On the other hand, citizen-centricity involves active citizen participation in the design and implementation of cybersecurity solutions. As cybersecurity can be considered a public good, it should not be captured by the interests of private actors and the state alone. Yet, this is frequently the reality. Responsible co-production of cyber resilience involves the coordination of civil society activity by the state within the bounds of laws. Indeed, the cybersecurity laws and frameworks under which civil society is governed should reflect a cross-section of society at large.
It is essential to think from the perspective of intersectional disadvantages as a starting point to design cybersecurity solutions. Specific communities are marginalized under the dominant power and privilege structures due to their various identities. Many cyber risks are experienced differently by communities online, reflecting the structural dynamics of the offline world.
For instance, individuals' characteristics – such as user trust in social network providers and members, gender and age – are found to influence their levels of vulnerability to social engineering in social networks. Another illustrative case is the data breach that revealed the personal data, including abortion records, of nearly 650,000 patients from the Brazilian municipality of São Paulo in 2016, exposing women and their doctors to potential criminal charges as abortion is illegal in the country. Intersectional inequality is also pronounced in online hate speech in Europe, which is often targeted against women, especially those working in public positions or from minority religious, ethnic and gender-identity communities.
A global study of the information security workforce by the International Information System Security Certification Consortium (ISSCC) found that wage and workplace discrimination – factors that deter new entrants into the workforce – are the most prevalent for female minority cybersecurity professionals, while ethnic minorities are underrepresented in leadership roles. The lack of diversity and meaningful participation from different communities in the formation of cybersecurity practices perpetuates the barriers and disincentives to an inclusive and context-sensitive cyberspace.
The recent study conducted by the United Nations Institute for Disarmament Research emphasizes the need for technology design to be gender-sensitive – for example, the threat modelling phase for smart household devices has not been designed to include intimate partner violence. Similarly, much of the assistance to civil society organizations is concentrated on emergency response, analysis and advocacy, while direct technical assistance targeting threats specific to these organizations and long-term capacity-building against cyber attacks are rare.
Current research on an intersectional approach to cybersecurity is still at a nascent stage. A scoping study on gender and digital security by the Citizen Lab has revealed that gaps still exist in topics such as targeted threats, free expression online, app privacy and security, and transparency and accountability of social media companies. Indeed, in this article, we have not covered all the affected vulnerable communities in cyberspace, but have only shed light on the differentiated impact digital risks have on specific communities that are often marginalized in cyberspace.
Integrating underserved communities
To promote greater inclusion in cybersecurity efforts, states and intergovernmental organizations should begin by mainstreaming the perspectives, experiences and participation of different communities into the underlying norms and structures governing cyberspace. For instance, understandings from existing international gender frameworks such as the 2018 Human Rights Council Resolution that calls for “preventing and responding to violence against women and girls in digital contexts” could be integrated into intergovernmental cybersecurity efforts. Such efforts include the 2015 UN Group of Governmental Experts (GGE) cyber norms and the Open-Ended Working Group on Developments in the Field of ICTs in the Context of International Security.
Only when citizens, including vulnerable civil society stakeholders, take ownership of and contribute to the co-production of cybersecurity can we ensure that no one is left behind in cyberspace.