of psychological cyber harm within the Cyber Harm Model needs to be carefully examined.

Virtual harm

The development and expansion of virtual environments,75 such as computer generated 3D property on game servers (e.g. Second Life), raises questions regarding the relationship between the ‘real’, i.e. physical, and the ‘virtual’ world. For the purposes of this article, the question is whether ‘virtual’ (or perhaps ‘artificial’ or ‘unreal’) harm can have a ‘real’ effect. Can an ‘attack’ against a virtual representation of a person, i.e. an avatar invented in order to participate in a virtual environment or game, cause actual harm to the physical person represented by the avatar?
In the physical world, acts of violence (whether physical or psychological) cause harm to victims’ bodies or severely affect their mental state. When ‘violence’ takes place in virtual worlds however, the ‘injury’, such as it is, is caused to an invented and insentient string of data rather than a real, sentient persona. While academic research in this area to date is very limited, Wolfendale has argued that the attachment of individuals to their avatars is an expression of identity and self-conception and should thus be seen as morally significant, as with real-world attachment to possessions, communities or cultural objects.76 Despite self-evident differences between real and virtual environments, Wolfendale claims that the two ‘worlds’ bear significant resemblance in their social features. While the representation of bodies in virtual worlds takes a digital form, it can be argued that the virtual embodiment is intimately representative of social constructions and norms found in the real world. In other words, although the bodies and their interactions are
75 The terms virtual environment and virtual reality are not used consistently in contemporary literature. However, in the context of this article, the focus lies on virtual environments/virtual worlds, defined by Ralph Schroeder as “the sensory experience of being in a place other than the one [they] are physically in, and being able to interact with that place” (Schroeder, R., 2006). See also Young, G. (2014). Ethics in the Virtual World: The Morality and Psychology of Gaming. Abingdon and New York: Routledge.
76 Wolfendale, J. (2007). “My avatar, my self: Virtual harm and attachment.” Ethics and Information Technology 9(2): 111-119.
virtual, the social element of these relationships is inescapably rooted in a real world framework. Moreover, the anonymity and dissociative authority created by a perceived lack of real-world laws, authorities and social conventions in cyberspace allow for some aspects of human behaviour to “escalate and flourish”. This effect has been seen despite the widespread use of end-user licence agreements, which establish clear codes of conduct for behaviour in the various virtual environments. With attacks on avatars expected to have an effect on the psychological state of the associated individual, it is even conceivable that an attack could be intended deliberately to have a more decisive and extreme effect than the attacker would otherwise be willing to contemplate in the real world.

Warren and Palmer77 challenge Wolfendale’s characterisation of virtual harm. Even though they acknowledge the legitimacy of harm in virtual environments, they reject the notion of virtual harm being grounds for legal interventions, as only a real-world effect on victims could justify action against harmful online conduct. This means that individuals who have suffered harm through the representation of their avatars can only be offered psychological help.

Summary: virtual harm

Virtual harm can be considered as a form of psychological cyber harm. Despite the fact that actions causing harm to virtual representations of individuals online might not classify as crimes in a legal sense, research has shown that virtual harm can be conceptualised as a form of harm that originates in virtual environments, but has an impact on individuals in the physical world. In particular, attacks against an avatar might result in psychological harm to the individual controlling it, such as emotional distress or fear. As such, virtual harm does not represent a distinct type of harm in itself, but rather a form of psychological harm.
77 Warren, I. and Palmer, D. (2011) “Crime Risks of Three-dimensional Virtual Environments.” Trends & issues in crime and criminal justice 388.
Conceptualising Cyber Harm

A taxonomy of cyber harm

The analysis of the research context has shown that, while there is no comprehensive account of cyber harm in contemporary literature, it is nonetheless possible to gain a better understanding of the nature and subjects of cyber harm. This chapter draws on the observations made in Chapter 3.2 in order to present a taxonomy of cyber harm and to model the relationships and interdependencies of the different forms of harm.

Subjects and nature of cyber harm

Subjects of cyber harm: Subjects are defined as the persons, entities, objects, or groupings that incur the harm manifesting from a cyber-incident.

The subjects of cyber harm within a nation can be identified on four different levels: individual, organisational, infrastructure/property and national. Despite the distinct nature of each of these four subjects, there is an inherent intersection and interdependency between them, as illustrated in Figure 4.1. The nation as a whole encompasses all of the three other subjects, but it is not merely their sum: it also represents unique elements and frameworks, such as cultural values or the structure of the economic and political systems.

At the most granular level, cyber-attacks can affect individual people. The nature of the harm caused can be of any kind – physical, psychological, economic (e.g. financial), political, cultural or reputational. Individuals might be the single target of an attack, such as in the case of cyberbullying, or can be harmed as part of a broader attack against a larger group, for instance through phishing attacks.

At the second level, organisations can be harmed as entities, with or without harm being caused to individuals concurrently. While organisations cannot be directly harmed physically or psychologically (only indirectly through harm to employees or property and equipment), they can suffer economic, reputational, political and cultural cyber harm.

Thirdly, apart from individuals and corporate entities, harm can also be inflicted on property or infrastructure. Often, this subject of harm is accompanied by concurrent harm to the affected organisation or nation, in particular when the damage disrupts business processes or destroys machines and equipment. In contrast to the other subjects, property and infrastructure can only be physically harmed. However, other types of concurrent or subsequent harms can be inflicted on individuals, organisations or the entire nation.

Finally, the highest level of subjects of cyber harm is the nation as a whole. A nation might experience a loss of reputation after a cyber-attack of large scale, for instance leading to a deterioration of bilateral or multilateral political or economic relations. Similarly, nations can be harmed economically, politically or culturally. If a large proportion of the population is affected by a cyber-attack, one might even find psychological harm at this level, as is the case in widespread fear as a result of cyber-terrorism.
Figure 4.1: Subjects of cyber harm (nested levels: Nation, encompassing Individual, Organisation and Property/Infrastructure)
In a national assessment of cyber harm, multiple subjects at different levels of national life would have to be identified. Intangible assets would have to be considered, such as values, norms, frameworks and mechanisms that form the cornerstones of society. The level of detail of these subjects would depend on the scope of the assessment. Figure 4.2 provides an illustrative, non-exhaustive list of how the affected subjects and intangible assets might be classified for this purpose, following a top-down approach based on the four broad groups of subjects. Within each category, more specific subjects might be determined, such as a specific division within a company (organisational level) or a specific part of the political system (national level). Similarly, the scope of the cyber harm assessment might suggest the grouping of certain parts of society, such as ‘children between the ages of 12 to 16’ or ‘banking sector employees’. In this context, both directly and indirectly affected parties must be identified.
Nation: Economy; Security; Society as a whole; Vulnerable groups; Political system; International relations; Sectors; etc.
Infrastructure/property: Transportation systems; Power plants; Communication systems; Network infrastructure; Virtual infrastructure; Water systems; Buildings; Internet of Things (IoT); etc.
Organisations: Company; University; School; Ministry; Political party; NGO; Hospital; Bank; SME; etc.
Individuals: CEO; Government leader; Doctor; Child; Pensioner; Citizen; etc.
Figure 4.2: Examples of cyber harm subjects
It is important to note that cyber-attacks commonly affect multiple subjects at the same time, in particular in the case of national-scale attacks, even if the primary target might have been limited to one particular subject. For instance, an attack on a power plant can cause harm on an organisational or even national level, if the attack results in other business disruptions or power cuts. As regards the nature of cyber harm, at least six distinct types can be identified from the literature: physical, psychological, economic, cultural, political and reputational.78
Types of cyber harm Types of cyber harm are defined as the classification of harm manifestations based on perceived impact in the observable world.
Figure 4.3 provides examples of how these types of cyber harm might be observed.
78 Not all academic disciplines that were analysed in Chapter 3.2 have resulted in the identification of a type of cyber harm. Instead, some provided insights regarding harm reduction approaches (public health) or were identified as a sub-form, rather than a distinct type of cyber harm (virtual harm).
Physical: Bodily injury; Property damage; etc.
Psychological/emotional: Depression; Panic/stress; Anxiety; Self-harm; Virtual harm; etc.
Economic: Financial loss; Loss of shareholder value; Job loss; Market degradation; etc.
Reputational: Reduced consumer base; Deteriorated international relations; etc.
Political/governmental: Disruption of electoral system; Loss of citizen trust in government; Reduction in power projection; etc.
Cultural: Loss of communication means; Loss of cultural property; Harm to social values; etc.
Figure 4.3: Types and examples of cyber harm
Physical cyber harm

Within these six categories, physical cyber harm is easiest to evidence, as it is, in most cases, empirically observable. However, to date, this type of harm is also the least common, as cyberattacks resulting in bodily injury or physical damage to equipment and structures are a relatively new phenomenon, with only very few reported cases. However, even though physical harm is primarily observable as a direct and immediate impact of a cyber-attack, the cascading effects can be severe and far-reaching. For instance, an attack on a cardiac pacemaker, which leads to the death of the patient, could create fear and panic or other types of emotional distress in other patients with pacemakers.

Psychological/emotional cyber harm

In contrast to physical cyber harm, psychological/emotional cyber harm can be both the primary harm of an attack and have a long-term and indirect cascading effect, which either follows other types of harm or occurs in parallel. Psychological harm is also more likely than other forms of harm to have a long-term impact on individuals who become victims of a cyberattack. In this context, the significance of cyberspace can vary. Firstly, cyberspace can facilitate a psychological condition that has its roots outside the Internet. Secondly, a cyber-attack can be the primary cause of psychological harm, as in the case of cyber-bullying or cyber-stalking. Thirdly, psychological harm might be suffered because of harm inflicted upon a virtual representation of a person. Fourthly, cyberspace might be a source of psychological harm in itself in the case of Internet addiction. Finally, psychological harm can be a secondary or subsequent type of harm for victims who have suffered another type of direct or primary harm, e.g. economic harm in the form of financial losses of fraud victims. While more and more research is dedicated towards understanding and assessing psychological harm related
to cyberspace and cyber-attacks, this type of harm is one of the most difficult to observe in its full scale, as its development depends on numerous factors, such as the psychological predisposition of the victims, the social contexts, cultural perceptions, etc.

Economic cyber harm

Economic cyber harm is the third category of cyber harm, most commonly observed and measured in terms of financial losses. One of the most direct forms of financial loss is an attack whereby monetary assets are stolen, for instance by hacking a bank account. However, economic harm can occur in more complex patterns, such as in the case of cyber espionage. In cases where military technology is stolen, organisations and nations might be exposed to weakened export markets.79 Similarly, cyber espionage can lead to job losses, which can in turn cause other forms of harm. Consequently, apart from direct monetary losses, economic harm also has to be understood in terms of trade, technology and competitiveness.

Reputational cyber harm

Reputational cyber harm can affect individuals, organisations or entire countries alike and is often accompanied by economic and psychological cyber harm. On an organisational level, reputational harm might manifest itself through supplier mistrust, deteriorated customer relations, and decreased productivity due to reduced employee motivation, up to a general loss of trust in the organisation. While the financial or other immediate economic costs of a cyber-attack might be managed in a relatively short period of time, reputational damage can be much more difficult to mitigate and can eventually lead to bankruptcy. Moreover, a cyberattack on an organisation can simultaneously result in reputational harm to individuals, such as the CEO or CSO of a company, but also other employees associated with the organisation.
Posting private, false, humiliating or shameful material about public or non-public figures is another example of a cyber-attack that can lead to reputational harm to individual victims. Finally, in particular, large scale attacks or attacks on the government of a country can further harm the economy as a whole, damaging business or diplomatic relations with other nations.

Political/governmental cyber harm

Political/governmental cyber harm is a broad concept that encompasses a range of effects on the government, the political system and its processes, as well as individual politicians. It might be observed, inter alia, through a loss of public influence due to a cyber-attack, a disruption of political processes, the exclusion of parties from the political process or deteriorated international relations, and is often accompanied by reputational cyber harm.

Cultural cyber harm

Among the six categories, cultural cyber harm is one of the least discussed forms of cyber harm in contemporary literature, perhaps as it is difficult to observe and measure. Cultural cyber harm goes beyond the psychological effects experienced by individuals or groups of individuals as a result of cyber-attacks. This type of harm represents a significant disruption to the social stability and cultural safety of a society. For instance, cultural harm can be a result
79
Center for Strategic and International Studies (2013). The Economic Impact of Cybercrime and Cyber Espionage. Santa Clara: McAfee.
31
of damaged communication networks, which obstruct the exchange between members of society. Spreading false information or hate-speech can further cause severe social disruption. The widely used cultural values model developed by Schwartz80, which identifies ten basic values81 and establishes a dynamic relationship between them, can serve as a method to conceptualise how cyber harm can affect culture and how it differs across nations according to the country’s prioritisation of certain values. For instance, the security dimension of the model, relating to goals such as social stability, national security or social order, could be harmed through wide-spread fear as a result of cyber-terrorism. The universalism dimension, represented by goals such as equality and social justice, might be harmed through cyberattacks that are targeted at minorities or specific vulnerable groups of society. Cyber harm and ICT Having established the different types and subjects of cyber harm, a relationship between the two analytical categories can be identified. Figure 4.4 relates the different subjects and natures of cyber harm with each other. Subject Individual Organisational Property/ infrastructure National
Physical
Psychological
Economic
Reputational
Cultural
Political
Figure 4.4: Relationship between subjects und nature of harm
While the broad subjects and types of cyber harm might be similar to those observed as ‘general’ types of harm from any kind of attack or crime, whether ICT-related or not, the role of ICT and the Internet in the cyber harm concept varies and is not limited to a simple means of a cyber-attack (see Figure 4.5). In addition to being the tool to inflict harm, e.g. in cases of credit-card theft, hacking, distribution of malware, etc., ICT can also facilitate harm that originated in the physical world, such as in the case of bullying in schools, which is continued online as cyber-bullying. ICT can even be the source of harm in itself, as shown by the proliferation of Internet and ICT addiction. On the other hand, damage to availability, integrity and confidentiality of computer systems and networks can be observed as targeting ICT as the immediate subject of the attack. Finally, cyber harm might occur not through a direct link to ICT, but as a cascading effect or an aggregation relating to other forms of harm after a cyberattack has taken place.
80 Schwartz, S. H. (2006). “Basic human values: Theory, measurement, and applications,” Revue française de sociologie.
81 The identified values are: power, achievement, hedonism, stimulation, self-direction, universalism, benevolence, tradition, conformity, and security.
Figure 4.5: Role of ICT and indirect forms of cyber harm (role of ICT: methods and means to inflict harm, facilitator of harm, source of harm, subject of harm; indirect forms of cyber harm: cascading effects, aggregation)
Harm from cybersecurity interventions
A largely unexplored area is the harm that can emanate from cybersecurity interventions and investments themselves. Measures that aim at preventing, reducing or combatting cybercrime and cyber-attacks can have intentional or unintentional adverse effects, either on the cybersecurity environment, or on other sectors of the nation. For instance, intentional effects might be experienced where cybersecurity interventions are used to expand control over parts of society and reduce their autonomy. On the other hand, investments in cybersecurity capacity-building might be uninformed and not adjusted to the needs of a nation, hence leading to an ineffective or inefficient use of valuable resources. While these forms of harm are not the primary focus of the Cyber Harm Model, they have to be considered for a comprehensive perspective, in particular when relating the CHM to the CMM.
Opportunity costs
Opportunity costs also need to be considered for a comprehensive understanding of cyber harm in the context of cybersecurity and cyber risk. In this way, an enhanced understanding of cyber harm not only enables targeted interventions to avoid, reduce and deter cyber harm, but also allows nations to take advantage of the maximised benefits of ICT development and digitalisation in an informed manner.
Layers and sequence of cyber harm
In addition to the identification of the different forms of cyber harm and subjects, it is important to examine the interrelations and interdependencies of these forms. Existing research increasingly points towards the finding that few cyber-attacks cause only one type of harm. Although indirect and long-lasting effects are more difficult to observe and measure, they should not be neglected, as they might be even more severe than the direct and immediate harm suffered by victims of cyber-attacks.
Interconnections between different types of cyber harm exist in a plethora of forms, including simultaneous harms, cascading effects or latent harm.
Simultaneous harms
Two or more different kinds of harm caused by one cyber-attack can be experienced in parallel. For example, economic harm, such as job loss or financial loss, is often accompanied by psychological harm, such as feelings of failure or anxiety.
Cascading effects
Rather than occurring in parallel, cyber harm can also cascade through the entire spectrum of cyber harm categories and subjects. This process may involve one type of harm being induced by another type. In addition, harms to one victim or group of victims may result in harms to groups, organisations or the nation. An example of the latter might be a cyber-attack that causes immediate physical damage to a hospital. Such an attack might not only cause anxiety to patients and employees of the hospital, but might even lead to psychological or social harm in society in general, as fear of such grave attacks spreads. In severe and large-scale attacks, such as cyber-terrorism, or in series of attacks, psychological harm might cascade from a small group of victims to larger groups of society or the nation as a whole, which can have a long-lasting effect and cause serious disruption to society.
Latent harm
A third connection can be observed when less severe harms lead to more severe subsequent harm. For example, as shown in the case of online fraud, victims perceive the long-term psychological impact as more severe than the direct financial loss. If the immediate harm is perceived to be minor, the ‘latent’ harm that is less immediate and potentially more severe might be overlooked and, as a consequence, appropriate counter-actions might not be taken in a timely manner. Drawing from the different insights that have been identified in the research context, a complex relationship between subjects, natures and interdependencies of cyber harm can be established. Figure 4.6 represents a non-exhaustive example of the different forms of cyber harm and their relationship in different layers or stages after a cyber-attack on property or infrastructure, causing immediate physical cyber harm, such as loss of lives, dam failure or destruction of buildings.82
82 The relationships have been identified according to research (see chapter 3). However, as new types of cybercrime emerge alongside technological advancement, and research is expanded, new relationships and connections might be identified.
Figure 4.6: Layers of cyber harm (legend: one form of harm prompting another form; one form of harm accompanying another form)
The first layer shows the immediate and direct types of harm caused by such a cyber-attack. The nature of harm at this stage can take any form and is often not limited to one type, but there are accompanying immediate harms (dotted arrows). The second layer is harm that follows the first or results from the immediate harm. The difference in time might be negligible, but there is an identifiable sequence of different forms of harm or harm proliferating to other or more victims (coloured arrows). The third layer represents long-lasting indirect harm, which follows the initial two stages.
As can be seen, even though physical harm was identified as one of the less commonly seen types of cyber harm, the potential for successive and cascading effects is high. Damage to property or infrastructure might in some cases have a negative effect on the reputation of the owner (whether organisational or individual), while also leading to business losses, for instance caused by interference in production processes. When human bodies are injured by a cyber-attack, it is highly probable that psychological harm will be inflicted upon a wide range of people, which might in turn result in cultural cyber harm. Although environmental harm has not been discussed in this article, it is included in the graph as a potential cascading effect of physical cyber harm. Scenarios such as the manipulation of dam functions leading to bursting or breaking of the dam, or a cyber-attack on a nuclear power plant which results in meltdown, might cause serious environmental damage, including the destruction of natural resources, floods, etc.
Example: 2007 cyber-attacks on Estonia
A well-known example of a nation-wide cyber-attack is the series of attacks experienced by Estonia in 2007. Among the affected entities were government institutions, such as the Estonian parliament and ministries, as well as banks, newspapers and broadcasters. The attacks followed a disagreement between Estonia and Russia regarding the relocation of a war memorial. Estonian government networks were affected by a denial-of-service attack by unknown foreign intruders, resulting in the temporary disruption of some government online services and online banking. In addition, the attack involved website defacement of political parties and the disruption of news portals through spamming. Despite the severe impact of the attacks, the Estonian government was able to relaunch some services within hours or a few days.
Figure 4.7 summarises some immediate (first-order) and secondary (second-order) types of harm suffered by the various subjects.
Figure 4.7: Example: Harm caused by cyber-attacks in Estonia in 2007 (table columns: subject type, subjects, immediate harm, secondary harm. Individuals: bank customers, citizens, government officials. Organisations: government ministries, political parties, banks, news agencies, schools, Internet Service Providers. Nation: international relations, society as a whole, political processes. Harm types recorded: economic, political, reputational and psychological harm)
In the long term, the cyber-attacks on Estonia had multiple consequences, both within the nation and internationally. Not all of these consequences represent cyber harm, however: the 2007 events also initiated constructive change in the cybersecurity landscape. Within Estonia, various reforms were initiated over the course of the years following the cyber-attacks, including modifications of the legislative landscape, such as through passing new cybersecurity legislation, alterations of the national security concept and increased awareness-raising. Internationally, the attacks triggered a number of military organisations around the world to reconsider the importance of network security to modern military doctrine.
Metrics of cyber harm
Having established the various components of the cyber harm taxonomy, this chapter turns towards possible metrics which allow for both qualitative and quantitative analysis of each type of harm caused by a cyber-attack. While for some types of harm, such as in the case of economic harm, relatively reliable measurements have been developed, other types of harm are more difficult to observe and measure. In fact, for some types of harm, reliable measurements are not yet available. This is not to say that understanding the application of metrics in evaluating cyber harm is not valuable. The insurance market seeks to better understand how it might monetise potential short- and long-term harms, and law enforcement strives to use harm metrics in order to improve its cybercrime reduction capacity. However, further research is still needed in order to determine which existing metrics are sufficient to address particular types of harm, and which metrics are currently unavailable due to an insufficient understanding of both the immediate and cascading effects that emerge from such harms. Chapter 3.1 has summarised existing attempts to measure harm, cost or impact of cybercrime and cyber-attacks. Although comprehensive models that address different types of harm have not yet been developed, some approaches towards assessing harm can be identified. As shown above, these approaches are primarily aimed at quantifying the cost of cybercrime, hence are focused on economic impact in terms of financial losses. While the quantification of all different types of harm would be an unrealistic endeavour, qualitative metrics allow for a more holistic and sophisticated analysis and mapping of cyber harm and its severity.
Indeed, further application and validation of the harm model seek to clarify how cyber harm and its corresponding metrics relate on a conceptual level. This will then hopefully lay the groundwork for future research in producing more accurate and comprehensive metrics for cyber harm. Figure 4.7 below provides a non-exhaustive list of potential quantitative and qualitative metrics that have been identified for the assessment of cyber harm, impact and cost, or in the context of risk analyses. This list merely serves as an example of the kinds of metrics and methods that could be used to measure the various forms of cyber harm. In order to develop a comprehensive approach towards assessing cyber harm at the national level, more in-depth research, including the identification of novel methods and metrics that can be applied to cyber harm, is required. An alternative approach towards measuring cyber harm is the use of proxy measures and metrics, which assess trends and relativities rather than offering direct measurements of cyber harm. One important aspect of such measures is the role of trust and confidence in relation to the ICT environment, for example represented by demographics and user growth rates on social media services. While more indirect in nature, proxy measures offer vast potential for assessing both the advantages and disadvantages of cyber harm interventions, including opportunity costs.
Figure 4.7: Examples of cyber harm metrics (table columns: type, subject, quantitative metrics, qualitative metrics; types: physical, psychological, economic, reputational, cultural, political; subjects: individual, organisational, infrastructure/property, national. Quantitative metrics listed: crime statistics, medical statistics, insurance premiums, system recovery time, direct financial losses, indirect financial losses, market growth statistics, stock market fluctuations, shareholder value, sentiment analysis; no quantitative metric is given for cultural and political harm. Qualitative metrics listed: victimisation survey, consumer survey, case studies, sentiment analysis, media review, trade embargos)
Selected quantitative metrics
Direct financial loss83
Direct financial losses due to cybercrime, such as online fraud, allow for quantitative measurement, for instance through the number and amount of unwanted credit-card charges, disputed bank transactions, etc. A variety of methods to determine the financial costs of different cyber-attacks has been developed. Reports by Anderson et al. and the Center for Strategic and International Studies provide an overview of the different applied approaches and their accuracy.
83 Anderson, R. et al. (2012). “Measuring the Cost of Cybercrime,” in: The Economics of Information Security and Privacy (pp 265-300). Berlin and Heidelberg: Springer; Center for Strategic and International Studies (2014). Net Losses: Estimating the Global Cost of Cybercrime. Economic impact of cybercrime II. Santa Clara: McAfee.
Crime and medical statistics84
Statistics on criminal incidents (provided the cause of cyber-attacks can be attributed) and medical injuries, as well as the associated severity of physical harm, are another quantifiable metric for the assessment of cyber harm, in particular as more cases of physical harm are reported.
Sentiment analysis85
One method to analyse reputational harm is to identify positive and negative opinions expressed in media (both mainstream and social media) through sentiment analysis, using computer algorithms. Quantitative data can then be assessed in light of the financial performance of a company. In addition, opinions might also be analysed qualitatively, in particular to determine the severity of reputational harm.
Shareholder value86
Some publications suggest that cybercrime might lead to a reduction of the shareholder value of companies, which could be used as an indicator of economic and reputational harm. Although an analysis of the loss in shareholder value should be correlated with other metrics, such as financial loss, as it otherwise risks establishing false connections, it can be a useful measurement of the long-term impact on a company and the extent of a cyber-attack.
Selected qualitative metrics
Victimisation survey87
Commonly used to measure crime occurrences, and in this context used as a quantitative metric, victimisation surveys can provide insights both into the number of victims that have suffered harm caused by a cyber-attack and into the forms of harm suffered. However, these surveys assume that the victim is aware of and understands the attack and harm suffered, which might not always be the case in cybercrime. Moreover, the common form of victimisation surveys mainly focuses on determining the number of reported and unreported (cybercrime) cases rather than looking at the extent of the harm suffered.
Nuanced survey questions that go beyond mere ratings of experienced harm on a given scale and are able to produce comparable results need to be developed, if the aim is to measure different forms of cyber harm and their extent. This could for instance be achieved through linking the survey to the cultural values model of Schwartz, so that victims are asked about the specific needs or values they experience as having been set back.
84 Daphna, C., Gross, M.L. and Waismel-Manor, I. (2014). "Immune from Cyber-Fire? The Psychological & Physiological Effects of Cyberwar." In: Binary Bullets: The Ethics of Cyberwarfare. Edited by Fritz Allhoff, Adam Henschke, and Bradley Jay Strawser. Oxford: Oxford University Press forthcoming.
85 Diermeier, D. (2008). “Measuring and Managing Reputational Risk,” Risk Management (March 2008).
86 Maddison, M. and Boichat, P. (2013). Cyber Security and Mining: A boardroom issue. London: Deloitte LLP; Cisco (2011). Email Attacks: This Time It’s Personal. Cisco Security White Paper.
87 Fafinski, S., Dutton, W.H. and Margetts, H. (2010). Mapping and Measuring Cybercrime. Oxford: Oxford Internet Institute.
Consumer survey and indirect financial loss88
Similarly to victimisation surveys, consumer surveys are commonly used as methods for quantitative rather than qualitative data gathering. Consumer surveys portray attitudes and behaviour of consumers after a cyber-attack, such as whether they refrain from buying goods in an online shop that has been the victim of a data breach. These data in turn allow for a costing of the indirect financial losses, i.e. lost revenues, suffered through decreased consumer demand. Consumer surveys also offer opportunities for more direct communication between consumers and decision- or policy-makers, as they are able to function as a rapid feedback mechanism. In particular, new Internet-enabled communication channels, including social media, have created possibilities to gather wide-scale quantitative and qualitative data on consumers’ or citizens’ attitudes, opinions and values.
88 Anderson, R. et al. (2012). “Measuring the Cost of Cybercrime,” in: The Economics of Information Security and Privacy (pp 265-300). Berlin and Heidelberg: Springer.
Discussion: Linking Cyber Harm and Cybersecurity Capacity
This article has revealed a significant gap in current cybersecurity literature: harm caused by cyber incidents is understood only in very basic terms and there are no comprehensive models which would allow for the measurement of cyber harm on a national level. Beyond the academic value of an in-depth understanding of cyber harm in its different forms, interdependencies and scales, a national Cyber Harm Model is key to enable informed, strategic and proportionate investments in cybersecurity capacity-building. While current policy-making approaches mainly rely on the analysis of cyber-threats, the nature, extent and interrelatedness of the harm that can be caused by these threats is not sufficiently understood. A model on cyber harm provides a systematic structure of different forms of harm and their interrelationship, as well as cascading effects. Thus, an in-depth analysis of the subjects of harm, their link and the ways in which they can be harmed is possible. Moreover, the identification of qualitative and quantitative measurements of different forms of cyber harm allows for a more comprehensive assessment of the harm landscape. The long-term, inclusive and comprehensive approach of the Cyber Harm Model adds significant value to risk analysis and management. The outcome of the CHM, i.e. a national assessment of cyber harm, will eventually inform the CMM through the identification of links between: 1) types of cyber harm, affected subjects and areas of cybersecurity capacity; 2) types of cyber harm and those actors who have the mandate to act upon them. Figure 5.1 demonstrates how the different steps of the CHM and CMM can work jointly to inform national policy-makers in their investments and interventions.
The joint application of these two models would thus make it possible to assess whether nations are investing in the areas of capacity where they could be harmed most, or whether adjustments in cybersecurity investments need to be made. It would further allow for an assessment of a nation’s ability to strategically and efficiently gather data to measure and assess cyber harm, leading in turn to proactive action upon the identified harms. Moreover, the CHM also serves as a tool for validation of indicators within the CMM by enabling traceability of cybersecurity requirements with respect to avoided, reduced or deterred harm. Having identified the scope of the analysis, the different elements of the CHM (light blue box) indicate what is experienced as cyber harm as a result of cyber-attacks and cybercrime in terms of nature, scope and severity. The outcome of this analysis can then be mapped to who is responsible for acting upon the different types of harm, whether in an anticipatory or a reactive manner. The CMM, through its five dimensions,89 informs the determination of how these actors can intervene to reduce, mitigate or respond to cyber harm. On a national level, this process is further shaped by the specific national priorities, both regarding ICT development and the strategic priorities in other sectors. These factors not only affect how a country perceives cyber harm in the respective national contexts, but also determine which harms the nation decides to act upon and in what way.
89 Security strategy, defence and resilience; society and culture; education and skills, law and regulation, and technology.
Applying a more detailed view, the relationship between the CHM and the CMM can be conceptualised in a joint matrix (Figure 5.2), in which types and subjects of cyber harm appear on the vertical axis and dimensions and factors of cybersecurity capacity appear along the horizontal axis. This matrix would be subject to continual review, as the cybersecurity landscape evolves. For each cell, the specific cybersecurity capacity-building actions that prevent, mitigate or avoid the specific type of harm could be identified. Through such an approach, it would be possible to use the CHM as a tool to measure cybersecurity capacity maturity vis-à-vis the level of national preparedness to avoid or mitigate specific types of harm. The matrix could thereby serve as an adaptive reference framework, which specifies a set of criteria to be satisfied and establishes links between actions and their effect. In this context, the CMM could serve as a tool to assess to what extent a nation satisfies this set of criteria. Ultimately, the joint application of the CMM and the CHM, contextualised by national priorities and mandates, will allow for a strategic and targeted approach towards cybersecurity investments, interventions and capacity-building activities.
Figure 5.1: Cyber harm in policy-making (elements of the CHM: Scope: nation as a whole, specific type of cybercrime, ...; Subjects: national, infrastructure/property, organisations, individuals; Types of harm: physical, psychological, cultural, economic, reputational, political; Metrics: crime statistics, financial losses, victimisation surveys, consumer surveys, ... Contextual elements: National priorities: economic development, political stability, welfare, ICT development, ...; Mandate: government, police, health system, insurance companies, military, ...; Capacity (CMM): strategy and resilience, technology, knowledge, society and culture, law and regulation. Outcome: INTERVENTION)
Figure 5.2: Relating cyber harm and cybersecurity capacity (matrix. Rows, Cyber Harm Model (CHM): types of harm (physical, psychological, economic, reputational, cultural, political), each broken down by subjects of harm (individual, infrastructure/property, organisational, national). Columns, Cybersecurity Capacity Maturity Model (CMM): D1 Security Strategy, Defence and Resilience (F 1.1 National strategy, F 1.2 Incident Response, F 1.3 CNI Protection, F 1.4 Crisis Management, F 1.5 Cyber Defence, F 1.6 Digital Redundancy); D2 Society and Culture (F 2.1, F 2.2, F 2.3, …); D3 Knowledge Development (F 3.1, F 3.2, F 3.3); D4 Law and Regulation (F 4.1, F 4.2, F 4.3); D5 Standards, Controls and Technologies (F 5.1, F 5.2, …))
Acknowledgements
This work would not have been possible without the invaluable assistance of Ivan Arreguín-Toft, Ian Brown, William Dutton, Jassim Happa, Lilly Pijnenburg Muller, Jason R.C. Nurse, Lara Pace and Basie Von Solms.