Cybersecurity and Consumers

Dr. Kimberlee Ann Brannock
Author: Dr. Kimberlee Ann Brannock, Security Advisory Board Member and Senior Security Advisor
Date Published: 24 May 2022

As a cybersecurity leader and scientist, I find it interesting that as I observe events all around me that all are seemingly unconnected, they are in fact connected, at times with exciting and favorable outcomes. Let me share an example with you.

About a year ago, I was collaborating with the conglomerate in which I am employed, along with an amazing university and other amazing leaders in the cybersecurity industry, when we were asked to help on some cybersecurity endeavors. The university asked us to participate in its cybersecurity advisory board as it worked on bringing to fruition a cybersecurity operation center. The purpose of the cybersecurity operation center is geared toward entities that cannot afford to have one of their own. It is intended to provide a forum and environment for university students to work in a cybersecurity operations center while practically applying what they learn from their cybersecurity program. While this was playing out, one of the cybersecurity leaders with whom I was collaborating introduced me to the 3GO founder and chief operating officer, and I was unexpectedly invited to join the 3GO Security Advisory Board.

As this journey with the 3GO Security Advisory Board progressed, a conversation about how to show the viability of their consumer cybersecurity offerings – and how to measure them – came into the equation. This led to me proposing we leverage and tailor the NIST Cybersecurity Framework (NIST, 2018), and associated NIST controls, such as the Special Publication 800-53 controls, to the 3GO consumer offerings and to create a proposed consumer cybersecurity framework. We have worked with several cybersecurity academics and industry professionals to ascertain what portions of the framework apply to consumers and what controls apply to consumers.

At the same time in my Marymount University doctoral residency and candidacy work, I needed to author a research paper and have that accepted at a viable conference to gain credit toward achieving my second doctorate. I proposed to 3GO and to my Marymount University professor that I write about this proposed research paper focusing on this consumer cybersecurity framework. This was supported by both 3GO to use the content being created and by my Marymount University professor. Once the paper was written, my Marymount University professor stated that the research paper was viable and recommended submitting the research short paper to the ACM sponsored CAPWIC 2022 conference. On 26 March, I had the honor and privilege of presenting the research short to the conference, which resulted in several favorable outcomes, which I share below:

  1. CAPWIC 2022 reviewer feedback indicated the talk on cybersecurity and consumers was an interesting topic and real-world examples were used to illustrate why solving the problem is important. There was reinforcement that the topic could make a huge impact.
  2. We demonstrated we need to approach cybersecurity end-to-end as consumers, which was outlined both in the paper and presentation where we showed current approaches to consumer cybersecurity have an emphasis in securing only one point that can be a significant cybersecurity risk or a few points of vulnerability. At this time, current approaches do not do an adequate job of addressing overall cybersecurity risk in structured manner.
  3. We demonstrated we need to have a cybersecurity framework that helps accomplish this goal (Item 2.) (above)
  4. This also drives that we need a structured consumer cybersecurity solution to take into account behaviors, readiness, education, mitigation, and so forth, which translates into a consumer cybersecurity framework.
  5. The work translated into us identifying key controls for consumers, and the controls were then placed into control families. (This image and content may not be used for commercial purposes outside 3GO).
  6. Figure 1

  7. We then placed the control families into key control pillars which are noted in the below image. (This image and content may not be used for commercial purposes outside 3GO).
  8. Figure 2

    Figure 3

  9. We then rolled the key control pillars into the consumer cybersecurity framework where we readily can tie it back to the NIST Cybersecurity Framework (NIST, 2018), which we share below for reference.
  10. Figure 3

  11. The conference talk and research short paper gives credence to the above data points and will help 3GO and those of us on our exciting cybersecurity journey.
  12. Lastly, my hope is this will encourage the cybersecurity industry to continue to conduct applied research to outline where we are in the cybersecurity field and where we need to go. I, personally, am excited to see what we learn next.