Abstract
Cybercrime is on the rise, and it is widely believed that appropriate cyber hygiene is essential to securing our digital lives. The expression “cyber hygiene” appears in conversations, conferences, scientific articles, legal texts, governmental publications and commercial websites. However, what cyber hygiene is, what counts as appropriate or optimal cyber hygiene, and what is really meant by the expression and its related practices varies from source to source and is sometimes contradictory. We review and analyze selected academic papers and government and corporate publications, focusing on their implicit and explicit definitions of what cyber hygiene means to the authors. We also draw parallels and contrasts with related cyber security terminology (cyber awareness, behavior and culture). We present a conceptual analysis and propose a definition intended to support a shared understanding of, and approach to, cyber hygiene. This work is intended to stimulate a clarifying discussion of what appropriate “cyber hygiene” is, and how it should be defined and positioned in the wider cyber security context, in order to help change human behavior and achieve a more secure connected world.
Acknowledgment
The authors would like to thank Archimedes SA and CybExer Technologies for their support.
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Maennel, K., Mäses, S., Maennel, O. (2018). Cyber Hygiene: The Big Picture. In: Gruschka, N. (eds) Secure IT Systems. NordSec 2018. Lecture Notes in Computer Science(), vol 11252. Springer, Cham. https://doi.org/10.1007/978-3-030-03638-6_18
DOI: https://doi.org/10.1007/978-3-030-03638-6_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03637-9
Online ISBN: 978-3-030-03638-6
eBook Packages: Computer Science (R0)