Cyber Hygiene: The Big Picture

  • Kaie Maennel
  • Sten Mäses
  • Olaf Maennel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11252)

Abstract

Cybercrime is on the rise, and it is widely believed that appropriate cyber hygiene is essential to securing our digital lives. The expression “cyber hygiene” appears in conversations, conferences, scientific articles, legal texts, governmental publications and commercial websites. However, what cyber hygiene is, what appropriate or optimal cyber hygiene looks like, and what is really meant by the expression and its related practices varies from source to source and is sometimes even contradictory. We review and analyze selected academic papers, government and corporate publications, focusing on the implicit and explicit definitions of what cyber hygiene means to their authors. We also draw parallels and contrasts between this expression and related cyber security terminology (cyber awareness, behavior and culture). We present a conceptual analysis and propose a definition to assist in achieving a universal understanding of, and approach to, cyber hygiene. This work is intended to stimulate a clarifying discussion of what appropriate “cyber hygiene” is, and of how it should be defined and positioned in the wider cyber security context, in order to help change human behavior toward a more secure connected world.

Notes

Acknowledgment

The authors would like to thank Archimedes SA and CybExer Technologies for their support.

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • TalTech University, Tallinn, Estonia