Individuals are often held responsible when adverse cyber incidents occur. The ensuing narrative explaining the occurrence points to confounding factuals, e.g., an inability to act securely, a convincingly deceptive attack, or selfishness or laziness. The underlying assumption is that if only humans were different (i.e., acted securely), such adverse events would not occur. In this paper, we use a game-theoretic approach to investigate the counterfactual in cyber: what would happen if individuals were indeed different? To that end, we propose a generic framework drawing upon two games. The proposed framework can help move the field towards judicious responsibilization of individuals and away from knee-jerk scapegoating. We use this framework to examine a specific social harm, data pollution. Our explorations show that even if individuals always behaved securely, this would not necessarily improve collective outcomes. We show that individuals are sometimes not in a position to change security outcomes, however secure their behaviours. The proposed framework can be applied to highlight those entities that are indeed in a position to influence security outcomes in the wider aggregate harm landscape. Future research should build on our work to assign responsibilities in the cyber domain, explore ways to operationalise the games for empirical research, and contribute to novel paradigms such as ethical responsibilization in the context of data breaches.
Chowdhury et al. (Sun,) studied this question.