A Critical Assessment of Social Cybersecurity as a Technoscientific Enterprise

As I have noted, the socio-technical architecture of cyberspace presents a significant challenge for designing effective responses to the malicious use of information and communication technologies. A fundamental problem in countering offensive cyber operations is the proactive and effective detection of them. This challenge is closely linked to the difficulty of irrefutable attribution of responsibility. These offensive cyber operations can be understood on two levels. The first, and best-known, is most associated with the field of cybersecurity: practices that target the material infrastructure of networks and devices, such as ransomware, denial-of-service attacks, system infiltration, and other technical intrusions. The second level, which may overlap with the first and is the focus of my research, encompasses operations that exploit individual cognitive vulnerabilities.

It can be argued that these latter operations are more complex to prevent, identify, attribute, and counter at a technical level than cyber operations targeting computer systems, which are more traceable through intensive forensic analysis. In this sense, cybersecurity is a field called upon to expand its epistemological boundaries and take on a significant portion of the challenges posed by influence operations in cyberspace. In his 2023 book What is Cybersecurity, Tim Stevens argues that cybersecurity has become a basic element of contemporary public policy, one that cannot be treated solely from the perspective of technologists but demands engagement from the social sciences. However, cybersecurity research has tended to concentrate on software and hardware vulnerabilities that can be exploited, thereby often overlooking actions that—for political purposes—intervene in the dynamics of information consumption and distribution in cyberspace.

The social dimension is not absent from standard cybersecurity approaches, but the human factor is viewed primarily as a vulnerability. Practices such as setting a weak (i.e., crackable) password, introducing a contaminated USB drive into the local network, or falling for a phishing attack can severely compromise system integrity. As indirect victims of attacks targeting networks and computer systems, the impact is often reduced to the loss of sensitive information and the disruption of complex social services that now critically depend on this infrastructure. Yet progressively, cybersecurity is becoming a field of interest to a multiplicity of epistemic communities, integrated as a subfield of international relations and (critical) security studies. The shift is from viewing cybersecurity as a technical matter to framing it as a political (security) task.

The prevailing approaches in the discussion on defending against cybersubversion point to two main strategies. The first is oriented toward fostering social resilience through digital literacy actions or mass content moderation. This involves what is often called cognitive resilience, which aims to prevent the target audience from internalizing disinformation and propaganda. The second strategy entails a strategic partnership between state security agencies, software developers, and infrastructure managers to proactively counter threats—a path that includes some artificial intelligence and machine learning-assisted approaches.

Social Cybersecurity

And there are concrete operational proposals. The field of social cybersecurity studies is less than fifteen years old by my count. Its main, central figure, Kathleen Carley of Carnegie Mellon University, defines it—alongside a U.S. Army officer—as:

an emerging scientific area that uses science to characterize, understand, and forecast cyber-mediated changes in human behavior, society, culture, and politics, and to build the necessary cyber-infrastructure to enable society to retain its essential character in the midst of a changing information environment facing current and emerging social cyber threats .

It is a form of applied computational social science, meaning that new technologies and findings emerging from its development have immediate application in cyberspace. According to a 2019 report by the U.S. National Academies of Sciences, Engineering, and Medicine, a social cybersecurity researcher empirically and methodologically accounts for the socio-political context of activities in cyberspace, integrates theory and research on persuasion, influence, and manipulation with studies of human behavior online, and identifies pathways for the practical application of their research findings.

Computational Social Science is "an interdisciplinary field of study at the intersection of data science and the social sciences that seeks causal and predictive inferences", according to the Handbook of Computational Social Science. For author Claudio Cioffi-Revilla, it is about "advancing scientific understanding of society and social dynamics using the computational paradigm of complex adaptive systems." Studies in social cybersecurity tend to employ methods such as network analysis, automated information extraction, and agent-based simulation to provide evidence about who is manipulating online conversations and to define alternatives to counter that manipulation. This aligns with the core research areas of Computational Social Science.

Principal Contributions and Limitations of Social Cybersecurity

The field of social cybersecurity provides research lines and findings that contribute to the goal of countering political cybersubversion. Catch here some of its most recent contributions. The spectrum of topics is broad, not limited to disinformation and influence operations on social media, but also includes analyzing these dynamics in the broader context of the Internet. Other objects of study include the development of educational and training modules in critical thinking and the assessment of political and ethical issues related to media manipulation, among others.

However, a primary limitation of the field is that concrete user-layer interventions remain scarce. Solutions appear oriented toward informing policy or strengthening (U.S.) national security from a military operational standpoint, rather than understanding the user as an active agent with a role in the co-design and co-production of solutions. This is starting to change with ongoing integration with psychological studies. Another problem is the privileging of quantitative approaches in final assessments, such that the "social" within "social cybersecurity" is often reduced to the technical processing of a social problem. This is consistent with the broader conceptions and practical realizations of computational social science, but it is possible to improve on this point without discarding all the empirical value that the quantitative approach entails.

Source for the ChatGPT conversation used to generate the cover image.