Using public health frameworks to explain cybersecurity

A white padlock on a dark digital background.
(Image credit:

For years, governments have reported pandemics and cyber attacks as the top priority risks facing their nations. The first has already come to pass. COVID-19’s rapid viral transmission has shown all too well how infectious disease can create turmoil on a global level and major socioeconomic damage.

But what about this second enormous risk? Even as we continue to combat the coronavirus it is timely to consider the need for cyber preparedness in order to protect the economic and societal interests of our increasingly digital society.

How can we use the lessons of this public health crisis and apply them to our second greatest risk factor? Cybersecurity often draws on concepts and metaphors of warfare but public health provides much more familiar, everyday concepts and metaphors that could provide richer resources for explaining cybersecurity, especially when public health and cybersecurity provide major public goods.

Public health focuses on the health of communities, not just of individuals. Likewise, digital systems cannot be considered in isolation; the networked nature of cyberspace means that the collective security of systems must be considered, too.

A layered approach to public health

Improved individual hygiene practices and large scale vaccination programs are a primary line of defense used to prevent the transmission of infectious disease.

Herd or community immunity is a secondary line of defense that benefits people who cannot be vaccinated. While vaccination directly protects those who can be immunized, the idea behind herd immunity is that it indirectly protects people who are immunocompromised; as more people become vaccinated and immune, there are fewer people who are able to spread the disease.

But herd immunity only works if everybody does their part. If too many people, who can be vaccinated themselves, depend on other people's vaccinations, the result is an outbreak of disease. More contagious diseases require more people to be vaccinated for herd immunity to work; for example, at least 90-95% of the population need to be vaccinated to achieve herd immunity for measles whereas 80-85% of the population would need to be vaccinated for polio which is less contagious.

Herd immunity does not protect against diseases that are not spread directly by people who have the disease; for example, tetanus is caught from bacteria in the environment; no matter how many people are vaccinated against tetanus, it will not provide wider protection.

A third line of defense includes active monitoring whereby vulnerable people are monitored; and if symptoms are detected, the disease is treated and people may be hospitalized, isolated or quarantined if necessary. Contact tracing to identify individuals who have physically interacted with infectious individuals were critical during the early stages of the SARS outbreak in 2003 and Ebola outbreak in Africa in 2014, so that follow up measures could be implemented, such as isolation and when quarantine, since vaccines were not yet available and were only still being developed.

Additionally, interventions targeting the wider population set out minimum standards for good hygiene, involving organizational policies, government regulations and wider health norms. The aim is to remove or lower key risk factors, such as smoking, drinking and exercise, and to manage environmental exposures to poor quality air, food, water and hazardous materials.

A layered approach to cyber health

Digital systems would benefit from similar layers of protection. For example, analogous to immunized individuals, organizations and their systems need to be 'digitally vaccinated' by implementing security controls, such as firewalls, anti-malware and software patches to prevent access being provided to attackers or from malware being installed or software vulnerabilities being exploited.

Some digital systems cannot be secured in these ways but like people who cannot be vaccinated, they would benefit from equivalents of 'digital herd immunity' if they interact only with secured systems. Herd immunity changes the incentives of attackers if the benefits of attack no longer outweigh their costs and risks. But as with vaccination, it's not enough to trust that others will provide herd immunity: every organization has a responsibility to ensure its systems are secured (wherever possible) and that its employees can comply with security policies effectively.

And just as patients who need healthcare monitoring, these digital systems need to be actively and continuously monitored so that threats can be detected and responded to promptly. Likewise, cybersecurity includes systemic interventions that set and enforce suitable policies, standards, regulations and wider norms to establish acceptable levels of security.

Interventions must meet the needs of all types of organizations- not just large enterprises but also small and medium enterprises- thereby overcoming any cultural, skills and compliance challenges.

Helping to maintain cyber hygiene to grow a healthy digital society

Ad-hoc responses to Covid-19 have highlighted the need to better prepare for future crises. Drawing on now familiar public health frameworks can help explain what interventions are needed so that we can continue enjoying the full benefits of the digital society. With this in mind, there are a few crucial steps that businesses can do to make sure they maintain healthy security.

As employees continue to work remotely, companies run the risk of exposing their corporate networks in a variety of new ways. Through unsecured networks and using personal devices, employees can offer an open door to hackers that wasn't there before. Businesses should take care to educate their employees by providing guidelines around standard and simple security measures like password strength, using a VPN, enabling firewalls, and keeping software up-to-date. The measures individuals should take are not set in stone, but constantly in flux: As we respond to new healthcare information (such as on masks), we must make attempts to modify our behavior to remain safe. This is similar in security: We must always be ready to respond to the ever-expanding threat landscape with new protective measure. Like hand washing, this kind of basic cyber hygiene can go a long way in preventing the threats we're seeing increase on a daily basis. It's imperative that businesses begin to prioritize their data security.

Ben Koppelman, Head of Innovation, CyberSmart

Ben Koppelman is Research & Innovation Lead at CyberSmart.