Cyber Public Health workstream


According to the CDC Foundation, “Public health is the science of protecting and improving the health of people and their communities. This work is achieved by promoting healthy lifestyles, researching disease and injury prevention, and detecting, preventing and responding to infectious diseases. Overall, public health is concerned with protecting the health of entire populations.” Classic models of cybersecurity have focused on outcomes for the individual or a firm, and the work we’re doing to create a science and discipline of Cyber Public Health aims to use tools inspired by public health to bring those population level measurements and improvements to the cyber realm.

I’m working as lead scientist at CyberGreen on this initiative, and you can see our tech reports (by me and others); mine are listed below.)

The easiest way to get involved is to join our monthly seminars, held in conjunction with Indiana University’s Ostrom Workshop. (Fourth Thursdays, 3 Eastern, zoom.) You can sign up for the mailing list here.

Work by Adam (Background)

The New School of Information Security
In this book, Andrew Stewart and I used the public health metaphor, in particular John Snow and the Broad Street pump in The New School, and the idea stayed with me and led me to name a project Broad Street in 2010.
Project Broad Street
In 2010, I explicitly used public health metaphors to frame zero day attacks in Project Broad Street, which led to Microsoft pushing the AutoRun security update into Windows Update. You can read the story in Zeroing in on Malware Propagation Methods. The Windows Update led to roughly 1 million fewer infections per month, a number which can be derived from the subsequent Security Intelligence Reports.
We Need a Discipline of Cyber Public Health
In 2020, I gave a Distinguished Lecture at the CASA Cluster of Excellence for Cyber Security, Ruhr University, Bochum Germany, titled We Need a Discipline of Cyber Public Health. (Official page, video, and the references.)

CyberGreen work

That talk led to my connecting with CyberGreen, and that collaboration has led to three tech reports and a workshop.

A Cyber Belief Model
Abstract: The Health Belief Model (HBM) is a longstanding family of models to explain why people don’t act on health advice. Adaptation of the HBM to cybersecurity provides insight and explanations as to why cybersecurity advice is not consistently acted upon. This technical report presents motivation, a first Cyber Belief Model, results of an interview study and an interview coding scheme. The interview study with 9 participants analyzed enterprise responses to the log4shell crisis, and indicates that awareness and prompts to action are well addressed, but barriers to action remain. It may be that the overall cybersecurity investment could be rebalanced in ways that increase the rate of taking preventative actions. This Cyber Belief Model may be a useful way to identify and address inhibitors to action, leading to improved security globally. CyberGreen Tech Report 23-01
Vital Statistics in Cyber Public Health
Abstract: This report is part of a continuing effort to improve the rigor and grounding of a Cyber Public Health project, and does so by introducing the concept of vital statistics, their role in public health, and the challenge of gathering and generating this data in cyber public health. CyberGreen Tech Report 22-02
Public Health & Cyber Public Health
This project was undertaken to provide a structured approach to the question “How can we systematically translate the lessons of public health to cybersecurity?” This paper uses a popular textbook, Mary-Jane Schneider’s Introduction to Public Health (6th ed) as a structure to answer the question, following Dr. Schneider’s understanding of that field. Comparisons between cybersecurity and health are legion — we speak of computer viruses, despite their lack of RNA. And of course, analogies all have limits. CyberGreen Tech Report 22-01
First workshop on Cyber Public Health (2024)
The first workshop on Cyber Public Health was hosted by Google in New York on Jan 9, 2024. The final report is now available. (For archival purposes, the summary report is here). My keynote was Towards a Science of Cyber Public Health.
The Internet Infrastructure Health Metrics Framework (IIHMF, ongoing)
The IIHMF is an ongoing project by CyberGreen to measure the health of internet infrastructure, with a particular focus on harms to others. I’ve been heavily involved, as have many others.