Cybersecurity

Burcu Bulgurcu
Toronto Metropolitan University

Building cyber resilience in a postpandemic world

Examining the security challenges in the transition to hybrid work

The COVID-19 pandemic rushed many companies into adopting new technologies so their employees could work remotely. The shift happened so quickly, however, that many did not take cybersecurity fully into account—and were left vulnerable to attack. SSHRC-funded researcher Burcu Bulgurcu from Toronto Metropolitan University (TMU) is examining what worked and what didn’t during the work-from-home transition in order to help businesses strengthen their cybersecurity practices.

She points out that some companies never envisioned having all their staff working remotely, especially those in industries such as finance where data security is critical. So, when the pandemic hit, they didn’t have any policies in place related to using personal devices for work purposes or accessing the corporate network via potentially insecure home routers.

Assessing the cybersecurity experience

In collaboration with Atefeh Mashatan, Canada Research Chair in Quality of Security Framework for Internet-of-Things and director of TMU’s Cybersecurity Research Lab, Bulgurcu will prepare case studies on the cybersecurity experiences of 10 to 15 Canadian businesses. She will assess their cybersecurity policies as well as their employee training and awareness programs, looking at how the companies responded initially to the pandemic and how they revised their approaches over time (for example, by strengthening authorization and authentication processes for people accessing corporate data from home). These findings will then form the basis of an online survey of about 1,000 knowledge workers and cybersecurity professionals.

Bulgurcu hopes the project will result in the creation of practical guidelines to help companies improve their cyber resiliency. She says these issues need to be addressed now because remote work is here to stay—and attacks are becoming more frequent.

“Digital transformation is a fact,” she says. “Prioritizing cybersecurity management, training and awareness is no longer just good to have, it’s a must have for everyone.”

Ignacio Cofone
McGill University

Ethical algorithms for artificial intelligence

What regulations are needed for better data-based decision-making

Although artificial intelligence (AI) is an exciting technology, it’s powered by algorithms that can inadvertently discriminate. Ignacio Cofone, Canada Research Chair in Artificial Intelligence Law and Data Governance at McGill University, wants to bring more accountability to the use of AI. His research examines why the data that shapes AI decisions should be regulated (rather than the technology itself) and how that can help Canada’s AI industry evolve ethically.

One of Cofone’s projects explores how the US correctional system is using AI to predict whether inmates are likely to reoffend when released. Because the algorithms are built on data from a system in which people of certain racialized groups are overrepresented, these people are flagged as “risky” more frequently by the AI—further magnifying the inequalities they experience.

“Almost all AI-related harms happen because of information inferred about people by AI, not the actual information collected,” he says. “If we changed legislation to say inferred information is protected personal information, that would ensure people’s rights are protected while still allowing for a flourishing AI industry.”

Data-related harms are varied

Legislation is a major focus of Cofone’s research, including how laws should adapt to technological change. When there’s a data breach, people can typically pursue legal action only if it leads to outright identity theft or financial/reputational harm. He believes every person who has their personal information stolen should be eligible for redress (compensation) because they faced privacy-related harm. Yet current laws globally undercompensate victims, which disincentivizes companies from responsibly collecting and storing personal information, including the data fed into AI software.

Cofone hopes his research will influence changes to Canada’s legal framework so courts react more strongly to the misuse of data—minimizing its potential harms to all Canadians.

Benoît Dupont
Université de Montréal

Moving from cybersecurity to cyber resilience

Better risk preparation for improving crisis recovery

Cybersecurity is like a fortress that protects us against invasion. Unfortunately, attackers are becoming increasingly powerful and resourceful, using tricks like Trojan horses to slip past our defences. This is where cyber resilience becomes important—the ability to limit the fallout from a successful attack and bounce back quickly.

Benoît Dupont, Canada Research Chair in Cybersecurity, full professor at the Université de Montréal school of criminology and scientific director of the Human-Centric Cybersecurity Partnership (HC2P), is interested in resilience and how security professionals deal with the unpredictable.

“As a criminology researcher, I’m not so much interested in the technical aspects of cyber attacks as the organizational and human aspects. I try to understand the MO of the people who launch these attacks, say, hackers, crackers or foreign governments. At the same time, I want to learn how the teams in public and private organizations conceptualize risks and try to respond to them.”

There’s no such thing as zero risk

Most of the critical systems that run our society, including those used in the healthcare, transportation, energy, finance and economic sectors, depend on vulnerable computer systems.

“Security helps us predict and prevent about 90% of risks. The problem is that last 10%, the unpredictable and potentially catastrophic risks that can bring down an entire organization or infrastructure.”

In other words, security on its own is no longer enough to respond to an ever-changing risk landscape. Benoît Dupont’s research will provide businesses and parapublic organizations with resilience metrics to properly prepare for a cyber attack. The research will also pave the way for the development of resilience-based practices and standards for the social, political, environmental, economic and legal spheres.

“Making cyber resilience a legal requirement will help Canadians feel confident that the businesses they depend on for their everyday needs can withstand and respond to crises.”