The prevalence of cyber-dependent crimes and illegal activities that can
only be performed using a computer, computer networks, or other forms of
information communication technology has significantly increased during
the last two decades in the USA and worldwide. As a result,
cybersecurity scholars and practitioners have developed various tools
and policies to reduce individuals' and organizations' risk of
experiencing cyber-dependent crimes. However, although cybersecurity
research and tool-production efforts have increased substantially, very
little attention has been devoted to identifying potential comprehensive
interventions that consider both the human and technical aspects of the
local ecology within which these crimes emerge and persist. Moreover, it
appears that rigorous scientific assessments of these technologies and
policies "in the wild" have been dismissed in the process of encouraging
innovation and marketing. Consequently, governmental organizations and
public and private companies allocate a considerable portion of their
operations budgets to protecting their computer and internet
infrastructures without understanding how effective various tools and
policies are at reducing the myriad risks they face. Unfortunately, this
practice may complicate organizational workflows and increase costs for
government entities, businesses, and consumers.

The success of the evidence-based approach in improving performance in a
wide range of professions (for example, medicine, policing, and
education) leads us to believe that an evidence-based cybersecurity
approach is critical for improving cybersecurity efforts. This book
seeks to explain the foundation of the evidence-based cybersecurity
approach, review its relevance in the context of existing security tools
and policies, and provide concrete examples of how adopting this
approach could improve cybersecurity operations and guide policymakers'
decision-making process. The evidence-based cybersecurity approach
explained here aims to support the decision-making of security
professionals, policymakers, and individual computer users regarding the
deployment of security policies and tools, by calling for rigorous
scientific investigation of how effectively those policies and
mechanisms achieve their goal of protecting critical assets. This book
illustrates how this approach provides an ideal framework for
conceptualizing an interdisciplinary problem like cybersecurity, because
it stresses moving beyond the political, financial, social, and
personal-experience backgrounds of decision-makers when adopting
cybersecurity tools and policies.
This approach is also a model in which policy decisions are made based
on scientific research findings.