Information and Communications Technology (ICT) has taken a central role in modern society. Unfortunately, malicious hackers and cybercrime have become a stubborn and expensive part of the ICT landscape. This has made providing cybersecurity a defining challenge for our era. Many strategic plans and National Academies of Sciences (NAS) studies have been written, and billions of dollars have been spent on the development and deployment of innovative cybersecurity solutions, but our network infrastructure, devices and organizations are increasingly insecure against threats.

In February 2016, the federal government released a new cybersecurity federal R&D strategic plan – this one mandated by Congress – that explicitly engaged the socio-technical nature of the systems that we are securing. The plan also emphasized the need for understanding the efficacy of different approaches, albeit empirically, economically, or mathematically. However, in order to make meaningful progress, using a socio-technical approach requires innovation driven by informational and experiential diversity.

A socio-technical approach to cybersecurity recognizes that the science and technology deployed to protect and defend our information and critical infrastructure must consider human, social, organizational, economic and technical factors, as well as the complex interaction among them, in the creation, maintenance, and operation of our systems and infrastructure.

Our goal is to advocate an evidence-based sociotechnical cybersecurity approach, integrating the best research evidence with diverse cybersecurity expertise and broadening the consideration of ICT user characteristics, through the exploration of potential grand challenge areas. Our intention is that the grand challenges will promote effective and appropriate consideration of the socio-technical factors and sound and effective principles of cybersecurity assessment, evaluation, and intervention. The five potential grand challenges we plan to explore during the workshop are:

• How can organizations be structured to handle cybersecurity better?
• How could one go about creating a Cybercrime Statistic Bureau?
• How do we design and evaluate cyberinfrastructure that takes the behavior of all users, including adversaries, into account?
• How do we preserving individual agency in cyberspace?
• How do we design incentives to ensure security?

The resulting report will help illuminate the implications for cybersecurity researchers of taking a socio-technical approach identifying human, social, organizational, economic and technical factors that must be considered, techniques for understanding the interactions among them, and positive steps that can be taken to better protect and defend our information and critical infrastructure.

This workshop is the second workshop in the Sociotechnical Cybersecurity workshop series and will expand upon the discussions held in workshop 1.