“60’s Robot” by Eber Evangelista is licensed under CC BY-NC-ND 4.0
A few months ago I was chatting on Twitter about adapting cybersecurity standards for personal use. Sure we’re all big brain geniuses (right?), but large companies have thoroughly vetted, high-quality, consensus-based guidance that they can follow to keep themselves secure. (Or at least try.) Hell, if they don’t leverage these frameworks, they could be accused of negligence in a court of law. How come there’s nothing like that for me or you or my grandma? Cybersecurity is an ever-expanding topic that grossly violates the 7 +/- 2 rule (a.k.a. Miller’s Law) about the number of things a person can concurrently hold in their head. So is there something I can grab hold of that at least helps me remember the easy stuff?
And thusly, the Personal Cybersecurity Framework was born.
Assumptions
What assumptions should we presume when creating this framework? Some major items jump out at me:
- The end user has a moderate level of technical acumen. They are familiar with websites, apps, phones, and the like. They don’t need to be skilled in the art of technomancy, but they already know how to set up an account, change passwords, purchase goods and services online, and basically do the things a digital citizen needs to do online. I know this one is a little nebulous, but we can refine as we go. “Cybersecurity for grandma” is too high of a bar to clear (or too low of one.)
- The end user is not running any IT infrastructure for a company. The threat surface is someone’s digital life. For instance, threats and mitigations regarding a Microsoft Active Directory technology would not be included.
- The end user needs to protect their desktops, laptops, tablets, phones, and Internet of Things (IoT) devices (e.g., smart assistants or smart light bulbs).
- The end user needs to protect access to 3rd party services (e.g., Netflix).
- The end user is not under attack from dedicated, well-resourced cybersecurity experts. (Despite news stories, this is true of most people.)
Goals
What should the goals of the PCF be? My initial thought is that it should be a workflow. You enter and exit as needed. Here are my initial stakes in the ground.
- Appropriate. The PCF should only defend against realistic attacks normal people face. These attacks will generally have mitigations that are achievable with a reasonable person’s money and time. Following the PCF should not require a major lifestyle change to stay secure.
- Succinct. Whatever the PCF is, it must be like the YouTube of cybersecurity standards with lots of quick cuts cutting out all the necessary bits. It’s fine for there to be lengthy justifications in the backend GitHub repositories, but the end user can’t be exposed to that information.
- Beautiful. I do think there’s beauty in brevity, but sometimes it’s worth stating as its own goal. When information is easy to comprehend and use, it is beautiful, especially in this data-driven world. This goal also helps draw users to the framework and lends it legitimacy (e.g., it’s not something you’re buying out of an old Firefly-class transport ship.)
- Self-contained. It shouldn’t be necessary for the user to go scurrying through the internet with dangerous links mirrored to pages that no longer exist. Everything the user needs is available within the PCF. Links to additional reading or viewing material will only be provided as supplemental material.
- Unencumbered. The license for the PCF should allow for remixing as long as work is properly attributed. This should not exist to make money for an individual or organization.
Security for All
Existing Guidance
Before I embark on this exercise, let’s do a literature survey of sorts. What’s out there for users to leverage now? Searching Google Scholar for terms like “personal cybersecurity” and “protect yourself online” gives very little comprehensive guidance. After leaving NIST, I no longer have access to fancy schmancy journals and the like, so I asked some friends to search those databases for reasonable terms relating to “personal cybersecurity” or “security for the user.” Few relevant results came up. (Also, I’ve learned, most of the time, if you see a paper you want, just email the researcher directly and they’ll kindly send you the paper 🤫.) Still, no dice.
Moving on, a lot of “keep yourself safe online” sites tend to focus on privacy. There are even wonderful sites with a toolbox of privacy tools, like https://www.privacytools.io. But I think we need to go further than privacy and focus on some core tenets of cybersecurity: detection, protection, and response. I don’t really want this to be about completely removing someone’s digital footprint, but instead about having a safe and properly managed modern footprint given a reasonable set of resources (e.g., time, expertise). The posts I found that didn’t focus on privacy were typically marketing-focused posts trying to get you to buy identity protection services and anti-malware. Like, yeah. Totally. I’m going to trust LifeLock with my personal security. Some governments have 1 – 2 pagers available, such as this excellent infographic from the UK government. That honestly doesn’t sound bad if the necessary guidance belongs there, but in my opinion it doesn’t offer tangible guidance on the steps to take once you’ve been compromised. There are tons of listicles. And some HUGE books.

Next Steps
So I’ve kind of concluded that what I think is necessary doesn’t exist. There are still huge questions to be answered, like what sort of structure should this framework have? Should it follow the NIST SP 800-53 model? NIST CSF? CIS Controls? That’s unclear. What about a logo? Regardless, I plan to develop the PCF here on this blog, so stay tuned to see it all happen! If you have friends, family, and frenemies who get compromised, once you’re done helping out, put what you learned into the PCF. In my mind, the strength of this effort will be whether folks are able to use it and provide real feedback. Or maybe you treat your digital life the way one changes the batteries in the fire alarm every year, or sets up a check-in with a retirement advisor every year. Essentially, do a self-checkup on your personal cybersecurity. It’s currently in a private GitHub repo, and folks can request access to lean with it and rock with it. It’ll go public soon! If you’re interested, we can iterate a bit and see what happens. I look forward to a launch with zero fanfare, no backing, and an egregious amount of chutzpah.
Developing a Personal Cybersecurity Framework
Joshua M Franklin