The Internet is not the only critical infrastructure that relies on the participation of unorganized and technically inexpert end users. Transportation, health, waste management, and disaster preparedness are other areas where cooperation between unorganized citizens who lack experience with the domain has increased resiliency, reduced social costs, and helped meet shared goals. Theories of community-based production and management of the commons explain this type of cooperation, both offline and online. This essay examines these two complementary approaches to organizing the cybercitizen for cybersecurity. Cybersecurity discourse has reasonably focused on centralized parties and network operators. From domain name registrars to network service providers, solutions are sought through incentives, regulation, and even law enforcement. However great the ability of these centralized entities to implement change, the end user plays a crucial role. The Internet must remain open to enable innovation and diffusion of innovation; thus, the end user will continue to be important. What is the role of the citizen in cybersecurity? What socio-technical characteristics might enable a system that encourages and empowers users to create a secure infrastructure?
How can cyberspace be augmented or organized so that security is more widely produced at home by citizens who lack technical expertise? Answering this question is critical to governance of the Internet. When one person or machine is not secure, any or all of the people connected to the Internet potentially pay a cost. The average user receives spam because other average users allow their machines to host spammers. Securing cyberspace is an inherently cooperative venture.
A growing body of work illustrates how classes of goods are constructed by a collective (community-based production) and how shared resources are managed (managing the commons). When viewed from the first of these two perspectives, security is a good that can be cooperatively produced. When viewed from the second, computer security appears to be a common good that can be consumed and preserved, but not produced, cooperatively. The Internet as a commons can be compromised if too many people accept a high level of insecurity. In both cases, requirements for the nature of the good, whether public or private, must be defined. Cybersecurity is a good with significant private incentives; in the same way that no one seeks to become ill, no one wishes to be the victim of identity theft. Cybersecurity may also have a tipping point, after which a herd effect motivates action or adherence. On the network as in the realm of public health, herd immunity is needed to prevent epidemics.
In this essay, I describe resource management as community-based production and as the management of the commons. I suggest that the underlying requirements for each of these approaches may already exist or could be created.
. . .