-
Security Patchworking in Lebanon: Infrastructuring Across Failing Infrastructures
Authors:
Jessica McClearn,
Rikke Bjerg Jensen,
Reem Talhouk
Abstract:
In this paper we bring to light the infrastructuring work carried out by people in Lebanon to establish and maintain everyday security in response to multiple simultaneously failing infrastructures. We do so through interviews with 13 participants from 12 digital and human rights organisations and two weeks of ethnographically informed fieldwork in Beirut, Lebanon, in July 2022. Through our analysis we develop the notion of security patchworking that makes visible the infrastructuring work necessitated to secure basic needs such as electricity provision, identity authentication and financial resources. Such practices are rooted in differing mechanisms of protection that often result in new forms of insecurity. We discuss the implications for CSCW and HCI researchers and point to security patchworking as a lens to be used when designing technologies to support infrastructuring, while advocating for collaborative work across CSCW and security research.
Submitted 25 October, 2023;
originally announced October 2023.
-
Othered, Silenced and Scapegoated: Understanding the Situated Security of Marginalised Populations in Lebanon
Authors:
Jessica McClearn,
Rikke Bjerg Jensen,
Reem Talhouk
Abstract:
In this paper we explore the digital security experiences of marginalised populations in Lebanon such as LGBTQI+ identifying people, refugees and women. We situate our work in the post-conflict Lebanese context, which is shaped by sectarian divides, failing governance and economic collapse. We do so through an ethnographically informed study conducted in Beirut, Lebanon, in July 2022 and through interviews with 13 people with Lebanese digital and human rights expertise. Our research highlights how LGBTQI+ identifying people and refugees are scapegoated for the failings of the Lebanese government, while women who speak out against such failings are silenced. We show how government-supported incitements of violence aimed at transferring blame from the political leadership to these groups lead to amplified digital security risks for already at-risk populations. Positioning our work in broader sociological understandings of security, we discuss how the Lebanese context impacts identity and ontological security. We conclude by proposing to design for and with positive security in post-conflict settings.
Submitted 16 June, 2023;
originally announced June 2023.
-
'Cyber security is a dark art': The CISO as soothsayer
Authors:
Joseph Da Silva,
Rikke Bjerg Jensen
Abstract:
Commercial organisations continue to face a growing and evolving threat of data breaches and system compromises, making their cyber-security function critically important. Many organisations employ a Chief Information Security Officer (CISO) to lead such a function. We conducted in-depth, semi-structured interviews with 15 CISOs and six senior organisational leaders, between October 2019 and July 2020, as part of a wider exploration into the purpose of CISOs and cyber-security functions. In this paper, we employ broader security scholarship related to ontological security and sociological notions of identity work to provide an interpretative analysis of the CISO role in organisations. Research findings reveal that cyber security is an expert system that positions the CISO as an interpreter of something that is mystical, unknown and fearful to the uninitiated. They show how the fearful nature of cyber security contributes to it being considered an ontological threat by the organisation, while responding to that threat contributes to the organisation's overall identity. We further show how cyber security is analogous to a belief system and how one of the roles of the CISO is akin to that of a modern-day soothsayer for senior management; that this role is precarious and, at the same time, superior, leading to alienation within the organisation. Our study also highlights that the CISO identity of protector-from-threat, linked to the precarious position, motivates self-serving actions that we term 'cyber sophistry'. We conclude by outlining a series of implications for both organisations and CISOs.
Submitted 25 February, 2022;
originally announced February 2022.
-
Collective Information Security in Large-Scale Urban Protests: the Case of Hong Kong
Authors:
Martin R. Albrecht,
Jorge Blasco,
Rikke Bjerg Jensen,
Lenka Mareková
Abstract:
The Anti-Extradition Law Amendment Bill protests in Hong Kong present a rich context for exploring information security practices among protesters due to their large-scale urban setting and highly digitalised nature. We conducted in-depth, semi-structured interviews with 11 participants of these protests. Research findings reveal how protesters favoured Telegram and relied on its security for internal communication and organisation of on-the-ground collective action; were organised in small private groups and large public groups to enable collective action; adopted tactics and technologies that enable pseudonymity; and developed a variety of strategies to detect compromises and to achieve forms of forward secrecy and post-compromise security when group members were (presumed) arrested. We further show how group administrators had assumed the roles of leaders in these 'leaderless' protests and were critical to collective protest efforts.
Submitted 31 May, 2021;
originally announced May 2021.
-
Fragmented digital connectivity and security at sea
Authors:
Rikke Bjerg Jensen
Abstract:
This paper explores how uneven and often unreliable digital connections shape the patterns and routines of everyday life, work and rest for seafarers, during long periods at sea. Such fragmented connections, which surface when the ship moves in and out of connectivity or when onboard data allowances run out, create a series of uncertainties that might unsettle individual and collective notions of security. Ethnographic in nature, the study engaged 43 seafarers on board two container ships in European waters, during two two-week voyages between February and April 2018. This provided an empirically grounded exploration of how digitally facilitated connections, relations and networks, enabled through increasingly connected ships, shape and reshape seafarer lives. Findings from this study demonstrate the creative ways in which seafarers navigate and negotiate digitally facilitated connections to maintain relational ties with family and friends. The paper concludes by setting out future research directions and practical implications that speak to connectivity and security at sea.
Submitted 31 October, 2020;
originally announced November 2020.
-
The Vacuity of the Open Source Security Testing Methodology Manual
Authors:
Martin R. Albrecht,
Rikke Bjerg Jensen
Abstract:
The Open Source Security Testing Methodology Manual (OSSTMM) provides a "scientific methodology for the accurate characterization of operational security" [Her10, p.13]. It is extensively referenced in writings aimed at security testing professionals such as textbooks, standards and academic papers. In this work we offer a fundamental critique of OSSTMM and argue that it fails to deliver on its promise of actual security. Our contribution is threefold and builds on a textual critique of this methodology. First, OSSTMM's central principle is that security can be understood as a quantity of which an entity has more or less. We show why this is wrong and how OSSTMM's unified security score, the rav, is an empty abstraction. Second, OSSTMM disregards risk by replacing it with a trust metric which confuses multiple definitions of trust and, as a result, produces a meaningless score. Finally, OSSTMM has been hailed for its attention to human security. Yet it understands all human agency as a security threat that needs to be constantly monitored and controlled. Thus, we argue that OSSTMM is neither fit for purpose nor can it be salvaged, and it should be abandoned by security professionals.
Submitted 13 October, 2020;
originally announced October 2020.