For years the cybersecurity research community has used the so-called CIA triad – system confidentiality, integrity, and availability – as its common frame of reference. Any issue touching the triad, however tangentially, was considered fair game for inquiry. Thus programmers, engineers, systems administrators, attorneys, and policy-focused academics could claim cybersecurity scholarship. However, the testimony of Frances Haugen, the former Facebook product manager-turned-corporate whistleblower, before Congress last week shows that our near-religious devotion to the CIA triad has to change. We now know that Facebook possesses internal research demonstrating that its products can negatively affect users’ mental health at any age. Yet, focusing cybersecurity scholarship on confidentiality, integrity and availability sidesteps the fact that the word “security” itself is intertwined with notions of personal safety and well-being. Cybersecurity research must now consider technologies’ impacts on users’ mental health, too.
Before her testimony, Haugen's leaked documents that illustrate that Facebook knows far more about the effects of its products on the public generally, and young people in particular, than it has admitted. For example, inside Facebook, researchers understand that applications like Instagram can be harmful to children’s mental health in general and young women’s self-image in particular. In adults, issues like anxiety, loneliness and sleeping difficulties are exacerbated by using the application. Moreover, the Wall Street Journal, whose recent Facebook exposé was based upon documents that Haugen leaked, notes that Facebook has not challenged a single factual assertion made in the Journal’s reporting on Haugen’s information. This suggests that however damning the information presented in Haugen’s documents may be, it is accurate.
"Cybersecurity research must now consider technologies' impacts on users' mental health, too"
The challenge that Haugen’s testimony presents for the cybersecurity research community is clear. We can continue to cling to the CIA triad, decide that technologies’ mental health consequences are not in our lane and relegate research about them to psychologists and public health officials, among others. Or, we can try to claim this subject as our own, attempting to draw research grants about it away from medical scholars. Or, we can systematically examine technologies’ effects on user health in an interdisciplinary manner, collaborating with social workers, epidemiologists, statisticians and others. This latter path would seem the most viable and attractive way forward.
The contributions cybersecurity researchers could make to studies on the interactions between technologies and mental health are significant. For example, Haugen spoke at length in her testimony about the effects of Facebook’s user experience algorithms, which elevate provocative and divisive content. Cybersecurity scholars with experience in developing and tweaking such algorithms would be well-positioned to detail for researchers, lawmakers, and the general public what specific, code-level changes to the algorithms need to be made to reduce the prominence of inflammatory posts. That, in turn, could lead to more positive mental health consequences for users.
Or consider this: the proliferation of in-home Internet of Things (IoT) devices has generated new psychological stressors which previously did not exist. For example, do Ring camera users feel more anxious when they cannot access Internet-enabled cameras in their own homes? (Probably) Can the use of devices such as Google Home or Amazon Echo reduce loneliness and depression in users? (Maybe.) Examining such questions rigorously can generate new knowledge about how these technologies affect our daily lives and provide insights into how innovations may be changing our perceptions of the world around us.
Moving beyond mental health into the physical realm, it is worth noting that cybersecurity researchers’ involvement could enhance even older topics that remain understudied. There remains inconclusive evidence, for instance, about the potential cancer risks posed by mobile phone use. While medical scientists may be interested in exploring the neurological damage that can occur through cell phones, cybersecurity researchers collaborating with them may develop new design features that can reduce the risk of damage to the human brain. Cooperative research like this holds out the promise of better understanding ubiquitous technologies while also developing harm-reducing hardware modifications.
We are aware that some cybersecurity researchers might claim that the community has no business exploring technologies’ effects on mental health. Breaking out of the CIA triad risks disrupting the disciplinary boundaries of cybersecurity research or muddying the idea of cybersecurity itself. We agree. But the possible benefits of expanding our understanding of cybersecurity as a concept to incorporate mental health far outweigh the potential drawbacks of breaking the CIA triad mold. Facebook has over 2.8 billion users, and worldwide mobile phone usage exceeds 90% of the global population. Suppose even one fraction of 1% of these users suffers mental health challenges attributable to these technologies. In that case, cybersecurity researchers have the potential to improve the lives of tens of millions of people.