The Intersection Between the Social Sciences and Information Security

Strong interrelationships between academia and information security, in all its various guises, stretch back decades. However, it is only recently that the intersection between much of the social sciences and information security has come to the fore. The social sciences include, amongst others, Anthropology, Political Science, Psychology and Sociology, although some people also include history, criminology, and geography. Criminology is also included, as Criminal Anthropology is, like Archaeology and Cultural/Social Anthropology, a sub-discipline of Anthropology. Of these, Criminology has been most leaned on for motives, responses and how to counter cyber attackers; this is expressed succinctly in Sarah Armstrong-Smith’s book, Understand the Cyber Attacker Mindset, and in Loiseau et al.’s book, Cybersecurity in Humanities and Social Sciences: A Research Methods Approach. This piece takes a step back to bring Anthropology as a whole into the conversation, at this critical juncture of the proliferation of digitization and the inherent attendant dangers. For example, Critical Discourse Analysis (CDA) is a powerful tool used in both criminology and anthropology to examine how language shapes our understanding of crime and social context. Taken together, the Social Sciences emerge as a vital resource, offering distinctive perspectives to aid in comprehending and strengthening information security, more so than drawing solely upon Criminal Anthropology.

Anthropology and Archaeology

In North America, archaeology is a subset of anthropology, whereas in Europe and elsewhere they are first cousins. Here, the term anthropology is used to cover both, for the sake of convenience. Overall, these disciplines provide a valuable perspective on information security through the examination of cultural norms and practices related to technology and data privacy. Different cultures have varying attitudes towards privacy, information sharing, and online behaviour. Understanding these cultural nuances is critical for the development of effective security strategies in a globalized world.

Taking the Mission’s work at Jebel Moya (south-central Sudan) as an example, there is a list of stakeholders: the Director and other personnel of the Institute of Archaeology, Sudan’s Foreign Ministry, prominent individuals from the Sudanese antiquities service (NCAM), the University of Khartoum, our fieldwork team and specialists, other Sudanese scholars and journalists, local government officials, and most importantly the local inhabitants of Jebel Moya who are the custodians of their heritage. The methodologies deployed in the field include but are far from limited to the oversight of operational work, heritage outreach and educational activities, and the director and co-director activities which include but are also not limited to programme and project, risk and stakeholder management.

Moving down one level to operations and datasets, Archaeology and Information Security share a more fundamental similarity: the meticulous analysis of incomplete trails to construct a coherent narrative. Some of the core overlaps are:

1. Data Analysis and Interpretation: Archaeology analyses physical artefacts, using ethnography to reconstruct past societies’ social complexity and their multi-faceted behaviours. Information Security leverages behavioural science and strategy to ensure businesses can continue working with the least impact. Both work with small and large datasets, which leads to the next point.

2. Pattern Recognition: Archaeology identifies patterns in artifact distribution, settlement patterns, and cultural practices. Information Security uses patterns to identify anomalies and to construct contextualised defences.

3. Digital Preservation: Archaeology has made use of digital technologies to locate, analyse and preserve physical artifacts and digital records of archaeological sites. Information Security leverages a multitude of digital technologies to protect digital assets and data from interference, loss or corruption.

4. Data Recovery: Both fields involve meticulous examination of evidence to uncover hidden information, or work with damaged or corrupted data. Archaeologists examine pollen, for example, to reconstruct ecological environments, while digital forensic experts analyse system logs for suspicious activity.

In various guises, anthropologists therefore deal with vast stretches of time and space. Anthropologists delve into past human motivations, decision making, and social dynamics. This knowledge can be applied to understand the motivations of cyber attackers, their decision-making processes when targeting systems, and the social structures within cybercrime rings. Another example is that Archaeology itself is multi-disciplinary, drawing upon technology, geology, cultural anthropology, genetics, climate science and many others besides. The reconstruction of past societies necessitates understanding their climatic contexts both locally and regionally. This view of deep time for climatic change and the knowledge of the types, nature and severity of ecological changes means there are lessons which can be drawn for ESG (Environmental, Social and Governance) frameworks. Investors are looking for companies that are not only financially profitable but also socially responsible and environmentally sustainable. By considering ESG factors, investors can potentially identify companies that are less likely to face risks associated with environmental damage or social issues, and that may also have opportunities for long-term growth. I will return to ESG.

The resulting data can also be placed within appropriate social contexts. For instance, security measures implemented in a Western context might not be readily adopted in a culture that values collectivism over individualism. Anthropology helps information security professionals adapt their strategies to different cultural contexts, ensuring their effectiveness across borders. Cyber criminals may exploit differences in infrastructure, legal frameworks, and digital literacy levels in those regions. Anthropology provides insights into related vulnerabilities, allowing for the development of targeted solutions and capacity building initiatives. This point leads very well into the next: Criminology, although it is a distinct discipline within the social sciences, draws not only on the theory and practice of anthropology, but also on sociology, psychology, economics, and even biology.

Criminal Anthropology

Criminal Anthropology plays a pivotal role in information security by providing insights into the minds and methods of attackers. Criminologists study criminal behaviour, motivations, and trends, and their findings can be directly applied to understanding cybercriminals. By analysing past cyber-attacks, criminologists can identify common attack patterns and predict potential future threats. This knowledge empowers information security professionals to develop targeted security measures that anticipate and deter attacker strategies.

Criminologists also delve into the social and economic factors that contribute to criminal activity. Understanding the root causes of cybercrime—such as poverty, inequality, or lack of job opportunities—can inform broader societal interventions that may reduce the overall pool of potential cybercriminals.

Additionally, Criminology offers valuable insights into the psychology of cybercrime. Studies explore the motivations of attackers, ranging from financial gain to ideological extremism. Understanding motives allows for the development of more effective deterrents, such as targeted awareness campaigns or psychological profiling of potential offenders.

However, it is my view that we need to delve down deeper than Criminology to understand what behaviour actually is. Apart from what has been mentioned already about Anthropology, one could turn to Sahlins and de Almeida for cultural relativity, as well as Latour, Foucault and others. We could also turn to linguistic relativity (e.g. Martin Heidegger’s notion that we do not speak language, language speaks us). There is the French enlightenment literature which is so important. In the Anglo-Saxon intellectual world, there were and are endless debates on how knowledge and behaviours were/are culturally constructed, enacted and construed in terms of power and interactions. Other areas of the world outside of the Anglo-Saxon academic sphere also have their own interesting debates.

Let’s momentarily switch our attention, therefore, to another example: Critical Discourse Analysis (CDA). CDA is a powerful tool used in both criminology and wider Anthropology to examine how language shapes our understanding of crime and social context. As Sarah Armstrong-Smith recounts in her book on the cyber attacker mindset, referencing specialist publications and expert conversations she held, CDA applies inter alia to the language used in social engineering. In criminology, CDA reveals how language choices can reinforce power structures and could possibly show how certain contexts may make individuals more prone to crime, which is an alignment with Criminal Anthropology studying the cultural aspects and underpinning of crime.

In wider Anthropology, we use CDA to explore how knowledge about cultures and social groups is produced through language. This can be particularly important in studying how dominant narratives about crime and deviance are shaped. CDA also helps analyse interview transcripts, ethnographic notes and other forms of communication between and within communities. It can reveal hidden power dynamics and cultural assumptions.

Finally, CDA is also useful in examining the language used during colonial periods, and the lasting impact on how certain cultures and practices are perceived, including those related to crime and what is regarded as deviance in different socio-economic contexts.

Sociology

Sociology examines the social structures, institutions, and norms that shape human behaviour. The sociologist’s perspective is invaluable because it helps information security professionals understand the social context in which security practices are implemented.

Organizational culture significantly impacts information security. A culture of openness and trust can foster a more responsible approach to data security. Conversely, a culture of fear or secrecy can discourage users from reporting security incidents, hindering the overall effectiveness of a security posture. Sociology helps information security professionals create a positive security culture within organizations through better understanding of what motivates employees (needs and desires, and incentives and rewards encouraging compliance) and understanding of how social norms can differentially influence employee behaviour both within different areas of a country and between countries. Additionally, it helps identify cognitive biases that can lead to security breaches (people may be more likely to take risks if they believe they are invulnerable).

There are further aspects to consider: those of team dynamics, and of power and influence. Sociology can help understand how to create effective teams that can work together to improve security. By understanding the dynamics of group behaviour, and the values and beliefs underpinning those behaviours, security professionals can foster a culture of collaboration and trust. This also feeds into the next point about power and influence, whereby through understanding the distribution of power (hierarchical and heterarchical) within an organization, security professionals can identify potential vulnerabilities and develop strategies to mitigate them.

Sociology also sheds light on the broader social implications of information security practices. For example, the use of surveillance technologies to combat cybercrime can raise concerns about privacy and civil liberties. Sociology helps information security professionals navigate ethical considerations and develop solutions that balance security needs with societal values.

Psychology

Psychology plays a crucial role in information security in terms of human behaviour and decision making. Understanding how users interact with technology, their susceptibility to social engineering attacks, and their awareness of security risk is critical for developing effective strategies. This helps information security professionals create user-friendly security solutions that do not hinder productivity. Research in behavioural science can be used to develop training programs that encourage secure practices and raise awareness about common threats.

Political Science

Political science examines the role of government in creating and enforcing policies. Information security is increasingly becoming a matter of national security, with governments playing a crucial role in developing and enforcing cybersecurity regulations. Political science helps information security professionals understand the legal and regulatory landscape surrounding data privacy and security. This knowledge allows them to develop security practices that comply with relevant regulations.

Additionally, political science sheds light on international cooperation in cybersecurity. Cyberthreats are often transnational in nature, requiring collaboration between governments to effectively combat them. Having an understanding of international relations and the political dynamics of cybersecurity cooperation is crucial for developing effective global security strategies.

Science and Technology Studies

The interdisciplinary field of science and technology studies (STS) is focused on the creation, development, and consequences of science and technology in historical, cultural, and social contexts. STS scholars come from various backgrounds such as sociology, anthropology, history, and philosophy. They explore how science and technology shape societies and how societies, in turn, shape science and technology. The emphasis is on the interconnectedness of science, technology, and society in their historical, cultural, and social contexts. In other words, STS scholars investigate how science and technology are produced and how they interact with and are shaped by society.

While criminology directly informs information security, STS plays a more nuanced role. It examines the social and cultural factors that influence information security practices. For instance, STS can help illuminate how organizational cultures, user behaviour, and societal attitudes towards privacy impact security decisions. It sheds light on how technology itself can create new opportunities for crime. It also considers how social media platforms might be used for cyberbullying or how online anonymity can facilitate criminal activity. As technology advances, STS facilitates an examination of the ethical implications of new security measures related to surveillance, privacy, and potential biases in security algorithms. It challenges the idea that technology is neutral, supporting the value of anthropology in understanding societal and social context.

Both STS and anthropology challenge the idea that scientific knowledge or technology is objective. They emphasize how social, cultural, and political factors influence their development and use. Anthropologists' extensive use of fieldwork, where they immerse themselves in a culture or community, provides valuable data for STS scholars studying the social implications of science and technology. STS draws on anthropological concepts such as power dynamics, cultural relativism, and the importance of local knowledge to understand the development and impact of science and technology in different contexts. STS scholars often use anthropological methods such as fieldwork and participant observation to study scientific communities and technological practices. STS broadens anthropological perspectives by promoting consideration of the broader social, political, and economic forces shaping technology.

For the purpose of illustration, consider a simple analogy: Imagine information security as a castle. Criminology helps shed light on who might try to attack the castle and how they might do it. STS, drawing upon multiple intersecting disciplines, helps reveal the social dynamics within the castle (morale of the guards, vulnerabilities in the walls), the tools available to defend it (weaponry, training), and the ethical considerations of defending it (avoiding civilian casualties).

Discussion

In this section, I am briefly highlighting one particularly relevant intersection between the social sciences, Information Security and business, namely that of ESG (Environmental, Social, and Governance) which has significant implications for organisations and society as a whole. ESG, a framework used to evaluate a company's performance in environmental, social, and governance dimensions, has gained prominence in recent years due to growing concerns about sustainability and ethical business practices. As covered above, the social sciences provide valuable insights into human behaviour, group dynamics and culture. Social science helps in designing educational campaigns that correct misconceptions, fostering a more realistic assessment of security risk. Educational psychology suggests that interactive and practical training sessions are more impactful than passive learning. Tailoring content to accommodate different learning styles—visual, auditory, and kinesthetic—can also improve the retention of security protocols. These disciplines can help us understand how people interact with technology, how they perceive and manage risks, and how they respond to security threats.

As organisations increasingly rely on technology to conduct their business, they are also considering the environmental and social impacts of their digital activities. A good ESG programme not only addresses these challenges, it also helps to enhance their reputation, attract investors, and improve their overall performance. Such a programme would consist of good governance and processes, capacity planning, reproducibility, interwoven strands of support and delivery/service, alignment amongst multiple stakeholders, economies of scale, contractual compliance and grasping changing contexts. These are all skills also either grounded in or leveraging skillsets which practitioners from the social sciences can and do leverage in Information Security.

Additionally, social networks have transformed the way information is shared and introduced novel security vulnerabilities. Studies of how groups behave online can inform strategies to combat social engineering attacks that exploit trust and relationships within social networks. When users trust the entity that handles their data, they are more likely to share information. However, this trust must be earned and maintained through transparent practices and respect for user autonomy.

The formulation of security policies and regulations benefits greatly from a social science perspective. Ethical considerations, societal norms, and legal frameworks must be balanced to ensure that security measures do not infringe upon fundamental rights. Public policy research can guide the creation of regulations that are both effective and socially responsible.

Conclusion

There are multiple entry points into information security. The traditional career trajectory in information security often involves starting in a helpdesk role and progressing upward or transitioning laterally within the IT department. However, this is not the only route to success in this critical field. Many disciplines cultivate strong analytical thinking, problem-solving abilities, and a keen eye for detail—all essential qualities for information security professionals. Individuals from diverse backgrounds can leverage these transferable skills to thrive in cybersecurity careers, bringing unique perspectives and innovative approaches to cybersecurity challenges. This can lead to more effective solutions and a richer understanding of the ever-evolving threat landscape.

The intersection between academia in the social sciences and information security presents a powerful opportunity to build a more secure digital future. By integrating insights from criminology, psychology, sociology, anthropology, and political science, information security professionals can develop holistic strategies that address the multifaceted nature of cyberthreats.

Moving forward, the continued fostering of collaboration between social scientists and information security experts is crucial. Social science research can inform the development of new security solutions, training programs, and awareness campaigns. Conversely, information security professionals can provide real-world data and case studies to enrich social science research on cybercrime and human behaviour in the digital age.

This interdisciplinary approach is not just about fortifying technology, but also about fortifying the human element of information security. Addressing the social, cultural, and psychological factors that contribute to cybercrime is as important as developing robust technical defences. An understanding of the motivations and methods of attackers, the vulnerabilities of human behaviour, and the broader societal context of data security will contribute to the creation of a more resilient information ecosystem.

However, the path forward is not without its challenges. Bridging the gap between academic research and real-world application can be difficult. Information security professionals may struggle to translate complex social science theories into actionable practices. Similarly, social scientists may lack access to the data and resources needed to conduct robust research on cybercrime.

Overcoming these challenges requires ongoing dialogue and collaboration. The creation of interdisciplinary research centres focused on information security can foster communication and knowledge exchange between social scientists and security experts.

Furthermore, promoting open-source intelligence (OSINT) initiatives can provide researchers with valuable datasets for analysing cybercrime trends and attacker behaviour.

The Social Sciences equipped me with essential skills such as critical thinking, analysis, research, learning, absorption, condensation, and articulation. These abilities are indispensable in navigating the dynamic and evolving landscape of our field.

Ultimately, the fight for information security is a collective effort. Harnessing the combined power of social sciences and information security expertise will make it possible to build a digital world that not only secures technology but also fosters trust, privacy, and responsible behaviour in the online sphere. As technology continues to evolve, an understanding of the human element in cybersecurity must evolve as well. An interdisciplinary approach offers a roadmap toward a more fortified future, where information security serves not as a barrier but as an enabler of progress in the digital world.

Sarah Templey

Information Security | Security | Project & Programme Management | CEng FIMechE | CITP FBCS | ACIIS | MAPM

8mo

Dr Mike Brass - Thank you for such a useful perspective on how the various social sciences and security inter-relate. I can see myself referring back to this article from time to time. Coming from the energy sector where there is a high focus on safety, both of the slips, trips & falls kind and the safety by design kind, I’m used to having some human factors engineering and ergonomics as part of design, build, operations, maintenance, and decommissioning thinking. For example, design decisions that reduce cognitive load on the plant operator, or to design components to be easy to use, etc. I also find that thinking from a behavioural ecology perspective can be helpful.

Marius Poskus

Cybersecurity Executive @ Fintech | Cybersecurity Leader | Board Advisor | AI Security | mpcybersecurity.co.uk

8mo

I think the main lesson I often use: Information security as a field in its own is very young compared to established fields like manufacturing, aviation and others, therefore - there are always valuable lessons that could be taken and used in our field.

David Higgs

I help Rapid7 channel partners grow and scale technical pre-sales capabilities and service offerings 🚀

8mo

We can all benefit from a bit of cross-pollination, there’s a lot to be gained from the social sciences - as well as other industries. Before networking and security I came from a telecoms / contact centre background. Some of the things I’ve learned in my days on the tools about user behaviour and of course the cc industry as a whole is also very focused on the social sciences when it comes to customer behaviour.
