Public Health Policies and Cyber Resistance: What Cyber Can Learn – Part I

Mark Sirkin, PhD

Head, Applied Psychology and Human Factors

Assured Cyber Protection

May 22, 2020

When the history of our times is written, our response to this pandemic will be part of the story. COVID-19 may become a footnote in history, but the 4th Industrial Revolution (4IR), which is also happening now, will probably be the driven by it. In terms of COVID, there is a background story too, centuries in the making, that is worth paying attention to.  And it may inform our approach to another pandemic currently sweeping the internet—cyber threats of many shapes and sizes.

The history of public health efforts to combat plagues and pandemics can be traced to the beginning of civilization.  Human communities have always battled sickness and plague, and the more close-knit and interconnected the community, the faster sickness and disease spread and the greater the threat.  Simple customs, that we don’t even realize were based in disease prevention, have become barely a second thought: the use of toilets, access to running water, washing hands before handling food, and myriad other activities have reduced our exposure and the spread of disease.  A quick look at the history of public health and preventative healthcare could point to viable approaches in the sphere of cyber prevention as well.

Public health experts often speak in terms of tertiary prevention, secondary prevention, and primary prevention.  Tertiary prevention addresses problems after the fact, and it is often associated with rehabilitation in medicine.  Applying the concept to the world of cyber systems and cyber vulnerability, this approach may be akin to rebuilding a system after it has been hacked and crashes.  It is the worst-case scenario in the sense that the damage is done, the “disease” or attack has run its course, and what can be done now is to rebuild and repair the damage.  This assumes, of course, that the attack has not been fatal, and some reconstitution is even feasible.

Secondary prevention, by comparison, is more concerned with treating the disease as it runs its course, perhaps ameliorating the effects since the disease itself couldn’t be prevented.  In cyber terminology, this means repelling a “black hat” attack or preventing active phishing campaigns from penetrating your organization’s network.  It is an approach that deals with attacks in real-time but doesn’t really prevent them.  It is the treatment phase, in terms of disease progression.

Primary prevention is concerned with stopping the disease before it infects you, perhaps even preventing it from developing in the first place.  We’ve all heard stories of Europe in the middle ages, where human waste was thrown out of windows and garbage left to rot in streets; where sewers, if they existed, ran through the center of busy streets, and horse dung was everywhere you stepped.  The advent of public hygiene, running water from the tap, flush toilets, regular use of soap, are all minor innovations that have contributed to making modern societies the healthiest in human history. 

What is the connection between cyber security and primary prevention?  As the saying goes, “an ounce of prevention is worth a pound of cure,” and in the world of cyber security even more so.  Preventing cyber attacks before they penetrate the system is much more effective than fixing the system after an attack has taken hold.  Along these lines, what does an ounce of cyber protection look like?  There is such a thing as “cyber hygiene,” which refers to best practices among computer users in an interconnected system.  It is accomplished through training, reinforced by culture, and put to actual use. People must be trained to use passwords and two-factor authentication, to think twice about clicking on strange links or opening emails and attachments from people they don’t know, etc.  Just as children are taught to wash their hands after they use the bathroom – an effort that must be reinforced countless times, as any parent knows –cyber hygiene must be taught and reinforced as well.

Children don’t come into the world pre-programmed to prevent the spread of disease. It is something they are taught.  Employees, similarly – especially in a rapidly evolving workplace – must be taught cyber hygiene and best practices to attain a high standard of primary prevention.  And, as the capabilities of cyber criminals evolve, just as viruses do, a one-and-done approach is simply inadequate.  Cyber hygiene is not accomplished in a single training, but must be inculcated at the deepest level of a company’s culture.  Just as communities developed the ability to track the spread of disease to evaluate public health needs and preventative measures, companies can access recently developed culture analysis tools to evaluate how well a company is meeting the challenge of developing cyber immunity at the primary, or training, level.

The above article compares approaches to cyber health with established approaches to public health.  As such, it is a bottom-up viewpoint to suggest ways of looking at the challenges of cyber resistance and cyber immunity.  In the next article in this series, we will examine the issue from a top down perspective, speaking to leaders about how they should consider policy and process in the 4th Industrial Revolution.