Identifying Unintended Harms of Cybersecurity Countermeasures

Yi Ting Chua, Simon Parkin, Matthew Edwards, Daniela Oliveira, Stefan Schiffner, Gareth Tyson, Alice Hutchings

Research output: Chapter in Book/Report/Conference proceedingConference Contribution (Conference Proceeding)


Well-meaning cybersecurity risk owners will deploy countermeasures (technologies or procedures) to manage risks to their services or systems. In some cases, those countermeasures will produce unintended consequences, which must then be addressed. Unintended consequences can potentially induce harm, adversely affecting user behaviour, user inclusion, or the infrastructure itself (including other services or countermeasures). Here we propose a framework for preemptively identifying unintended harms of risk countermeasures in cybersecurity. The framework identifies a series of unintended harms which go beyond technology alone, to consider the cyberphysical and sociotechnical space: displacement, insecure norms, additional costs, misuse, misclassification, amplification, and disruption. We demonstrate our framework through application to the complex, multi-stakeholder challenges associated with the prevention of cyberbullying as an applied example. Our framework aims to generate these consequences, not to paralyze decision-making, so that potential unintended harms can be more thoroughly anticipated and considered in risk management strategies. The framework can support identification and preemptive planning to identify vulnerable populations and preemptively insulate them from harm. There are opportunities to use the framework in coordinating risk management strategy across stakeholders in complex cyberphysical environments.
Original languageEnglish
Title of host publicationProceedings of the Symposium on Electronic Crime Research
PublisherAnti-Phishing Working Group
Publication statusPublished - 13 Nov 2019

Structured keywords

  • Cyber Security


Dive into the research topics of 'Identifying Unintended Harms of Cybersecurity Countermeasures'. Together they form a unique fingerprint.

Cite this