Endnote export

 

%T Towards Systemic IT Security: Introducing a Holistic Conceptual Framework for a Society-centered Perspective Connecting IT and Cyber Security
%A Rehak, Rainer
%P 144-155
%D 2025
%K information security; IT security; cyber security; society; politics of cyber security; resilience; ethics; interdependence; theory; threat modeling
%@ 979-8-3315-2469-2
%~ Weizenbaum-Institut für die vernetzte Gesellschaft
%> https://nbn-resolving.org/urn:nbn:de:0168-ssoar-105004-3
%X Digital systems are everywhere and we rely so much on those ubiquitous and interconnected systems that "the networked digital" could be called a hyper-infrastructure. But given the ongoing grave IT security incidents, it still is a defective one. To approach this societal IT security problem, I build on IT security theory and cyber security research to suggest a new paradigm called systemic IT security extending traditional individualistic understandings. Firstly, I map out the academic consensus on how the current state of IT security is not sufficient given the role IT plays in digitally networked societies. I then illustrate the societal consequences of IT insecurity using two major real-world incidents, the Mirai botnet and the WannaCry ransomware. Based on those characteristic examples, I flesh out how the current individualistic paradigm of IT security theory cannot sufficiently grasp the increasingly interconnected nature of the issue. For furthering the fruitful academic discourse, I propose the holistic concept of systemic IT security. With it I define a criteria framework for extending current IT security approaches with the seven dimensions: problem scope, impact, timing, fairness, effective responsibility, resilience and complication. This framework can be used to extend IT security theory, assess concrete IT security measures in a structured manner, and even analyze policies regarding their contribution to systemic IT security. Flanking the framework I propose the new IT security protection goal of intention and expectation alignment and two new actor categories for threat modeling: systems manufacturers and service operators. Finally, the argument is summarized and the scientific merits of the new perspective are explicated: a more contextualized society-aware understanding of IT security.
%C JPN
%C Okinawa
%G en
%9 Conference paper
%W GESIS - http://www.gesis.org
%~ SSOAR - http://www.ssoar.info