Student blog by Amira Ferraboli*
Resilience as a concept has been applied to several fields of study, from engineering to psychology and sosiology (Bourbeau, 2018). In the last few decades, it has also experienced shift towards increasing policy relevance, and has developed deep roots in security analyses, including the field of digital security (Juntunen & Virta, 2019: 72). But what is digital security? And what is resilience is this context?
Digital security is usually understood as building thick firewalls and bulletproof structures around networks and infrastructures to make them impenetrable to all kind of risks (Rothrock & Clarke, 2018). However, increasing complexity and nonlinear changes are continuously demanding the use of resilience as a key strategic response in security policy and practice (Juntunen & Virta, 2019: 67). In this sense, with the sophistication of cyber threats, the question is not anymore “if” our networks will ever be hacked, but “when” this will happen. Thus, the goal of passively preventing any unauthorized access and any action of malicious players can be deemed almost unfeasible. A more attainable goal would be to develop resilience to deal with these attacks in a proactive way and survive in the chessboard of security (Rothrock & Clarke, 2018).
Resilience, in broad sociological lines, is the ability of a group to cope with external stresses and disturbances as a result of social, political, and environmental change (Adger, 2000: 347). Resilience emphasises the need to increase the mental and physical adaptability of individuals, communities, the private sector, and civil society to face unpredictable, even inevitable threats (Juntunen & Virta, 2019: 73). In this sense, being digitally resilient means to quickly identify and limit unauthorized activities in your network, and most importantly, resume core operations right after disabling an attack. Digital resilience also means learning to dose our fears and openness to business and opportunities in the heavily interconnected world we live in (Rothrock & Clarke, 2018).
A concrete illustration of this point could be found in an analogy of parents trying to protect their child from digital threats. Any parent would worry should their children become a victim of cyber-bullying, cyber predators and scammers, phishing, or an accidental download of malicious software. Still, they also know how important it is to allow their kids to develop their digital presence, access e-books, learn languages, connect and bond with people from all over the world.
Preventing children from interacting in online spaces does not seem to be the most sensible choice. Instead, wiser path would be to take necessary prevention measures – like instructing them not to disclose their personal information – which is usually done quite successfully by parents; but also, to monitor and identify risks, as well as prepare plans of action for undesired situations. This is what parents may not be doing, because they might believe that their preventive actions guarantee safe online behavior of their children, or because they might simply perceive something bad happening to their children as too painful and unbearable to think of.
At this point, it is important to highlight that it is quite normal of not wanting anything bad to happen to our beloved ones and, thus, to invest all efforts into prevention and protection instead of resilience strategies. Still, as previously argued, dealing with security means requires taking strong preventive and protective measures, but also learning to foresee adversities and act rapidly and assertively to prevent further damage and trauma. Apologies must be asked to the reader, as this is an extreme example that brings emotional reactions; however, the exercise of transporting our argument to a more human and daily reality, and not talking only in abstract terms of policies and businesses, hopefully makes the importance of the argument more evident.
Rothrock and Clarke (2018) argue that American companies and institutions have not been able to show resilience after facing cyber attacks and data breaches. When companies and institutions show their inability to do so, this may result in loss of trust from consumers and citizens, and consequently reputational, legal and financial risks to the brand/institution. This includes, for example, becoming defendants in expensive lawsuits due to data privacy issues, and employing high sums of money with emergency plans. Regarding the latter, it is easy to foresee that the entities that suffered data breaches, in their despair, will be willing to pay whatever is asked by opportunistic providers for a mitigation action. To make things worse, there is also the risk that these mitigation actions may not be very well designed and effective due to lack of time and “last-minute improvisations”.
What is digital resilience in practice, then? Some brief examples: getting to know your network and all its connections; building an incident response team; quickly and precisely identifying malware, worm or virus invasion and implementing suppression tools against them; implementing data and cyber recovery programmes; identifying phishing attempts and investigating their source; and issuing timely alerts to co-workers, leaders and authorities about threats and attacks. At this point, it is essential to highlight that these practices of digital resilience should not only be a concern of the “IT guys” only. Instead, they should be comprehensively dealt by companies/institutions as well as their respective employees and stakeholders, since they are all responsible for the data generated by their digital presence.
In conclusion, the title of this post is quite provocative as it argues that we should stop trying to shield our networks and data at all costs. As the reader might have noticed, the complement “at all costs” is important here. Prevention and protection are key and are not to be dismissed, still their pursuit should not be done at the costs of ignoring resilience. In order to achieve an optimum result in dealing with digital threats and risks, we should be able to divide our attention and resources between both facets of digital security.
*This student blog post has been done as part of the course SAFS01 Societal Security: Contemporary Challenges in the Masters Degree Programme in Security and Safety Management (SAFER) in fall 2019.
Adger, W. N. (2000). Social and Ecological Resilience: are they Related? Progress in Human Geography, 24(3), 347–364.
Bourbeau, P. (2018). A Genealogy of Resilience. International Political Sociology, 12, 19–35.
Juntunen, T. & Virta, S. (2019). Security Dynamics: Multilayered Security Governance in an Age of Complexity, Uncertainty, and Resilience, in: Kangas, A. et al. (eds.) Leading Change in a Complex World: Transdisciplinary Perspectives. Tampere University Press, 67-85.
Rothrock, R., & Clarke, R. (2018). Digital Resilience: Is your Company Ready for the Next Cyber Threat? New York: American Management Society.