Responsibilizing the cybersecurity risk?

In today's society, when considering the mitigation of any risk, it is widely presumed that individuals should, and will, make responsible life choices to improve their well-being. Thus, individuals are primarily held responsible for managing their own cybersecurity, which means they have been responsibilized when it comes to managing the cybercrime risk.

Governments engage primarily in deterrence in the form of advice and awareness campaigns. Prevention is left to individuals, while detection is challenging because of the relative invisibility of these crimes. The global distribution of cybercriminals makes remediation even more challenging. By contrast, for traditional crimes (for example, property crimes), individuals are expected to minimize their vulnerability, and the state then acts to remediate by catching, prosecuting, incarcerating and, in some cases, assisting in rehabilitating the criminals. Police forces also update their advice on how individuals can protect themselves and ensure that deterrence efforts remain current.

Responsibilization is defined as a technique of crime control that expects and requires individuals to take reasonable precautions, thereby minimizing their risk of becoming victims. If they fail to take all the right precautions and fall victim, a certain degree of responsibility for the consequences rests with them. If a citizen falls victim to a cyber attack, he/she will have to cope with the harm that ensues, with little to no help from the authorities in recovering from the attack.

In this paper, Karen Renaud and her colleagues consider the suitability of responsibilization for the cybersecurity risk. The authors set out to answer two questions:

  1. Is it reasonable to assign responsibility for cybersecurity to users? In other words, can users be expected to possess the knowledge and skills required to manage the risk effectively?
  2. Is the cybersecurity responsibilization agenda judicious, given the widespread impact of cyber attacks?
The authors suggest that a hierarchist approach is more appropriate for managing cybersecurity risk. The hierarchist approach holds that whole-society solutions should be developed, informed by expert forecasting and management. In this case, if individuals are unable to take sufficient action to protect themselves, they need to be able to rely on the state to step in. Under this approach, individuals ought to act on prevention and deterrence, supported by a list of preventative measures with easy-to-follow instructions and help centers available to advise on implementing them. The state ought to act on three fronts: (1) standard setting, to prevent incidents and ease their management; (2) information gathering, by encouraging the reporting of cybercrime and establishing skilled cybercrime units to provide advice and help citizens manage such risks; and (3) behavioral modification.

For the authors, the responsibilization approach to cyber risk management is unreasonable, because it requires expertise to manage the risk that relatively few members of the public possess, and injudicious, because when one particular person does not manage their cyber risk, the resulting attack can affect the community at large. Governments should take a more active role, committing more resources and upskilling their crime-fighting police forces and prevention units.
Cite: Renaud, K., Flowerday, S., Warkentin, M., Cockshott, P. and Orgeron, C. (2018). Is the responsibilization of the cyber security risk reasonable and judicious? Computers & Security, 78(2018), 198-211.