Close

Exit-interview with Laura Kocksch: “SMEs have better cybersecurity practices than what first meets the eye”

Anthropologist Laura Kocksch has been part of the ADD-project since its early beginnings. In this exit-interview, Laura looks back at her time with the ADD-project.

From July 2024 she will end her direct affiliation with the project and head on as Assistant Professor in the Techno-Anthropology Lab (TANTlab).

What has your research in the ADD-project been focused on?

I have conducted an ethnographic study of cybersecurity in small and medium-sized enterprises in Denmark. The aim was to try and understand how SME’s deal with cybersecurity by observing their everyday practices. So, I’ve visited more than 30 SMEs around the country and made camp at their various office spaces and industrial sites, while also interviewing both leaders and employees to try and understand how they work with cybersecurity.

During my research I have developed the concept of “everyday cybersecurity”. In short, this is a term categorizing all the types of practices where companies find ways to address cybersecurity issues, which may not be “by the book” in terms of what is considered the golden standard by many cybersecurity experts, but where companies nevertheless manage to deal with many of the most relevant cybersecurity issues and have their own solid logic. And that is a term, that I think fittingly describes the reality for the broad majority of SMEs in Denmark who deal with cybersecurity as one of many other concerns and risks to their business.

Can you give an example of these “everyday cybersecurity” practices?

For example, we saw that a logistics company did not use password protection on those PCs that a lot of different employees have to use throughout the day. Think about a large terminal, where lorry-drivers queue up to print out delivery orders. Not having password protection on PCs is typically not considered “good cybersecurity”, but for this company it’s not because of carelessness and instead they come up with alternative security strategies. In this case for example, the printing computer would only be accessible when the office was staffed and thus when the terminal is under observation by office staff, and in this way, no unknown people would be able to use the PC. Quite clever!

What can the broader society learn from your research?

My research challenges the conventional wisdom in the cybersecurity community that SMEs are clueless, resourceless and all over don’t care about cybersecurity. That is not the picture I have seen in my many visits to SMEs around Denmark, and that is important because it tells us that SMEs 1) actually do care about cybersecurity and 2) they do find ways to address cybersecurity issues, although it may be by other means, that we typically think.

That provides practical insights that can help shape more effective and realistic cybersecurity strategies for small and medium-sized enterprises. And that is also why we partnered with the Danish Business Authority (now the Danish Agency for Digital Government) to develop insights and tools that can help SMEs reflect about and developed their own cybersecurity policies. We have heard from our collaborators that such stories of dilemmas and the everyday practical handling still inform their work.

What impact has your research had in relation to the research agenda and community that you are a part of?

Having worked in the field of cybersecurity for over 10 years the impact will go a bit beyond just the work that I’ve done as part of ADD. The field has shifted from being engineering or defense centered to involving other disciplines such as psychology but recently also anthropology and science and technology studies. As a part of this trend there is a push for the use of qualitative and ethnographic methods. Especially the idea of using ethnography to send researchers into the companies or organizations to understand the everyday practices. Doing studies of the very mundane everyday cybersecurity brings a different perspective of the issue as it’s not about living up to the golden standard but it’s often about doing things good enough.

We are thus working towards a shift from relying on defining expert views to challenge and incorporate more practical, field-based situations. Although expert opinions and alarmism still dominate cybersecurity, examining everyday cyber security can lead to new insights and approaches as we might start to think about it a little bit differently.

What have been particularly successful venues for impact?

The success of our collaboration with the Danish Business Authority stemmed from not pretending to have all the answers. It was not about claiming that we could solve all the issues of cyber security practices. Instead, we prioritized collaboration and communication holding regular meetings to keep aligned within the project.

At the same time, we can’t force research impact. It is more about identifying shared concerns with public stakeholders and negotiate and communicate about possible interventions that research can make. In our project, we were lucky to „intervene by invitation“, meaning that our collaborators had a certain frustration with how cybersecurity was understood in SMEs and because previous campaigns seemed to have failed. By finding collaborators like this, who welcome a slightly new way of looking at things, and who welcome intricate empirical stories, the social science perspectives of ADD can generate real, specific and local impact.

Now that you are leaving the ADD-project, what will you be moving on to next?

My next research project focus on telecommunication breakdowns and cyber-attacks in Greenland and Denmark. This project, funded by the Carlsberg Foundation is titled DigiBreak. Here, my colleague Mette Simonsen Abildgaard and I aim to understand the everyday ways people handle breakdowns of digital systems and develop practical solutions based on their resources at hand. In a second project to start in 2025, we will look more into Arctic infrastructure projects, specifically, in my case, aging data centers and cables in Iceland. This project is funded by the Independent Research Foundation. In many ways, the ADD project has lifted me off to investigate many more interesting facets of digitalization in Denmark and the Arctic.

What will you miss the most from being part of the ADD-project?

The interdisciplinarity that is integral to both the ADD-project as well as TANTlab at Aalborg University, where I have been based, is something that has intrigued me from the beginning. Bringing together people from so many different academic disciplines has been very interesting to be part of and is something that I think qualifies the broader debate about how digital technologies shape the Danish society. I think it’s very valuable for the many research projects in the ADD, to have it be formed by the discussions we have had across our many different disciplines from anthropology, data science, political science, organizational theory and more, to name but a few. I will miss that but look forward to following the project from the sidelines.