Harmonizing Accessibility and Cybersecurity: A Comparative Analysis of the Digital Divide
Jessica Ankley*
Introduction
As the digital world becomes the default mode of operation, the importance of accessible and inclusive cybersecurity measures is evident. Accessible cybersecurity refers to designing and implementing digital security measures to fit the needs of all individuals. People with disabilities, low socioeconomic status, or age differences face several challenges with ensuring their own security where there is a lack of supportive software and general technological education. This demonstrates that it is crucial to ensure that cybersecurity measures are usable and provide digital protections to users regardless of individuals’ capabilities, abilities, and resources.
From a regulatory standpoint, there are several different approaches to cybersecurity, particularly in the areas of privacy and certification prioritization. Considering these differences, it is evident that cybersecurity is a significant priority from a governmental perspective, as regulatory schemes enact different laws and programs to offer individuals and entities digital protection. Moreover, it is imperative for policymakers and industry stakeholders to collaborate and harmonize their approaches to cybersecurity to close the digital divide. By doing so, they can ensure that accessibility and inclusivity are at the forefront of development and implementation of cybersecurity law. This concerted effort will contribute to creating a more secure and accessible digital environment for all.
I. The Digital Divide
In the current digital age, where individuals and organizations heavily rely on digital services for essential needs, there is a growing need for accessible and inclusive cybersecurity measures. Differences between socioeconomic groups reflect accessibility challenges, where factors like age, housing status, and disability create digital exclusion, leading to isolation and limited opportunities to fully participate and benefit from digital opportunities.[1] Therefore, improving accessible and inclusive cybersecurity measures is not only a legal and ethical imperative but also a fundamental aspect of promoting digital inclusion and protecting individuals’ rights in the digital space.
To achieve a robust and equitable cybersecurity framework, it is essential to recognize the unique challenges and requirements of different socioeconomic groups. By doing so, cybersecurity measures can be tailored to be inclusive and accessible to all individuals, irrespective of their abilities and resources. This targeted approach is fundamental in ensuring that cybersecurity law is not only equitable but also proficient in safeguarding and supporting individuals from diverse strata. Thus, delving into the significance of considering age, financial status, and disability contributes to a more comprehensive and effective understanding of the current cybersecurity framework and helps to create a more equitable and secure digital environment for everyone.
1. Age
Age is a significant factor influencing individuals’ cybersecurity behaviors and the effectiveness of their personal digital protection.[2] Older individuals encounter unique challenges in upholding personal cybersecurity which render them more susceptible to cybercriminals compared to younger individuals.[3] Furthermore, research has demonstrated that older individuals have “less . . . confidence, and as such performed less security behaviors, than younger populations.”[4] Some specific challenges for older individuals include phishing, dual authentication systems, and discerning genuine emails from fake ones.[5] These challenges have created significant financial repercussions. More specifically, in 2022, “the Internet Crime Complaint Center (IC3) reported that 88,000 people aged 60 and over collectively lost $3.1 billion to internet fraud, with cryptocurrency and technical support schemes topping the list of complaints.”[6] The National Council on Aging’s Director of Economic and Financial Security noted that older adults are targeted by cybercriminals because of their perceived wealth from lifelong, established careers and their perceived sense of trust and memory issues.[7]
Moreover, the desire to learn sufficient cybersecurity measures further divides older individuals from being adequately protected. Older individuals are more likely to be reluctant to learn their cybersecurity options because they often doubt their own technological abilities, “and this in turn inhibits their willingness to engage in novel forms of digital interaction.”[8] This doubt may stem from the lack of lifelong exposure to the internet, compared with younger individuals. Furthermore, the lack of confidence in their own technological skills is a major inhibitor for older individuals and fosters a system of mistrust and a lack of awareness towards new protective means.[9] As a result, older individuals unfamiliar with the digital sphere believe that managing online security is an anxiety-inducing experience, causing even more deterrence from protecting themselves.[10] Thus, older individuals’ digital avoidance contributes to the age-gap between protective cybersecurity measures, because it inhibits them from educating themselves about the best-practices of the internet.
Despite the deterring challenges older individuals face, research demonstrates that they do have a desire to protect themselves online and understand the consequences of not doing so.[11] The initial steps into protective behaviors are viewed as the most challenging and as an “unforgiving process which generates anxiety and ultimately avoidance and denial,” to even attempt.[12] Research has demonstrated that while older users are “less likely to secure their device to prevent unauthorized access,” they were “more likely to report generating secure passwords, updating their devices, and demonstrating proactive checking for risk.”[13] This may reflect that older users choose security measures they are most familiar with and have previously received educational support for. Thus, improving digital protection education for older individuals could be a way to bridge the cybersecurity age-gap.
Thus, improving accessibility for older individuals involves enhancing support sources and available information to facilitate a more efficient and stress-free process.[14] Fostering communication and encouraging older users to avoid risky online behaviors, such as clicking on unfamiliar links and attachments are immediate steps to enhance their cybersecurity.[15] Additionally, the use of password managers is recommended to protect older users passwords and mitigate the risk of security breaches, and encouraging them to ignore unsolicited phone calls and avoid engaging in any transaction exchanging personal information helps to ensure their digital security.[16] Involving the expertise of researchers, policymakers, and software developers may also encourage development of stress-free applications and educational materials to ensure that users of every age group have accessible options for protecting themselves.
2. Economic Status
Economic status poses significant obstacles to the implantation of cybersecurity measures, particularly for low-income individuals and those lacking necessary resources to protect themselves against cyberthreats. Accessing secure devices and Wi-Fi is not always a viable option for low-income individuals, thereby heightening the risk of data breaches compared to individuals with a higher socioeconomic status. For people living in unstable housing situations or residing in temporary shelters, the challenges in accessing and upholding a secure digital environment are further compounded.
The cost of implementing robust cybersecurity measures can be prohibitively high for many individuals, especially those with limited financial resources and restricted access to reliable devices and internet connections. This can significantly impede their ability to invest in essential cybersecurity measures, such as antivirus software, anti-spam, spyware detection software, and useful tools such as paid password managers.[17] Furthermore, the financial implications of a data breach alone can be devastating for individuals with constrained financial means, potentially leading to severe financial loss, damage to credit scores, and emotional distress.[18] Victims of a breach often spend considerable time and resources sorting through finances, canceling their credit cards, and dealing with the consequences of identity theft.[19] For individuals with limited financial resources, this can create substantial implications as they may lack the necessary time and personal safety to effectively mitigate the losses resulting from a breach.
In addition to the financial barriers, unstable housing situations can make it exceedingly challenging for individuals to prioritize digital security and privacy, potentially resulting in the neglect of best practices and increased vulnerability to cyberthreats.[20] Untrusting relationships in shared living spaces can further expose them to an elevated risk of unauthorized access to their devices and personal information.[21] Moreover, for many unhoused individuals, digital devices may be outdated, limited, and even shared, thereby increasing risks associated with the compromise of personal data.[22]
Public computers and Wi-Fi also pose notable challenges for data privacy, further exacerbating the difficulties faced by individuals living in unstable housing situations or those with limited financial resources.[23] Public computers may have installed spyware or have nearby prying eyes, while public Wi-Fi could put data at risk when accessing unencrypted websites.[24] Despite the accessibility of free public devices, low-income individuals are often aware of the risks to their data privacy but may have no other viable option for accessing essential online resources, such as government benefit or job search websites. [25] Furthermore, public devices can also create difficulty for using two-factor authentication, as many unhoused and low-income individuals do not have stable access to a second device to ensure the additional level of security.[26]
These challenges underscore the pressing need for software developers to take proactive steps to enhance the accessibility of cybersecurity for low-income individuals. In addition to reducing costs of protective software, there is a clear imperative to encourage the technology community to develop comprehensive education and training materials for “shelter workers and community resource providers on common scams and risks.”[27] This may help empower them to better support low-income users who are seeking to improve their digital security.[28] Furthermore, educating resource providers may also help low-income users that have already been victimized by online scams.[29] As for two-factor authentication challenges, technology creators may better serve low-income users by creating more recovery options to help them maintain their accounts and avoid being locked out from their device.[30] Technology creators may also better serve individuals using shared devices by “providing notifications when suspicious or sensitive activities occur,” or offering methods to revoke access to a shared device.[31] Thus, while it is indisputable that the implementation of effective cybersecurity measures poses significant challenges for low-income individuals, it also represents a substantial opportunity for software developers to create more accessible and inclusive solutions that can meaningfully address the unique needs and circumstances of this demographic.
3. Disability Status
For individuals with disabilities, ensuring comprehensive and diverse accessibility to cybersecurity measures is essential to guarantee digital protection. People with disabilities may encounter heightened risk due to the potential inaccessibility of certain cybersecurity tools and measures. Both physiological and neurological disabilities cause challenges when navigating the digital sphere, underscoring the need for a wide range of options to be available for everyone. Furthermore, the need for accessible and secure software in the workplace is imperative for disabled individuals to create an equitable workplace environment.
There are several ways in which cybersecurity may be inaccessible for individuals with disabilities, such as through complicated interfaces, mis-labeled buttons, ambiguous link text or audio/visual warnings, and a lack of transcripts or captions.[32] Additionally, challenging color schemes for people with colorblindness, security software that removes accessibility functions to leave individuals less secure, incompatibility with assistive technology between devices, and software inability to recover from errors or access support are all barriers for people with disabilities to improve their digital protection.[33] Creating, imputing, and storing secure passwords may also be challenging for individuals with mobility issues or memory impairments.[34] These limitations can significantly impact the ability of individuals with disabilities to protect themselves from cyber threats and can lead to increased risk and vulnerability.
The lack of accessibility to individuals with disabilities also creates significant digital exclusion. According to the 2022 World Bank survey, approximately three billion people worldwide continue to be offline due to several factors, including disability.[35] Furthermore, in the United Kingdom, around 22% of working age adults are disabled, demonstrating around 4.9 million disabled people in the workforce.[36] Software challenges in the workplace may become a major deterrent for disabled individuals, causing frustration and isolation from their colleagues and overall work environment. The statistics alone demonstrate the need for “[d]igital foundations, especially high quality, reliable, affordable connectivity and devices; open, interoperable and safe digital public infrastructure,” because they are imperative for “inclusive, reliant and sustainable development in the new digital era.”[37] Thus, changes in the accessibility realm for disabled individuals may improve cybersecurity and aim to close the digital divide.
To address these challenges, it is essential to create accessible cybersecurity policies and standards and to improve the overall usability of system security requirements to ensure the needs of disabled users are met in both the public sphere and in the workplace.[38] Improvements to thumbprint and facial recognition may become a useful tool for disabled individuals unable to use the traditional software.[39] Moreover, advancements in workplace diversity can serve as a catalyst for enhancing accessible cybersecurity means in the office environment.[40] Improving workplace digital accessibility can be achieved by requesting accessibility statements from vendors to identify any potential shortcomings prior to the implementation of new office solutions.[41] Thus, ongoing efforts to promote inclusive cybersecurity are essential to create a digital environment that is safe and accessible for all individuals, regardless of their abilities.
II. Regulatory Frameworks
Despite the increased demand for enhanced cybersecurity measures for the general public, the explicit recognition of an inherent right to cybersecurity for all is lacking. The United Nations emphasizes the need for appropriate cybersecurity laws, because in their absence, “the data that we share every day can be twisted to undermine democratic processes and hurt the most vulnerable among us.”[42] It further notes that government efforts are misguided to advance cybercrime laws rather than creating a more user-centric, individualized focus on the right to privacy.[43] Thus, while there is no specific inherent right to privacy in many jurisdictions, the protection of individuals’ data and the use of force in response to cyberattacks are addressed within the framework of existing international law and continue to evolve within the United States.
1. The United States
Cybersecurity in the United States is governed with a complex and decentralized regulatory framework, with legislation evolving at both the federal and state levels. The Department of Homeland Security (DHS) plays a key role in enhancing cybersecurity resilience and investigating malicious cyber activity at the federal level.[44] The primary law governing organizational cybersecurity in the United States is the Federal Trade Commission Act, which prohibits deceptive digital acts and practices.[45] In the most recent administration, President Biden has declared cybersecurity a top priority at all levels of government, with a focus on addressing the “immediate threat of ransomware and building a more robust and diverse workforce,” within the DHS.[46] The federal government has also released the National Cybersecurity Strategy, emphasizing the modernization of federal networks and public-private collaboration to defend critical infrastructure and essential services.[47] This strategy also aims to “rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto organizations that are most capable and best-positioned to reduce risks for all of us.” Thus, to exercise this strategy, the federal government aims to “use all tools of national power” to develop a more robust cybersecurity scheme, rather than focus on the needs of individual Americans.[48]
While the federal government’s approach is more nationally focused, individual states have taken significant steps in enacting comprehensive privacy and cybersecurity laws. For instance, California is known for having detailed regulations that cover a wide range of issues and expressly mentions a right to privacy in its state constitution.[49] The state’s online privacy protections also include laws that require a warrant to track an individual’s location using GPS, and a law that gives customers the right to know the specific data companies have collected about them, allowing them to request deletion of that information.[50] Other states such as Virginia, Colorado, and Utah have also passed comprehensive laws to protect personal data, reflecting a growing movement to safeguard individuals’ general right to privacy.[51]
There is little cybersecurity law in the United States to address the digital divide between specific socioeconomic groups. Primarily, the focus is on developing general laws protecting individual data, and most of the action on an individual front is taken by the states rather than the federal government. Furthermore, the lack of a single federal law regulating cybersecurity and privacy has led to a more fragmented regulatory environment, with states implementing their own measures to close the gaps.[52] Despite this fragmentation, the robust cybersecurity laws in states like California, Virginia, Colorado, and Utah provide hope for the continued development of cybersecurity legislation in other states for all individuals, promoting more accessible cybersecurity options.
2. The European Union
The landscape of cybersecurity regulation exhibits notable differences between the United States and the European Union (EU). The EU has adopted a more proactive and stringent regulatory framework, particularly with the implementation of the General Data Protection Regulation (GDPR), which came into effect in May 2018.[53] The GDPR aims to harmonize data protection laws across all EU member states, mandating a uniform standard for data protection that applies to all entities operating within the EU or processing data pertaining to EU residents.[54] The regulation encompasses provisions for safeguarding personal data, the privacy rights of individuals, and it outlines the responsibilities of organizations that handle personal data.[55] Non-compliance with the GDPR carries substantial penalties, including fines up to 4% of annual global revenue or €20 million, whichever is higher, significantly deterring cybercrime.[56]
In further effort to bolster cybersecurity measures, the EU enacted the Cybersecurity Act in 2019.[57] This legislation enhances the role of the EU Agency for Cybersecurity (ENISA) and introduces a comprehensive cybersecurity certification framework for information and communication technology (ICT) products, services, and processes.[58] This allows companies to certify their ICT offerings, thereby facilitating the movement of secure and reliable digital products across the EU technology market.[59] Certifications under this framework can help in mitigating risks associated with cyberthreats and be a competitive advantage for companies by fostering trust and confidence in the digital space.
The EU’s strategy reflects a commitment to ensuring that government policy on internet rights is both rights-based and user-centric, with a focus on safeguarding individual privacy and aligning with international human rights standards.[60] This approach aligns with the United Nations’ objectives, prioritizing civil protection over risky legislative measures.[61] While there is no specific legislation to bridge the gap between socioeconomic groups, the robust system within the EU generates inherent protections for all people of different backgrounds, covering essential services such as hospitals, energy grids, and railways, as well as the ever-increasing number of connected objects in homes, offices, and factories.[62] The significant fines for non-compliance with EU cybersecurity law is a major deterrence to cybercrime, and numerous proposals for digital protection programs demonstrates the EU’s motivation to improve cybersecurity accessibility for its people.[63]
III. Future Trends & Challenges
The landscape of cybersecurity is continually evolving, presenting a spectrum of challenges that both organizations and individuals should anticipate and prepare for. A critical issue within this domain is the scarcity of cybersecurity professionals, which hampers the development of accessible software and educational resources for those at risk of being marginalized by the digital divide.[64] Additionally, proliferation of ransomware and phishing attacks is projected to increase, posing heightened rights throughout 2024.[65] The shift towards remote work has further compounded cybersecurity risks, as distributed workforces introduce a broader array of digital vulnerabilities.[66] This shift necessitates a concerted effort by organizations to address the unique security challenges inherent in remote work environments, particularly for individuals with disabilities who rely on remote work. Thus, the urgent need for
cybersecurity professionals equipped to ensure the integrity of remote work infrastructures is at an all-time high to mitigate those concerns.
Despite these challenges, there is an emerging consensus on the importance of integrating accessibility into cybersecurity strategies. This is essential to bridge the digital divide and foster a more inclusive and secure online environment for all users.[67] Furthermore, the United States is witnessing a legislative push towards strengthening its cybersecurity measures, which, in conjunction with the expansion of international efforts in the European Union, underscores a commitment to enhancing cybersecurity measures globally. Thus, the future of cybersecurity will involve leveraging advanced technologies, addressing critical skills shortages, and staying ahead of increasingly sophisticated cyberthreats against the public.[68]
Conclusion
Designing cybersecurity measures that are both accessible and inclusive is crucial as we transition to a predominantly digital world. It is essential that these measures accommodate everyone, especially those with disabilities, age-related limitations, and low-income individuals.[69] The regulatory landscapes of the United States and the European Union showcase a diverse set of approaches, with the European Union often treating privacy as a fundamental right, while the United States takes a more fragmented approach. To bridge these differences and enhance security for all, it is vital to foster active collaboration among policymakers, industry leaders, and the public. By sharing best practices and aligning objectives, we can develop a unified strategy that ensures cybersecurity is accessible and inclusive, leading to a digital environment that is secure and equitable for all users, regardless of their capabilities, abilities, or resources.
* 3L, Michigan State University College of Law. This paper was written for the Fall 2023 Cybersecurity and Data Protection Class at MSU Law taught by Professor Dennis Kennedy. Thank you to Professor Kennedy for your guidance and introduction to the world of cybersecurity. To Makala Udoni, Mackenzie Almassian, Patricia Graham, and Kendall Gouldthorpe, I am endlessly grateful to for your invaluable encouragement to publish this paper. To Gabriel Wrobel, our online forum editor of the Michigan State Law Review, thank you for your careful, prompt editing and openness. Lastly, I am incredibly grateful to my friends, family, partner, and ferocious feline, Tofu, for their unwavering reassurance and support.
[2] F.B. Fatokun, et al., The Impact of Age, Gender and Education level on the Cybersecurity Behaviors of Tertiary Institution Students: An Empircal Investigation on Malaysian Universities, J. Phys.: Conf. Ser. 1339 (2019).
[3] NCOA, How Older Adults Can Improve their Personal Cyber Security, (Jul. 6, 2023), https://www.ncoa.org/article/how-older-adults-can-improve-their-personal-cyber-security.
[13] Dawn Branley-Bell, et al., Exploring Age and Gender Differences in ICT Cybersecurity Behavior, Hum.Behav. & Emerging Tech. (2022).
[14] Morrison, supra note 4.
[17] Cybersecurity: Are You Staying Cyber Safe? 8 Tips for Securing your Financial Accounts, FINRA (Mar. 21, 2023), https://www.finra.org/investors/insights/cyber-safe-financial-accounts.
[24] Consumer Advice, Are Public Wi-Fi Networks Safe? What You Need To Know, FTC (Feb. 2023), https://consumer.ftc.gov/articles/are-public-wi-fi-networks-safe-what-you-need-know.
[34] Accessibility and Cybersecurity, Info. Access Grp. (2023), https://www.informationaccessgroup.com/news/accessibility_and_cybersecurity.html.
[35] Digital Development, World Bank (Sep. 28, 2023), https://www.worldbank.org/en/topic/digitaldevelopment/overview.
[36] Department for Work and Pensions, Official Statistics: The employment of disabled people 2022, GOV.UK (Jan. 26, 2023), https://www.gov.uk/government/statistics/the-employment-of-disabled-people-2022.
[37] World Bank, supra at note 35.
[38] Lee C, supra at note 31.
[44] Cybersecurity, Dep’t of Homeland Sec. (May 30, 2023), https://www.dhs.gov/topics/cybersecurity.
[45] Michael Brands, Cybersecurity laws and legislation (2023), ConnectWise (Nov. 13, 2023), https://www.connectwise.com/blog/cybersecurity/cybersecurity-laws-and-legislation.
[46] Dep’t of Homeland Sec., supra at note 44.
[49] Derek Walborn, Best and worst US states for data privacy, Network Tigers News (Oct. 8, 2022), https://news.networktigers.com/opinion/best-and-worst-us-states-for-data-privacy/.
[50] Casey Leins, States With the Strongest Online Privacy Protections, U.S. News (Oct. 23, 2019), https://www.usnews.com/news/best-states/articles/2019-10-23/states-with-the-strongest-online-privacy-laws.
[51] KramerLevin, Comparing the 5 Comprehensive Privacy Laws Passed by US States, KramerLevin (Jun. 10, 2022), https://www.kramerlevin.com/en/perspectives-search/comparing-the-5-comprehensive-privacy-laws-passed-by-us-states.html.
[52] Federal Cybersecurity and Data Privacy Laws Directory, IT Governance USA, https://www.itgovernanceusa.com/federal-cybersecurity-and-privacy-laws (last visited Jan. 13, 2024).
[56] ITGovernance, supra at note 52.
[66] Top Ten Cybersecurity Trends, AO Kaspersky Lab, https://usa.kaspersky.com/resource-center/preemptive-safety/cyber-security-trends (last visited Jan 13, 2024).
[67] Mark Stone, The importance of accessible and inclusive cybersecurity, Sec. Intel. (Apr. 19, 2023), https://securityintelligence.com/articles/importance-of-accessible-inclusive-cybersecurity/.
[68] See The Future of Cybersecurity, Honeywell, https://www.honeywell.com/us/en/news/2020/10/the-future-of-cybersecurity (last visited Jan. 13, 2024).
[69] See id.
Any reproduction of the Article, including, but not limited to its publication, posting, or excerption in print, or on the internet, shall give attribution to the Article’s original publication on the online MSLR Forum, using the following method of citation:
“Originally published on Feb. 1, 2024, Mich. St. L. Rev. Forum.”
Jessica Ankley, Harmonizing Accessibility and Cybersecurity: A comparative Analysis of the Digital Divide, Mich. St. L. Rev. Forum (Feb. 1, 2024), https://www.michiganstatelawreview.org/forum20232024/harmonizingaccessibility.
