Building Cyber Resilience: Resisting the Tragedy of the Commons

Based on research by Samir Jarjoui, DBA, Robert Murimi, DBA, and Renita Murimi, PhD, CISSP

Anyone conducting business or personal affairs is becoming increasingly reliant upon interacting with cyberspace. With the rise in digital infrastructure comes even more threats, but many of them seem irrelevant or unconcerning to non-experts. Individuals and organizations tend to compartmentalize cybersecurity efforts, or ignore them entirely. Since cyberattacks tend to target institutions that are weaker in their cybersecurity efforts, it is crucial not to ignore cybersecurity issues or relegate responsibility for cyber resilience to a specific department. 

The tragedy of the commons (ToC) in cybersecurity leaves institutions reeling when cyberattacks occur because of the insufficient prevention education, response planning, and recovery resources. When cybersecurity becomes the issue for “someone else” to deal with, organizations and individuals become vulnerable to cyberattacks because there are either no information security systems, or the ones that are in place have significant gaps and weaknesses. 

The most common issues in cybersecurity today are threefold: superficial cyber resilience approaches, a failure to reach a “tipping point,” and lax cybersecurity awareness efforts. When organizations use narrow, risk management based methods of promoting cybersecurity, they miss the broader social and cultural considerations. Tipping points occur when a series of small changes become significant enough to propel a system beyond a certain threshold into a new state. The prevalent top-down approach to cybersecurity leads to the perception of cybersecurity efforts as an imposition or distraction, rather than as an opportunity to positively contribute to a network of responsibility and resilience. Finally, many organizations fail to promote security-consciousness, which leads to limited focuses and misaligned objectives in cybersecurity efforts.

Key Points

• The tragedy of the commons (ToC) is a social phenomenon in which people assume that their responsibility for a specific issue is not their responsibility, but instead up to “someone else.”

• In the realm of cybersecurity, the ToC phenomenon is fueled by the size, complexity, and lack of knowledge about the issues.

• To spur resistance to the tragedy of the commons, three strategies need to be implemented:

  • Awareness: Resilience depends on cultivating  a proactive, community-based cybersecurity mindset, rather than promoting rules-based protocols.

  • Adaptability: Tailoring resilience solutions to organizations' specific capabilities, and equipping them for changes, creates a more effective cybersecurity framework.

  • Innovative Learning: Bottom-up approaches to education empowers people to boost resilience and take ownership for information security.

Why This Matters

Cyber resilience requires both the proactive construction of effective cybersecurity infrastructure, and the deployment of responsive—not reactive—solutions when cyberattacks occur. While the cybersecurity landscape is complex, solutions do not have to be complicated. Rather, they need to be tailored to the specific needs, contexts, and challenges of individuals and organizations. 

Implementing a multi-dimensional, community-centric approach to cybersecurity requires trust and a long-term return on investment. To successfully build cyber resilience, all stakeholders (individual, civic, government, and companies) must assume responsibility for the security of cyberspace. 

Undertaking a holistic cybersecurity strategy, including cooperative efforts and alliance building, requires responsible information-sharing. Social learning, which is enhanced by information-sharing, offers agency to each individual and organization in their efforts to secure their digital networks; it is critical to developing a culture of cybersecurity that fosters innovations. 

Communities and networks share many structural traits, and the impact of cyber resilience can be most effective when leveraged with a focus on communities and social cohesiveness. Since the cyber commons that everyone inhabits are composed of resources required to create, maintain, and sustain them, protecting and defending cyberspace is of the utmost importance. 

As the digital environment becomes more pervasive in everyday life, cyberattacks will become more common, undetectable, and unavoidable. It is more important now, than ever before, to promote cyber resilience in a way that accounts for cultural context and social behavior. Rather than a procedural, “check-the-box” approach, institutions need to encourage a cybersecurity mindset on both an individual and community level.

Based upon the following peer-reviewed manuscript: Jarjoui, S., Murimi, R., & Murimi, R. (2024). Communities, Agency, and Resilience: A Perspective Addressing Tragedy of the Cyber Commons. Cyber Defense Review, 9(1), 113-131.