Unintended Harms of Cybersecurity Countermeasures

Organizations can deploy cybersecurity countermeasures to prevent or reduce the harms of specific risks. These measures include technical controls, policies, and advice for system users.

Although cybersecurity countermeasures are put in place to reduce or prevent damage, they can have unintended consequences. These harms can be negligible, such as causing disruption, or serious, harming entire groups of users.

In this article, the authors developed a conceptual framework to discern unintended consequences and potential harms, and subsequently applied it to cyberbullying. They based the framework on five case studies, for which they considered the unintended consequences of possible interventions in cases of intimate partner abuse, disinformation campaigns, CEO fraud, phishing, and dating fraud.

Based on the five case studies, the authors defined several elements, namely:

  • Displacement: Crime displacement occurs when crime moves to other locations, times, targets, methods, perpetrators, or offences, as the result of crime prevention initiatives.
  • Insecure norms: The implementation of countermeasures encourages unstable behaviours, creating the potential for more significant harm.
  • Additional costs: Countermeasures can often involve additional costs to particular parties in terms of time or resources.
  • Misuse: A countermeasure developed to prevent harm may be intentionally misused by a variety of actors in order to create new harms.
  • Misclassification: Technological or administrative systems that create distinctions (such as good/bad or allowed/disallowed) will occasionally classify non-malicious content or individuals as malicious.
  • Amplification: Interventions can backfire, causing an increase in the behaviour targeted for prevention.
  • Disruption: Countermeasures can interrupt the operation of other, potentially more effective countermeasures.

The authors illustrated the applicability of their framework to cyberbullying, and in particular to two countermeasures against it: education and training, and privacy control and management. The analysis of the cyberbullying scenario identified many signals and events to either look out for or avoid on social media or online communication platforms.

To cite: Chua, Y. T., Parkin, S., Edwards, M., Oliveira, D., Schiffner, S., Tyson, G. and Hutchings, A. (2019). Identifying Unintended Harms of Cybersecurity Countermeasures. APWG Symposium on Electronic Crime Research (eCrime), Pittsburgh, PA, USA, pp. 1-15.