What's the Point?

We can't have cybersecurity without the humanities with Dr Andrea Zeffiro

Bryony Armstrong Season 1 Episode 8

Cybersecurity researcher Dr Andrea Zeffiro joins Bryony Armstrong to talk about:

  • The role of humanities in addressing technological challenges in data science domains
  • Using humanities to solve problems surrounding data breaches
  • Considering the human elements of cybersecurity 
  • Understanding cybersecurity as more than a neutral protection of networks and data
  • The problems we will have with cybersecurity if the humanities continue to be devalued and underfunded

The Reconfiguring Participation in Cybersecurity project at the Oxford Internet Institute can be found here.

Find Bryony @BF_Armstrong
Find Andrea here

Artwork: Riduwan Molla https://www.canva.com/p/riduwanmolla/
Music: Madaan Mansij https://www.pond5.com/artist/mansij_tubescreamer

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Bryony Armstrong:

Hello and welcome to What's the Point, the podcast where we discuss the need for arts and humanities today. I'm your host, Bryony Armstrong. We're living in a time when the arts and humanities are under threat, and I know this firsthand, having studied both English and maths at university, and now doing a PhD in English. Each week, I'll be joined by a guest talk about what arts and humanities do for the world. If you've ever wondered, what's the point of the arts and humanities, then this is the podcast for you. Hi, everyone, welcome back to What's the Point, my guest today is Andrea Zeffiro, here to talk with me about the role that humanities research plays in the world of cybersecurity. Andrea is an assistant professor in the Department of Communication Studies and Media Arts at McMaster University in Canada. She's also the Academic Director for the Lewis and Ruth Sherman Center for Digital Scholarship, and her areas of research include critical cybersecurity studies and data justice. Let's get into the episode. So how did you come to choose a humanities path?

Andrea Zeffiro:

It's good question, and I've been thinking a lot about it. And I think, in some ways, I don't think it was intentional, but it was certainly drawn by interest. And so when I started my academic trajectory, as an undergraduate student in 1998, you know, I decided that what I wanted to study was...was Media Studies. And at the time, it was, it was so new, and I think part of that was the unknowingness that intrigued me. You know, what it would mean to study media kind of broadly defined, but especially focus on the internet, you know. These questions around, like, what...what is the internet, because we were sort of living...living through...through...through it at the moment. And so when I...when I decided to pursue my studies at the undergraduate level, I...I decided to enroll in Media Studies. And, you know, what I found, I think, most exciting is that my professors at the time, you know, they were, it was truly like an interdisciplinary department and faculty. And so here, you had, you know, the makeup of this, of this department under the moniker of Media Studies, and you had researchers coming from diverse disciplines, you know, journalism, library science, English and Cultural Studies, anthropology. And a lot of...of my classes were, you know, rooted in some of the kind of more traditional approaches to political economy of communication, there was, you know, media and communication history, Information Studies, cultural studies. And I think that really affected me and led me to embrace the humanities because of the interdisciplinarity of, you know, what...what the humanities are and what they do. And at the same time, I had...was also double majoring in film studies, and I fell in love with...with film studies of all things, because to this day, I dislike going to the movie theater, and I'm not one...I'm not an easy, like, if someone suggests, you know, you should watch this film, I'm sort of always hesitant. I don't know...I don't know what it is about that. But it was, I think, the endeavor of...of engaging with film deeply or of peeling back the layers, you know, of understanding the formal qualities of the medium. It was almost like learning another mode of communication, you know? And that only expanded with, you know, the various classes that I was taking, you know, like, I was fortunate enough to take a class in avant garde cinema, you know, and it was, you know, those...the texts that we were analyzing, were really experimental, and, you know, in terms of socially, culturally, technologically. And so these questions like, you know, how do people communicate through media artworks, you know, what is, you know, the artist's perception of the world and what do they have to say about, like, being human and how do they mediate lived experiences through technology? I think these are questions that I continue to reflect on 25 years later, and even now, some of my...my research involves working with media artists whose work challenges the boundaries of conventional applications of data, code, and computation through, like, really experimental, critical, intersectional and multimodal interventions. And so I think, you know, there's this larger thread in my...in my work and in my interests, and in my investment in the...in the humanities, at least at this moment, that is really to advocate for the contributions of researchers in the humanities and social sciences in more, like, data science domains, or in, you know, traditional tech domains. And I think that's really important, because, you know, any attempt to address and respond to, you know, current and future technological challenges, things like, you know, data driven...data driven, or data centric processes, and, you know, artificial intelligence, which everyone is talking...it feels like everyone's talking about this moment. We really need broad societal collaboration and participation, right? So these complexities can't be solved within any one domain or discipline, or through a narrow set of expertise. And I think, you know, humanities scholars have been thinking and writing about the impact of big tech for many, many years. And we're starting to see some of those critical concerns being taken up more publicly. So I think like, you know, going back to your...your question, I'm like, I've proudly stayed within the humanities. I like that, you know, the disciplines in the humanities as ask us to perceive ordinary things differently, or those things that we take for granted, or what seems mundane. Like, that we're given, you know, tools...a toolkit of sorts, to really reflect on these phenomenon differently. And to look at something, like I said, something seemingly mundane and new, or sometimes even to submit to like more of a...an affective or emotional experience, rather than like a really kind of narrowly intellectual one. And so that's, that is really why I've...I've stayed in kind of this this area, or this domain.

Bryony Armstrong:

Yeah, wow, it must have been such an exciting time as well to be taking Media Studies, like while the internet was growing like that, as well. So cool. Yeah, that kind of brings me to my next question, which is like, can you give me an overview of how you came to realize that cybersecurity is what you wanted to look at, through this lens? And more about, sort of, how you realized that we need to look at it through humanities and not just through the lens of having better technology?

Unknown:

Yeah, absolutely. Yeah. So I think, you know, so

Andrea Zeffiro:

Yeah, I think I read online with your broadly, I'm interested in...in cybersecurity, and I think I came to, like, this, sort of, broader area through an intrigue, or interest in...in data breaches of all things. So it was in 2018, or 2019. Around that time that I noticed, well, two things. There was like a prevalence of news stories about data breaches, just like...and as I noticed this, the increase of news stories, I decided to just set a Google alert so that every time, you know, there was a kind of daily digest of news stories. And it went from like, a couple times a week, notifications, to daily over like a year and a half or so. And so that was intriguing to me. And there was something there. And I kind of wanted to know to know more about that. And so I delved into it a little bit and was reading industry literature. And I came across a term, breach fatigue, that was being used. And this was meant to describe a kind of ambivalence that people were experiencing about data breaches. And, you know, the assumption was that people were ambivalent or didn't really care, because we were being overwhelmed by the persistence of these breaches. Right? And so it seemed like it was two things at once. Like, it was becoming kind of, like, standardized, that this was normalized, that these events were...were increasing, but that there was something being presented as, at the same time, as abnormal, right? That there was, like, a kind of crisis there about these...these events. And so I...this is really where I started thinking about, kind of, cybersecurity and framing and I was thinking of, you know, how are data breaches sort of perpetuated as abnormal or as a crisis or as exceptional to, you know, the...the ordinary function of, of digital...of digital networks? So, that sort of set set the stage for me to think, kind of, beyond that to cybersecurity and through the research that I was doing and looking at how, like, domain expertise was defining cybersecurity, really, as you know, risks, threats, and risks and threats to data, to systems, to networks. And so I came across a project called the Reconfiguring Citizen Participation in Cybersecurity project, and that came out of the Oxford Internet Institute. And it was a 15 month study from January 20, to June 2021, something like that. And it consisted of eight co designed workshops on citizen cybersecurity and the researchers applied accident action research methods to cybersecurity, and they ran a series of community workshops where participants were invited to define cybersecurity threats, and also devise changes to protect themselves and reflect on, you know, cyber security's role in their lives. And that project had...had an impact on me. And I started, you know, thinking a little bit more about this. There, they use the framework of participatory threat modeling. And I started thinking more about, you know, how to engage heterogeneous communities in the cybersecurity domain, and what would that look like? What would it look like to run, you know, workshops with different...different community groups and organizations to learn more about how they understood cyber...cybersecurity, cyber threats or insecurities in their daily lives? And how could this...this community based knowledge making inform a toolkit that could be adopted kind of more broadly and possibly intervene in the the cybersecurity domain? Because I think, you know, right now, as...sorry I'm just going to take a step back. My, you know, my original research, like looking into learning more about cybersecurity, I guess, with...I started with this very sort of broad and simple question, which is, what is cybersecurity? You know, and it meant that, like, from sort of a very technical framework, but also more like in how it's constructed, or like that discursive construction of how do people talk about cybersecurity? And what dawned on me was that, like, even for myself, the capacity to understand the full range of cybersecurity risks and threats that people experience was really restricted by how experts and professional communities understood or understand the purpose of cybersecurity as protecting, like I said, network systems, devices, and programs and data. And so what, for me, what was missing was really a consideration of how individuals distinctly understand and experience cyber insecurity. So they're, you know, there's, there's a kind of, like, universalist approach to how cybersecurity is understood. And on one hand, like, I understand that, especially, you know, when we're looking at, you know, the protection of like, digital infrastructure, right, and there's particular things that need to be in place. But at the same time, you know, I think that that's, like, undermining this...this kind of work, because we're not understanding how people are...are...are experiencing cyber insecurity. So, you know, as an example, like what is considered a risk or threat in one context, you know, doesn't necessarily translate into another. In the, the Oxford Internet Research Institute, you know, they...one of the examples that, through that study, one of the examples that they used is gendered, technologically facilitated abuses, such as revenge porn and intimate partner violence that are...that are enabled through smart home technologies. That these are not recognized as cyber insecurities, even though these...these risks and threats directly impact how people, how individuals experience cyber security and safety. So it was really...it's almost like, you know, to acknowledge the necessary expertise of cybersecurity professionals, but then also to create a space for an intervention from humanities scholars to bring in new approaches to understand the lived experiences of people experiencing cyber insecurities. can create, like, the best multi factor authentication system ever. But it's irrelevant if a lot of, like, email customers, for example, don't have an iPhone or a phone that allows them to use that app.

Unknown:

That's right. Yeah. So there's, you know, these flawed assumptions that have underpinned, I think, the design of cybersecurity measures. So like you said, you know, sometimes those SMS codes that are sent during what's become, you know, quite standard two factor authentification. Well, that assumes that everyone possesses a cell phone, or, you know, even in terms of like, ideal user behaviors, you know, of what is kind of suspect behavior. And this configuration of...security configuration is typically modeled after consumers in western capitalist economies. And so, like, departures from certain kinds of behaviors, or even where, you know, emails are being sent from that will automatically be rerouted into a junk folder, for instance. You know, that...anything that departs from that is considered deviant and unlawful. Or even like the the kinds of cognitive function tests that...that people are required to engage with, or, you know, like that password protection practice of converting typed characters to asterisks and, or the visual display of password strength meter, like, it just disregards the...the...the needs of vast swaths of end users with...with vision or auditory and cognitive disabilities. So I think, you know, even within expert and professional groups, there's, I think, room to create an intervention. So even as simple as how the the end user is perceived. That end users have traditionally been perceived as these, like, passive recipients of products developed by expert communities. And...and even the trope of the deficient user is quite common. And this informs cybersecurity design and awareness. So end users are viewed as the weakest link in cybersecurity and, you know, usually devoid of the knowledge to detect or react to security risks. And even training itself will often focus on not getting duped, right? And it sort of characterizes end users in...in very uniform ways. And so my research really wants to reposition end users, and to center the perspectives and lived experiences of end users who are normally marginalized by technology and technology design. And so I think even if security experts, you know, security experts and professionals...I don't think they are necessarily consciously perceiving end users in this way, but, you know, there are value laden assumptions about users that are made and unconsciously structure these...these security practices and protocols. So, you know, for me, a core question that my work is engaging with is, what if cybersecurity and data security frameworks considered how end users experience a range of insecurities?

Bryony Armstrong:

Wow, yeah, because you can't, like, take the human out out of these things. If it's humans using it, you have to consider the human elements too.

Unknown:

That's right. Yeah. So I think it's part of it. If I could, you know, think of possible interventions, it's really about adding a human centered and a context specific lens to cybersecurity. So where humans are reframed, you know...humans as problem to humans as solution. And a lot of my thinking about, you know, how to go about doing this and conducting the research is informed by design justice frameworks. And again, this this means centering audiences and end users that are normally marginalized by design processes. So I think, you know, it's a question of like, how do people experience insecurities? What are the range of insecurities, and how to positionalities and lived experiences mediate, you know, people's ability to access cybersecurity and safety?

Bryony Armstrong:

Fascinating. And circling back to, kind of, your work on how you've noticed the media talking about data breaches, and this, like, ambivalence...and as you said that I was thinking yeah, it's so true that I feel like I...a lot of us see data breaches as, like, the biggest possible threat and yet find it so annoying and just overwhelming how much we're sent emails about being careful about data breaches in our organization. So have you found, like, does...does the way media talk about data breaches and the way we feel about them, like, completely affect the way people then like approach cybersecurity and the uptake of this technology?

Unknown:

Yeah, I think so. I think the media plays a really important role, like any kind of...of, you know, agenda setting actor in...in shaping how we understand these things. That...in some ways, I think, you know, to counteract that...that...that breach fatigue configuration, I think it's overwhelming, like how, especially for for most of us that don't have the the technical expertise, even, you know, to understand all of these, sort of, you know, adversarial actors and all of these processes that it, it almost seems like a problem that's too big for any one person to...to fix or to intervene.

Bryony Armstrong:

Yeah, yeah. It's kind of reminding me of climate change as well.

Unknown:

Exactly!

Bryony Armstrong:

That idea of, like, it's so big, it's so big, can you do anything about it? Will you actually be annoyed by...by someone, like, continuing to talk to you about it? I think a lot of people have a similar ambivalence to that, too.

Unknown:

I think so. And you know, some of my work has looked at how...the way in which data breaches have...the discussion of data breaches or discourses of data breaches have changed over time, from roughly like 2005 to present. And, you know, we see kind of early on that...that the language used, or way of describing the data breaches as...as a crisis is sort of there's, like, an inevitability that this is like, we can't control this, it's out of out of our control, to a shift to...it starts to shift a little bit differently. That...while it's still presented as...as a crisis, right, that it's presented sort of as abnormal to how these networks can function. And that's interesting to me, because I think, in some ways, it also parallels our, you know, larger data centric and data extractive processes. Everything we do is generating data. So if a lot of these companies that, you know, rely on consumer data, if they were to be like, you're right, you know, there's no possible way that we can possibly, you know, control that...it's something like 2.5 quintillion quintillion bytes of data produced every day...like, don't worry about it! You know, is it also about ensuring that, you know, that, that we continue to, you know, operate in these sort of digital or data economies?

Bryony Armstrong:

I'm really curious, in...in the cybersecurity world, what has sort of been the reaction to this humanities approach to it? Like, are people who are very technologically based, sort of, onboard with these ideas? Or have you come across any kind of resistance to your approach to this?

Unknown:

I haven't yet. So I think, at the same time, you know, a lot of this...this is about a year and a bit into into the research...I think the people that I've had the privilege of interfacing with have been very interested and intrigued and on board with, kind of, expanding, you know, how we go about defining and understanding cybersecurity. How that's taken up...I don't yet know how that...that would be taken up, you know, at a much kind of wider industry level. But certainly in smaller circles...and I think, at this point, it's been restricted mostly to cybersecurity or information security units within universities...there's been...there's been an interest, right? But what does, like, there's sort of...there's ramifications for suddenly...I can imagine there being concerned about the ramifications of trying to redefine insecurities and...and how can you put these protocols in place? Even, like, as AI is...is being used even to...to do this kind of, you know, threat hunting or...or, you know, observing sort of vulnerabilities to networks, that...how do you...how do you program experience, you know, these...these lived experiences that you can't always gaugue?

Bryony Armstrong:

Yeah, yeah, that's another thing where it's just...it's so huge that like, it's almost difficult to even start to approach. Um, and from the perspective of cybersecurity, thinking now about some of what you were speaking to at the beginning of sort of like the worth of humanities for you. Does does the, kind of, lack of...lack of funding, often lack of respect for the humanities worry you in this cybersecurity context? And, kind of, do you foresee problems in the world of cybersecurity if humanities continue to be devalued as they have been?

Unknown:

So yeah, yes! The short answer is. I think I am, you know...I think any kind of technological domain...you know, be it like cybersecurity or kind of like big, big tech framework...I think, if humanities are devalued, then we will only...we will only have a very, very narrow approach to understanding technological phenomenon. And we can see this in...in other ways. You know, I'm thinking even in the academic realm, with the adoption of certain kinds of, like, Ed Tech technologies as a kind of panacea for all of our, you know, all of our problems, all of our kind of organizational problems, that if we adopt this new platform, suddenly it will enable us to, you know, connect better or facilitate, you know, the student experience. And I...and I worry about that. I worry about that approach, because I think, in some ways, you know, we see organizations making claims about the values...what, you know, what is valued. And, versus, you know, the...the kinds of tools and approaches that are...that are being adopted, and being implemented through a very kind of narrow lens. So, I think that without a truly interdisciplinary approach, where you're bringing people together with different lived experiences, with different kinds of training, asking different questions, you know, that we're just going to kind of perpetuate the same harms, and biases that, you know, that that we've been perpetuating up to this point.

Bryony Armstrong:

That's totally how I see one of the huge roles of humanities, to. It's to ask questions. And it's so important. And yeah, we can't expect to kind of have a perfect technological society where everything is safe and secure with...by not asking questions and just removing the human elements from it.

Andrea Zeffiro:

That's right.

Bryony Armstrong:

I think that's a great place to end, so thank you so much for coming on What's the Point today. It's been great to have you.

Andrea Zeffiro:

Thank you so much. It was wonderful to be here.

Bryony Armstrong:

Thank you for listening to what's the point. If you enjoyed this podcast, don't forget to subscribe. You can also find us on Twitter at wtppod_ and send us a DM if you want to get in touch. We'll see you next time with a brand new episode.

People on this episode