Security awareness

Crowdsourcing Cybersecurity: How to Raise Security Awareness Through Crowdsourcing

Daniel Dimov
September 22, 2015 by
Daniel Dimov

Editor’s note: Rasa Juzenaite also contributed to this article.

Section 1. Introduction

Public involvement in the investigation of the Boston Marathon bombing and Collaboration Community - an initiative providing U.S. citizens with the ability to post ideas concerning the country's security issues - are only two examples of crowdsourcing initiatives that incentivize citizen involvement in security issues. The use of crowdsourcing platforms is becoming a trend in solving public security issues and raising security awareness. For example, crowdsourcing platforms are widely utilized for reporting cybersecurity vulnerabilities and threats, such as web browser security, bugs, or phishing attacks. In the ongoing battle with such threats, raising information security awareness may become a crucial weapon.

This article will discuss four popular crowdsourcing-based methods that may help raise information security awareness. Firstly, the technique of crowdsourced reporting about information security vulnerabilities is analyzed (Section 2). Second: the crowdsourced security testing (Section 3) and shared intelligence (Section 4) are examined. Next, the gamification of crowdsourcing technology is studied (Section 5). Finally, a conclusion is drawn (Section 6).

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Section 2. Crowdsourced Reporting About Information Security Vulnerabilities

Information security strategies used by companies have recently shifted from dealing with security issues between the boundaries of a company toward an open innovation. Perceiving the wisdom and power of crowds in general and their customers in particular, many companies nowadays deploy crowdsourcing applications to increase their information security.

One of the techniques used by companies is encouraging their customers to report about the company's information security incidents and to identify the suspected vulnerabilities within company's IT infrastructure. Such a technique is used in order to avoid (1) an unauthorized access to resources of information, (2) a misuse of personal and confidential data, and (3) a threat to IT infrastructure.

Such crowdsourcing programs can help enterprises and software developers to allocate, monitor, and take the necessary measures to solve information security issues. The reported problems include, but are not limited to, direct and third-party hacking attacks, DDoS attacks, remote code execution exploitation, cross-site scripting, malware, viruses, and others. The collaborators are invited to detect such issues either before releasing a website or a software or while it is functioning online. The technique of a crowdsourced reporting about information security problems is used by a vast number of major enterprises, such as Facebook, Microsoft, Mozilla, WordPress, Dropbox, Twitter, and Samsung.

Most of the crowdsourcing strategies related to information security are award-based initiatives. In return for detecting information security threats, companies and software developers offer their collaborators various types of awards. Such awards range from listing the contributors in a hall of fame to swags and monetary prizes.

For example, Tesla Motors was offering an award of up to $10,000 for people who could spot any bugs on the company's website, thus identifying security weaknesses. Google encourages the security research community to participate in a Vulnerability Report Program that provides monetary rewards ranging from $100 to $20,000. The program requires writing down and submitting a potential attack scenario. The highest award of $20.000 is dedicated for reporting bugs related to remote code execution. Similarly, Mozilla promotes its Security Bug Bounty Program that has already paid more than $ 1.6 million in bounties to its researchers.

The aforementioned rewards are paid after evaluating the impact that may be caused by the reported issues. By providing rewards, companies outsource the control of their information security systems to various security research communities and white hat hackers. Such strategy benefits both participating parties.

Section 3. Crowdsourced Security Testing

A growing number of enterprises extend their cybersecurity strategies by employing crowdsourced security testing in addition to the services provided by their teams and formal security testing providers. Crowdsourced security testing is a process that enables customers to receive the service of software testing completed by a group of preselected crowd of professional software testers.

There are a variety of information security platforms that offer crowd intelligence for identifying information security threats. The main difference between such crowdsourcing platforms and traditional testing providers is that the crowdsourced platforms employ collaborative groups of a broad range of security researchers that may have more specific skills, expertise, and diversified experience than the official testing providers or automated scans. For example, offers more than 26,000 testers from all over the world to check the vulnerability of information systems.

Such enterprises offer crowdsourced testing of websites, software, mobile apps, and video games. The freelance professional testers find the security issues, identify the source of the problem, and arrange a concluding list of security problems that is later revised by other group of testers. In order to become one of the testers, an individual has to pass special examinations that prove that the applicant has the necessary skills to qualify as a tester.

The crowd security intelligence enterprises, such as Crowdsourced Testing, Synack, Bugcrowd, or Global App Testing have created virtual testing environments and offer a vulnerability identification service provided by a network of worldwide security researchers. Such crowdsourced security testing is used by major enterprises, including Western Union, Aruba Networks, and Pinterest.

Section 4. Shared Security Intelligence

One of the crucial tools in the ongoing cyberwar is collaboration among enterprises, governmental institutions, and cybersecurity professionals. Thus, more and more companies choose to participate in shared intelligence programs that bring together representatives of national security, cybersecurity industry, law enforcement, and consumers.

Such programs encourage the aforementioned bodies to share cybersecurity information, thus avoiding potential cyberthreats. The importance of such collaboration is stressed in a number of cybersecurity conferences within various industries, e.g., the U.S. Summit for Cybersecurity and Consumer Protection organized by the White House in February 2015.

One of the major concerns expressed during such conferences is protection of consumers' personally identifiable information. The quantity and the extent of cyber attacks that target sensitive personal information motivate organizations and private sectors to strengthen their cybersecurity strategies. The IBM Research X-Force Threat Intelligence Quarterly for 1Q 2015 indicates that more than 1 billion of various types of personal information, including, without limitation, credit card data, emails, and passwords, were leaked in 2014.

The shared security intelligence and expertise between various bodies not only improves the information security awareness and helps to strengthen defense mechanisms, but also allows distributing and reducing the costs of creating cybersecurity schemes.

Responding to the danger of cyberthreats, companies employ open innovation and collaboration as techniques for creating more effective security mechanisms against cyber criminals. For example, Facebook created a platform called ThreatExchange, which allows the participating organizations to share information about potential threats. Similarly, the Cyber Threat Alliance that was founded by major cybersecurity corporations, such as Intel Security, Symantec, Fortinet, and Palo Alto Networks, unites cybersecurity practitioners. The members of the alliance aim at improving the defense against sophisticated cyberattacks by sharing advanced threat data.

Johnson & Johnson, a company providing consumer healthcare products, is also an active initiator of security crowdsourcing programs. Johnson & Johnson gathers intelligence feeds from diverse sources that may have impact on company's cybersecurity. Furthermore, the internally and externally gathered information is shared with public healthcare bodies. This helps the company not only to identify the threat actors that may organize attacks against it, but also assists in creating prevention against the potential attacks. The director of worldwide information security at Johnson & Johnson, Mary N. Chaney, states that "sharing intelligence information, internally and externally, is a continuous loop, and the more you devote time to digesting and understanding the information, the greater the rewards to your overall security effort."

Section 5. Gamified Crowdsourcing Technologies

In addition to traditional security awareness programs that merely provide information concerning security issues for their users, the more advanced programs use crowdsourced gamification to raise security awareness. Gamification is a technique that incorporates game elements, such as competition and scoring, in various activities online and offline in order to engage the participants with that activity. This technique can also be applied to crowdsourcing applications that contribute to raising security awareness, managing cyberthreats, and preventing cyberfraud.

The technique of gamification is used in crowdsourcing applications for at least four reasons. First of all, it creates a sense of shared responsibility that helps to engage the participants in the activity. Secondly, gamified applications are easy to use and manage. Thirdly, gamification usually contains many motivational triggers, such as positive feedback, rapid advance, and awarding points. Fourthly, gamified crowdsourcing technologies can be applied inside the company (e.g., for employees) as well as outside the company (e.g., for customers).

The University of Connecticut has created a gamified security awareness technology called Husky Hunt. The game allows the students to share, tweet, and like messages related to various aspects of cybersecurity, such as password strength, privacy settings, phishing, Internet security, software privacy, and e-commerce safety. Husky Hunt aims at delivering security awareness by the means of fun, interactive, and engaging activities. The participation in the game includes gaining points by collecting information security tips, answering questions related to information security issues, solving clues, finding posters of the program, etc.

In order to be successful, a gamified crowdsourcing program that focuses on raising security awareness should comply with six principles, namely, (1) clearly defined goals and rewards, (2) settled rules and limitations, (3) ongoing feedback, (4) voluntary participation, (5) regulated behavior (e.g., reading, forwarding, indicating, or presenting security vulnerabilities), and (6) a long-term execution of a program.

The first attempt to create a freely accessible application that would comply with the aforementioned six principles is an app called Security Awareness. The app aims at raising awareness of information security by engaging and stimulating the users to answer security-related questions.

Section 6. Conclusion

Facing the fact that information security is a growing issue, various public and private bodies seek the ways to advance the mechanisms of their security systems. Crowdsourcing applications are being progressively deployed in raising security awareness because they attract contributors with various skills and expertise. Moreover, they enhance collaboration and collective action, engagement, and sustainability in solving issues related to information security, threat management, and fraud prevention.

This article discussed four crowdsourcing-based methods that may help raising information security awareness. More particularly, the text examined reporting about information security problems, crowdsourced security testing, shared intelligence, and gamification of crowdsourcing technology. Moreover, the article provided examples on how such technologies are applied in practice.

Naturally, crowdsourcing is not a panacea for counteracting security violations. The risks associated with this technique include malicious misinformation, bias of the contributors, and cybercascades. In a cybercascade, there is a point where the contributors stop making decisions on the basis of their personal opinions. Instead, their decisions start to be based on the signals conveyed by others. Thus, the behavior of a small group of people may produce similar behavior in a large group of people. Moreover, crowdsourcing applications often generate a lot of "noise", i.e., information which is not helpful for the users of the crowdsourcing applications. Such "noise" may, for example, consists of spam messages or randomly generated information.

However, if organized well, crowdsourced security awareness can become a powerful tool against cyberattacks. Actually, many small and large companies successfully utilize crowdsourcing to spread security awareness amongst their employees.



Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (, a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.