Notorious exhibits of the irresponsible use of digital technologies causing harm to large numbers of citizens (such as the Cambridge Analytica case) tell us that regulation of the Internet as one of the major technological developments of the modern global society is imminent. Although much work is devoted to the development of risk measures in digital domains, it is equally important to understand the origins of human behaviour in cyber spaces as well as to analyze how regulatory frameworks develop around human values as well as human behavioural patterns.
In a world where the majority of our lives are spent in the digital domain, cyber security is on everybody’s mind. Cyber attacks not only lead to a significant financial damage, but also cause prolonged psychological harm as the majority of modern attacks use social engineering techniques to trick people into doing something they otherwise would not want to do (for example, click on phishing email links, etc.). Under these circumstances, regulation of digital spaces is necessary at a state level and we see more and more countries introduce regulatory tools and laws for cyber environments. Yet, while in some parts of the world digital spaces are heavily regulated (e.g., China), in other parts nation-states exercise a more laissez-faire approach. What is the reason for such a heterogeneity in cyber security regulation around the globe?
How Can We Measure Global Cyber Security?
If you think that the state-level differences in cyber security regulation have nothing to do with human culture, think again! We recently found that differences in cultural values between countries explain this regulatory variability. We used the cultural value orientations measures from 74 countries to predict the Global Cybersecurity Index (GCI), which measures state commitments of countries to cyber security regulation. The Index, produced by the International Telecommunications Union (ITU) via detailed interviews with governments, assesses each country’s engagement with the cyber security regulatory processes across 5 pillars: Legal, Technical, Organizational, Capacity Building, and Cooperation pillar. The measures from all pillars are then combined into one index.
The GCI aims to measure how countries differ in terms of their cyber security regulation. The ITU argues that: The Global Cybersecurity Index (GCI) is a composite index combining 25 indicators into one benchmark measure to monitor and compare the level of the cybersecurity commitment of Member States with regards to the five pillars of the Global Cybersecurity Agenda (GCA). These pillars form the 5 sub-indices of GCI. GCI is continuously being enhanced in response to ITU Member States request to develop a cybersecurity index that can be published on a regular basis. The main objectives of GCI are to measure:
the type, level and evolution over time of cybersecurity commitment in countries and relative to other countries
progress in cybersecurity commitment of all countries from a global perspective
progress in cybersecurity commitment from a regional perspective
the cybersecurity commitment divide i.e. the difference between countries in terms of their level of engagement in cybersecurity initiatives
The objective of the GCI is to help countries identify areas for improvement in the field of cybersecurity, as well as motivate them to take action to improve their ranking, thus helping raise the overall level of cybersecurity worldwide. Through the collected information, GCI aims to illustrate the practices of others so that Member States can implement selected aspects suitable to their national environment, with the added benefit of helping harmonise practices and foster a global culture of cybersecurity. (See ITU/BDT Cyber Security Programme Global Cybersecurity Index, 2018, p. 3)
According to the ITU, the GCI components are defined as follows:
It turns out that the heterogeneity in cyber security regulation (measured by the GCI) stems from the fundamental cross-cultural differences in human values between countries. This means that cultural value orientations map nicely onto national commitments to regulate and govern cyber security.
Measurements of Human Values Across the World
Schwartz theory of cultural value orientations provides a nice measurement structure for understanding how countries around the globe differ from each other in terms of their cultural values. Schwartz theory of cultural value orientations is based on three fundamental problems important for the formation of human values. We can define these problems as Social problem, Responsibility problem, and Nature problem.
·Society problem: the problem of coexistence between an individual and a group (highlighted by Embeddedness vs. Autonomy dichotomy).
Responsibility problem: the problem of coexistence between an individual and social fabric responsibilities (highlighted by Egalitarianism vs. Hierarchy dichotomy).
Nature problem: the problem of coexistence between human beings and nature (highlighted by Harmony vs. Mastery dichotomy).
It is easy to notice that Social problem (captured by the Embeddedness and Autonomy dichotomy) plays a more important role for cyber spaces than the other two problems as it relates to the general issues of an individual's place within the society. We all have individual and social experiences in the digital world as different people have different habits with regard to their cyber activities (such as sharing personal data via social media, enjoying a conversation with other people, etc.). Therefore, the issues relevant to Embeddedness and Affective as well as Intellectual Autonomy, and values associated with them, are very important in the digital domain.
Responsibility problem (measured by Egalitarianism versus Hierarchy) is unlikely to significantly impact on regulation of cyber space because it defines societal rankings for different strands of human life. Yet, one of the most interesting aspects of the use of the Internet as well as the human digital life is that hierarchical structures are rare in digital domain in a sense that when users are communicating or engaging with certain services online, they have equal social standing within the digital world. Of course, hierarchies may develop in digital communities over time but the starting position for the majority of people in the digital domain is very close to the egalitarian world.
Finally, the Nature problem is likely to have least (if any) impact in the digital setting. Of course, the Nature problem is important for many people as many of us are concerned with the use of environmental resources for technological purposes. However, people are unlikely to directly link the use of digital technology to environmental outcomes. For example, many of us are concerned about our personal carbon footprint which may affect our decisions about flying (because, as humans we see a direct link between the act of flying and generation of carbon footprint); yet, when we write an email (or a blog post!), we rarely think of the consequences of our use of the digital technology, which is necessary to write that email (blog post), for the environment.
The Link between Human and Cyber Security Culture
This leaves us with two major “poles” of human values. One of these poles is defined by Hierarchy, Mastery, and Autonomy constructs and is mostly consistent with individual‐based, more challenge‐oriented value structure which we label the Competitive social human values pole; whereas the other pole is defined by Embeddedness, Harmony, as well as Egalitarianism and primarily associated with collective‐based, more challenge‐smoothing value structure which we label the Cooperative social human values pole.
Source: Kharlamov and Pogrebna (2019)
Essentially, using these poles it is possible to distinguish between two types of nations: (1) nations with more competitive (individual-based) social value systems and (2) nations with more cooperative (collective-based) social value systems. Based on this division, we can formulate hypotheses about commitment to cyber security for nations of type 1 and type 2 and test these hypotheses using field data. Through these empirical tests, we see a strong link between human values and the state commitment to regulation and governance of cyber security suggesting that regulatory systems and processes which help societies govern digital domains are rooted in their values and culture.
Source: Kharlamov and Pogrebna (2019) based on Schwartz Theory of Cultural Value Orientations
Specifically, type 1 nations are perceived to be less risk taking by their governments so type 1 governments tend regulate less (show low commitment towards cyber security governance); while type 2 nations are perceived to be more risk taking by their governments and type 2 governments tend to regulate more (show high commitment towards cybers security governance). It turns out that more pro-socially oriented countries scoring high on cultural “Embeddedness”, tend to have lower commitment to cyber security regulation; whereas more individualistic countries scoring high on cultural “Autonomy” tend to have higher commitment to cyber security regulation.
Take Aways: From Human Culture to Cyber Culture
Culture shapes the way in which we govern cyber spaces. Human values lie at the core of the human risk‐taking behaviour in the digital space, which, in turn has a direct impact on the way in which digital domain is regulated. This is why in some countries we have regulation like General Data Protection Regulation (GDPR) while in other countries. We often talk about establishing overarching international regulation for cyber spaces, such as the possibility of a new International Convention of Human Digital Rights. Yet, it seems that the main reason why the international community still failed to agree on such an international regulation has deep cultural underpinning.