Resilient Citizens in the Information Society



A Framework for Discussion Developed by Julie Cameron, Managing Director, Info.T.EC Solutions Pty Ltd, Australia

For the IFIP WG9.2 & WG 9.9 Joint Workshop, Milan, June 2011, “Social Accountability & Sustainability in the Information Society: Perspectives on Long-Term Responsibility”.


1     A Sustainable Information Society Requires Resilience

The concept of a ‘sustainable’ Information Society incorporates the requirement for ICT (Information and Communication Technology) to support and promote viable communities of citizens.

‘Sustainability’ presupposes the requirement for ‘resilience’.

‘Sustainability’ is defined as the capability of ‘keeping something going over a long time or continuously’. ‘Resilience’ is defined as ‘able to rebound’. [Source: “Oxford Dictionary of Current English” published by Oxford University Press, 2001]. ‘Resilience’ in the Information Society is therefore defined in this document as: ‘The ability of ICT users and those affected by the use of ICT by others to:

  • Adapt effectively to change
  • Recover from harm’.

But who is accountable for ensuring ICT and the way it is used fulfils this responsibility for sustainability and resilience? “Accountability describes the structures that need to be in place to facilitate responsibility” [Bernd Carsten Stahl, (p52) “Accountability and Reflective Responsibility in Information Systems”, published in “The Information Society: Emerging Landscapes”, editors Chris Zielinski, Penny Duquenoy, Kai Kimppa, published by Springer for the Information Federation for Information Processing (IFIP), 2006]. ICT is used widely within industrialized societies by governments, organizations and individual citizens. Consequently, these three groups are accountable and have a long-term responsibility for ensuring the sustainability of the Information Society. But does each of these three groups have the structures and support that facilitate this responsibility? And are they resilient?

This framework is a living document aimed at citizens, not an academic paper. It is a summary of issues intended to provoke discussion. Although some of the scenarios and examples presented for discussion are ‘worst-case’ outcomes, they are based on actual events.  This document builds on research into the social impacts arising from the Information Society. It advocates developing the processes and structures that need to be in place to facilitate long-term responsibility for a sustainable Information Society. Importantly it examines the requirements for resilient citizens in the Information Society.

2     ICT is Ubiquitous

2.1  Thirty years ago, academics, policy makers, business leaders and community representatives discussed the social impacts of introducing computers.

In the IFIP community, Working Groups (WGs) and Special Interest Groups (SIGs) established by Technical Committee 9 (TC9) discussed the social impacts of computers and identified crucial issues. The membership of the groups was diverse, multi-disciplinary and international, although most members came from Europe and industrialized countries.

  • How would computers affect the workforce? [WG9.1]
  • How would ICT affect society? [WG9.2]
  • What is ethical behaviour in an Information Society? [SIG9.2.2]
  • How do emerging economies face the same issues but within different and compressed timeframes and with less time to adjust to increasingly complex ICTs? [WG9.4]

Significant papers from conferences, and discussion papers presented to some group workshops, were published. Crucial issues related to sustainability and resilience arising from the introduction of computers, and the publications in which they were discussed, included:

  • What is an Information Society? [Refer to “The Information Society: Evolving Landscapes. Report from Namur”, editors Berleur, J., Clement, A., Sizer, R. & Whitehouse, D., published by Springer-Verlag: New York & Captus University Publications: North York, 1990. “Computers and Society: Citizenship in the information age” editors C. Beardon & D. Whitehouse published by Intellect Press: Oxford, 1990. “The Information Society: Emerging Landscapes”, editors Chris Zielinski, Penny Duquenoy, Kai Kimppa, published by Springer for the Information Federation for Information Processing (IFIP), 2006]
  • What is an ethical Information Society? [Refer to “The Ethical Global Information Society: Culture and Democracy Revisited”, editors Jacques Berleur, Diane Whitehouse, published by Chapman & Hall for the Information Federation for Information Processing (IFIP), 1997]
  • What kind of training is needed to prepare ICT professionals? [Refer to “Ethics of Computing: Codes, Spaces for Discussion and Law”, editors Jacques Berleur, Klaus Brunnstein, published by Chapman & Hall for the Information Federation for Information Processing (IFIP), 1996]
  • What are the risks and challenges of the network society? [Refer to “Risks and Challenges of the Network Society”, Proceedings of the Second IFIP 9.2, 9.6/11.7 Summer School, August 2003, editors Penny Duquenoy, Simone Fischer Huber, Jan Holvast, Albin Zuccato, pub Karlstad University Studies]

The IFIP community argued the move towards the Information Society may be:

  • Unstoppable – assuming we accept technological determinism [Diane Whitehouse comment 13 March 2012].

The demand for ICT is driven both by users and suppliers. Users want the convenience of integrated, powerful ICT systems. Suppliers drive profitable innovation.

  • Global  – assuming ICT is accepted by and available to all societies [Diane Whitehouse comment 13 March 2012].

International trade quickly spreads ICT to users even in remote locations. Satellite phones, powered by solar energy or battery, can be used anywhere in the world.

  • Beyond the control of any single state or person – assuming there is no equivalent international agreement (eg like the United Nations Convention on the Law of the Sea).

Governments cannot totally control the use of ICT. Information flows, even when governments try to shut down communication networks or apply stringent censorship.

2.2     In 2012, many societies and citizens are very dependent on computers and need to be prepared for the impacts if ICT is misused, malfunctions or fails.

An Information Society depends on ICT for:

a.   Information

Data is collected in digital form or may be digitized. Information from different media (eg books, photos, music) and independent sources can be stored electronically. Digital data can be analyzed and combined to provide additional information. For example, a digital telephone directory is more useful than a paper directory because it enables searching by phone number or address, and not just by name. “But it is less useful because you need to have an expensive electronic device to read it” [Chris Zielinski comment 13 March 2012].

b.  Communication

Most communication is now digital. Analogue technologies (eg TV transmissions) are being superseded.

c.   Transactions (eg personal, commercial and government)

Some organizations require customers to go ‘on-line’ to obtain services. Governments provide information through web portals. Internet banking is a prime example. “Not having a choice or alternative way of transacting with organizations other than using ICT becomes an ethical problem” [Chris Zielinski comment 13 March 2012]. Consumers frequently find shopping for goods on the Internet (‘etailing’) is a cheaper option.

d.  Operations (eg facilities, transport)

Most forms of transport use computerized dispatch and control systems. Aircraft and even cars use inbuilt computerized systems to control and monitor essential components and performance.

e.   Life support (eg heating, health, critical systems)

Most life support systems depend to some extent on ICT. The Japanese experience of the March 2011 earthquake, tsunami and Fukushima nuclear disaster tragically illustrates the risks to life support arising from natural disasters. Even water purification plants depend on automated computerized processes to produce and deliver clean water to citizens. The Chernobyl disaster demonstrated the effects of human error and system malfunction, and recent events in the Iranian nuclear facilities show how vulnerable systems are to cyber attack.

Citizens need to understand the impact of ICT and protect themselves against harm caused by its use.

Society needs to ensure alternative methods to using digital ICT remain available for citizens.

And citizens need to prepare in case ICT malfunctions or fails.

3     ICT Is Complex and Transformative

The definition of ‘resilience’ includes ‘the ability to effectively adapt to change’. This means a resilient citizen in the Information Society needs to understand ICT and the way it can be used. Resilience implies citizens have the ability to assess the benefits and risks. However, in the Information Society it is debatable whether citizens can be truly aware of the actual and potential impacts of numerous types of ICT and systems. These impacts are even more complex when ICT and systems are integrated and interoperable. Unless they can take advantage of the benefits and protect themselves from risks, the resilience of citizens is limited.

3.1  Question: Can citizens identify the impacts of ICT?

Assessing the impacts of ICT is made extremely complicated because of the:

a.   Complexity of ICT

Most citizens do not understand how forms of ICT work. For example: When communication was by wireless telegraph using Morse code, citizens could see the wire or cable and knew the message was converted by the operator into dots and dashes that represented letters of the alphabet. They could hear the outgoing signals and responses when they attended the telegraph office. Modern communication is unseen. The ‘wire’ may initially be a copper wire, but then may be a satellite dish. The message (eg picture, voice or data) is now digital. The conversion and transmission is a ‘black box’. If there is an error, misdirection or interception, citizens will not necessarily know this has happened, or why, let alone who was responsible.

b.  Lack of transparency about the capability and use of new ICT

When new ICT is introduced the suppliers normally publicize the benefits. They want sales and return on investment. Citizens are not initially informed about any risks. Suppliers may not know how buyers or users will use the ICT (eg SMS messaging). Organizations that buy new ICT may suppress information about the impacts of systems for strategic or commercial reasons. They may adapt systems for uses the suppliers did not intend or predict.

c.   Integration

The integration of data and systems may have complex consequences and significant impacts. For example: a name and address provided by a citizen to government agencies for different purposes (eg for voter enrolment and taxation) may differ for appropriate reasons, but may also arouse suspicion of fraud.

d.  Function creep

Often ICT implemented for one purpose is extended and utilized for other functions by a different group of users. For example: Drivers’ Licenses are issued by a government agency to people approved to drive motor vehicles. However, banks and other organizations also use licenses as ‘proof of identity’.

e.   Speed and extent of change

ICT is constantly and rapidly changing. Citizens cannot know or understand all developments and assess their impact. For example: In Australia cameras placed beside the road were originally used to photograph offending vehicles either because the driver ran a red light or was speeding. Now vehicles can be tracked in real time using overhead high-resolution digital cameras, combined with optical character recognition that can scan and ‘read’ vehicle registration number plates, and fast broad-band communication. [Refer to use of Number Plate Recognition by Enforcement Agencies –]

f.    Invisibility of ICT and systems

ICT is frequently invisible so that citizens are unaware it is being used. For example: Because embedded microchips and RFID used by manufacturers in clothing are invisible to consumers, they do not remove them.

g.  Lack of controls over development and introduction

In a global market, governments have little control over what ICT is developed and introduced into a country and how it is implemented. Legislators are usually reactive, not proactive. Legislative change generally occurs only after misuse of ICT has taken place and users have been disadvantaged or harmed.

h.  Assumptions used in ICT products

Many ICT products utilize software programmed according to assumptions that are invisible to the user. For example: Algorithms, which are invisible sets of rules coded into computer programs, are assumed to be correct over time. There is also no reliable way of testing all the interactions among algorithms embedded in other products with which a program interacts prior to adoption. It is thought that algorithms used in stock trading may exacerbate the volatility of international share markets.

Answer: Few citizens can assess the specific impacts of ICT accurately.

3.2  Question: Can citizens identify generic benefits of ICT?

Despite the complexity of ICT and its impacts, information about the risks and benefits of similar and earlier types of technology can provide general guidance for citizens. Experience with telephones taught citizens that faults occur in the equipment and in transmission. Telephone exchanges get overloaded and calls ‘drop out’. Telephones created new business opportunities. However, telemarketing became intrusive and public access to home telephone numbers reduced privacy. Similar experiences occur on-line. Referring to past experience and observing the benefits gained by early adopters of a specific ICT allows some generic benefits and opportunities to be identified, including:

a.   Improved access to global information and knowledge

The quantity of information and data available has significantly increased even though the quality varies. Reliable sources enrich knowledge and experience. Internet searches can simplify sourcing and evaluating opportunities (eg for commercial ventures).

b.  Increased social global connectivity

Dispersed markets are viable. Products can be tracked from the producer to the consumer (eg a farmer in Australia can sell directly to a consumer in Austria!). International collaboration is routine (eg colleagues need never meet but successfully jointly author conference papers). Social media and social networks allow instant communication and have supported mass movements like the ‘Arab Spring’ in 2011.

c.   Increased productivity

Manufacturing can be dispersed. The quality and speed of delivery is improved using Just-in-Time methods enabled by sophisticated ICT – providing there are no outages or delays.

d.  New products and services

Products can be personalized and customized using ICT-enabled manufacturing. Electronic books are published on demand.

e.   Improved quality of life for people who are less advantaged

ICT has helped diagnosis and prognosis for many people who are sick, elderly or who experience certain disadvantages. Even the economically disadvantaged can be assisted as the costs of aids and equipment reduce over time.

Answer: Some citizens can identify generic benefits of ICT and, if they are prepared, can adapt effectively to change and exploit opportunities.

3.3  Question: Can citizens identify generic risks of ICT?

Specific risks from ICT are often difficult to identify. However, assumptions about general threats, including the following, enable some citizens to act proactively in some circumstances:

a.   All digital communications are monitored

For example: Mobile phones enable location tracking. Turn off GPS options, and mobile phones when not required, and use less sophisticated devices or non-electronic communication.

b.  Many places are under real-time surveillance

For example: CCTV is used in many buildings and public places, especially lobbies and including lifts. Be aware your image may be captured and behaviour monitored.

c.   ICT services and equipment may malfunction or fail at any time

Back-up and secure essential data. Be aware of non-electronic options. Retain paper copies of important documentation.

d.  Misuse of ICT by government, organizations and individuals may occur

For example: In April 2012, the British Government was reported to be planning to monitor email addresses of all emails in and out of its jurisdiction. The philosopher A. C. Grayling expressed concern about the attitude that: “We all need to be watched. We are all potential suspects”. [Source: interview on ABC Radio National 8.30am 14 April 2012.]

For example: Unknown ‘others’ may upload and use personal data (eg hackers). Provide minimal personal data and use anonymous transactions whenever possible. Be aware of risks arising from social media, including loss of reputation.

e.   ICT and data will be used in new ways

For example: New applications like automated pattern recognition provide surveillance based on assumptions that are generally unknown. Some organizations use software that scans spending patterns. When used by banks, abnormal patterns can help detect theft from customer accounts. When used by enforcement agencies, inconsistency can imply illegal activity.

For example: The collection and storage of health data in electronic format may be used to disadvantage citizens. Data acquired by insurance companies could be used to evaluate risk prior to providing a citizen with insurance cover. “More elaborate eugenic scenarios can be envisaged where the state, for example may decide a citizen’s DNA should not be replicated because of perceived flaws and risks” [Chris Zielinski comment 13 March 2012].

f.    Data will be integrated

For example: Data from on-line web transactions may be integrated and data mining used to provide profiles of people or their social networks.

g.  Errors and mistakes will occur

For example: Clerical errors may occur in data entry or linkage of records to the wrong person. Check personal records maintained by organizations and query inconsistencies or inaccuracies.

h.  Citizens may be denied services if they refuse to use ICT

For example: The Australian government is introducing full body scanners at international airports. In February 2012, the Minister of Transport announced that agreement to the scan is a precondition for travel!

For example: “In some countries citizens are required to fill in forms online for social benefits, voting and all the myriad of things that make up citizenship. Citizens who are not able or not inclined to go on line may risk being denied their rights as citizens” [Chris Zielinski comment 13 March 2012].

i.    Poor ICT management practices

For example: A major cause of risk results from inadequate management controls over systems and/or data. Some organizations depend on automated system monitoring to ensure security. Whenever possible check the information held by organizations (eg bank statements).

j.    ICT will be superseded

For example: Previous versions of software will be replaced regularly and newer versions may not be backwardly compatible. Similarly, ICT devices quickly become obsolete and cannot be repaired economically. Convert and transfer essential data to updated ICT or retain the previous versions to enable continued access.

Answer: Some informed citizens can assess generic risks, avoid or mitigate damage arising from ICT and sometimes they can mitigate or recover from harm.

4     Resilient Citizens Require Government & Organizational Support

Because ICT is ubiquitous, complex and transformative, most citizens in the Information Society need governments and organizations to help them to adapt effectively to change and recover from harm.

Many organizations, including government agencies, aim to continually improve their outcomes by assessing their structures and procedures. When the experience and expertise of multiple organizations in handling specific events are assessed, the most effective methods are developed into a concept of ‘best practice’. For example, the European Union reviewed data management practices of various countries and the effects of data transfers on the privacy of its citizens. The result was the European Union Directive on Data Protection. The terms this legal structure embraced became ‘best practice’ for other jurisdictions. After review of its effectiveness, which included consideration of ICT developments and practices, this Directive is to be updated. In January 2012, the Commission published a Communication proposing new content for the next Directive. [Refer to: 2012_9_en.pdf]

Because of the dependence on ICT and the importance of resilience in the Information Society, we need to identify and implement ‘best practice’ by government and private sector organizations.

4.1  ‘Best Practice’ for Governments

A formal study of government practice in adopting and using ICT is required. However, based on observation and methods used to assess other functions, ‘best practice’ for governments aiming to support resilient citizens includes the following:

a.   Assess and monitor risks from ICT development and use

  • Reintroduce Technology Impact Assessment. Some governments in the 1980s undertook this process of examining the impact of new technology. Key organizations involved in Technology Assessment included the Danish Board of Technology and other agencies set up in Western European Countries; US Office of Technology Assessment established by an Act of the Congress in 1972; UK Office of Science and Technology. [Refer to The Commission of the European Communities Technology Assessment Programme: “The Demand for Technology Assessment in Europe” by A. A. Ster – A report to the 2nd European Congress on Technology Assessment, Milan November 1990. “New Challenge or the Past Revisited? The Office of Technology Assessment in Historical Context” by Gregory C. Kunkle, published in Technology In Society, Vol. 17, No. 2. pp. 175-196, 1995.]
  • Consult widely prior to introducing ICT or allowing existing ICT to be used in a different way (eg use of biometrics for security) to identify the risk from ICT.
  • Review the outcomes from ICT development and use.
  • Address concerns about ICT and mitigate risks prior to implementing new systems (eg ehealth).
  • Ensure, where possible, protection is provided to citizens who use ICT legitimately.
  • Provide citizens with transparent, equitable and enforceable remedy for harm.
  • Provide legislation to protect “whistleblowers” reporting on the misuse of ICT. [Chris Zielinski comment 13 March 2012]
  • Monitor threats and misuse of ICT and data and take meaningful action against offenders.
  • Inform citizens about the risks arising from data being held in external jurisdictions outside their control and using ICT located ‘off-shore’. For example: Websites owned by companies registered in the USA and holding data in the USA may be subject only to USA legislation and regulation.  This makes legal claims against company actions by citizens from other countries extremely difficult and very expensive.
  • Negotiate with other governments and organizations on behalf of citizens if a threat comes from outside their jurisdiction. For example: Data stored separately in databases located in another country or in ‘the cloud’ may be vulnerable to misuse, particularly if the security and privacy protections are less rigorous than in the source country.
  • Inform citizens about new ICT and its capabilities (eg via the news media).
  • Train citizens to identify and mitigate risks from ICT (eg encourage life-time learning).
  • Provide basic skills to users to enable them to use ICT appropriately (eg teach students about privacy awareness and ethical use of ICT).
  • There is a need to have an alternative to ICT in case of failure because of society’s strong dependency on ICT. “Among members of the Organization for Economic Cooperation and Development, 70% of households and 94% of businesses with 10 or more employees are already online. Worldwide, the number of Internet users is projected to rise from 6.4 per 100 inhabitants in 2000 to 29.7 per 100 by 2010 [Statistics:]” [F. Gokkus, & J. Memit, Informatik Ethik u. Gesellschaft, University of Zurich unpublished paper 8 March 2012]
  • Plan, maintain and test procedures for citizen support and recovery.
  • Inform and train citizens about survival strategies (eg New Zealanders are trained to respond appropriately in case of earthquake).
  • Plan and prioritize remediation and recovery (eg hospital services).

b.  Provide and enforce protective legislation and remedies that protect citizens from harm caused by the misuse of ICT

c.   Prepare citizens for ICT

d.  Provide alternatives to digital ICT to enable citizens to access services [Chris Zielinski comment 13 March 2012]

e.   Prepare Disaster Plans that assume failure of ICT

During a crisis, citizens are supported by government agencies and trained volunteer organizations responsible for search and rescue. While people are displaced they are provided with essential goods and services. After the crisis has passed, governments provide assistance to help recovery. Governments and search and rescue organizations need to factor ICT failure into their plans and strategies. For example: There are still reports from disasters where key organizations (eg fire services and police) were not able to communicate because they use different radio equipment and mobile phones and telephone lines in affected areas were inoperable.

Governments are accountable for providing generic information about impacts, benefits and risks of ICT to citizens.

Governments are responsible for mitigating the risks arising from the Information Society and helping citizens to recover from harm resulting from the misuse or malfunction of ICT.

4.2  ‘Best Practice’ for Organizations

Research into ‘best practice’ for organizations aiming to support citizens in the Information Society is required. Many private sector and community organizations already utilise ‘best practice’ for ICT security and IT management. However, ‘best practice’ is often internally focused. It aims to protect the organization’s activities. Organizations can build on existing practice and ensure they consider the impact of harm from misuse, malfunction or failure of ICT on users and other citizens. ‘Best practice’ by organizations supporting citizen resilience includes the following:

a.   Assess and monitor risks from ICT development and use

  • Design systems that protect privacy and the security of data and transactions.
  • Adopt robust risk evaluation processes prior to introducing new ICT and systems. Some ICT increases or changes risk to businesses and their clients. For example: Use of offshore data storage or ‘the cloud’ may reduce security.
  • Identify actual and potential risks to users and citizens from new uses of ICT. For example: ‘Google Street View’ created privacy concerns when detailed maps that showed individual properties were published. [Refer to:]
  • Monitor and audit ICT performance and activity regularly. Human oversight is expensive but required because software does not have the flexibility and perception to predict all risk or events.
  • Consult stakeholders. Consultation is good business practice, particularly when tasks are transferred from the organization to the consumer, as in activities like on-line banking and airline bookings.
  • Identify cultural concerns and sensitivities of local users.
  • Adopt an ethical approach to ICT development and use of data. Researchers need to follow codes of ethics – ‘first do no harm’ [Refer to Joe Weizenbaum]; just because you can does not mean you should! “But on the other side, just because you should not does not mean you will not.” [F. Gokkus, & J. Memit, Informatik Ethik u. Gesellschaft, University of Zurich unpublished paper 8 March 2012]
  • Provide guidelines and training on the ethical use of ICT in the private sector. [Chris Zielinski comment 13 March 2012] At the end of February 2012 the European Union’s BEPA/EGE published an Opinion on the Ethical Use of the Internet [Diane Whitehouse comment 13 March 2012]. [Refer to: opinions/index_en.htm]
  • Ensure employees and agents do not misuse ICT or the data they collect about citizens. “There are reputed to be examples in the United Kingdom of celebrities being in accidents/emergencies and sudden increases in numbers of healthcare personnel searching their records” [Diane Whitehouse comment 13 March 2012].
  • Ensure only essential data is collected and stored. Some organizations scan identification documentation rather than just recording the identification number of the documentation and the issuer. This creates additional risk of identity theft. For example: Some nightclubs in Australia scan the photo IDs (usually a driver’s license) that patrons must present to gain access.  [Refer to:]
  • Ensure access to confidential data is restricted to those who need to know, and that such data is not stored longer than required or indefinitely. [Chris Zielinski comment 13 March 2012]
  • Provide guidelines and training to employees on procedures required to protect users against risk. [Chris Zielinski comment 13 March 2012]
  • Explain what new ICT does and how it affects users (eg new transport ticketing like ‘etickets’).
  • Inform users and clients about how data is used (in plain language).
  • Notify users and clients of any changes well in advance of implementation so they can remove their data or transfer their business dealings to an alternative supplier.
  • State what information is collected, who accesses it, why they need it and for how long. Some organizations share data within the group. For example: when a bank is also an insurer, information is often shared through Client Relationship Management Systems and with external organizations like marketers.
  • Obtain informed consent for use of personal data. This means allowing the user to opt-in to specific uses of data (eg permit doctors to view medical history, but deny access to management for planning purposes, or to researchers).
  • Inform users when systems will be changed in ways that reduce or prevent access (eg requirement for users to accept ‘cookies’ before they can access some sites).
  • Provide convenient access to customer service and information about local ICT implementations and help with using systems, free of charge.
  • Ensure appropriate clients are able to easily contact the organization and key managers. For example: In May 2011, Facebook did not provide email addresses for management roles. [Refer to:] They could be reached only by mail sent to the US headquarters!
  • Some organizations require customers to provide identification or log-in to systems even when it is not necessary because it enables the business to track usage and user behaviour.
  • Many organizations provide advantages and services only if personal data is provided. This means that citizens who are concerned about protecting their information are not able to access some goods and are denied services. They face discrimination.
  • When a user’s privacy is breached (eg hackers obtain personal data and credit card information), organizations need to notify those affected immediately and, as far as possible, remedy the harm.
  • When a user’s rights are affected (eg right to access services is denied because of behaviour by a 3rd party, including an employee) organizations need to provide an effective process for resolution and restitution.
  • Provide users with local contacts so they are able to report and discuss breaches or terminate services. For example: As at 3 February 2012 it was reported, Google’s “Code of Conduct” []. Section 13.2 states that if you want to “terminate your legal agreement with Google you may do so by (a) notifying Google at any time….Your notice should be sent, in writing, to Google’s address which is set out at the beginning of these Terms”…ie the principal place of business is a physical address in Mountain View, California USA.
  • Protect “whistle blowers” and encourage reporting of any misuse of ICT by employees or others, and any potential harm to those who use or are affected by the organization’s ICT.
  • Plan, maintain and test procedures for maintaining services, especially those crucial for citizens (eg access to food and cash).
  • Train employees to operate without ICT.
  • Inform clients and citizens about alternative arrangements in case of malfunction or failure of ICT.
  • Plan and prioritize remediation and recovery.

b.  Embrace ethical development and use of ICT

c.   Protect users against risk

d.  Provide transparency

e.   Permit (where possible) anonymous transactions and no disadvantage.

f.    Provide appropriate remediation for harm

g.  Prepare Business Continuity Plans that assume failure of ICT

Organizations are accountable for providing specific information about the way they use ICT and how it may affect citizens.

Organizations are responsible for mitigating risk and helping their clients and other citizens recover from harm caused by ICT they or their employees and contractors use to conduct their activities.

5     Citizens Can Contribute to Resilience

Government and organizations are accountable for providing structures that support citizens in the Information Society. However, citizens in the Information Society need to accept some responsibility for their own resilience.

Resilient citizens need to adopt ‘best practice’ to benefit from opportunities and protect themselves and others against adverse impacts of ICT. “It is not feasible for governments to completely protect citizens from harm caused by using ICT” [F. Gokkus, & J. Memit, Informatik Ethik u. Gesellshaft, University of Zurich unpublished paper 8 March 2012]. ‘Best practice’ in the Information Society can be incorporated into a Citizen Resilience Plan. The definition of ‘resilience’ includes ‘the ability to recover from harm’. Resilient citizens need to prepare in case ICT is not available to them. Resilient citizens need an ICT Failure Survival Strategy.

5.1  ‘Best Practice’ for Citizens – A Citizen Resilience Plan

A Citizen Resilience Plan is a checklist that helps an individual to determine what actions they need to take to benefit from opportunities and avoid, mitigate damage, or recover from risk arising from ICT. It is a guide to ‘best practice’. The plan may include the following actions:

a.   Identify opportunities from ICT and acquire relevant skills and resources

Ensure relevant knowledge is updated regularly and learn to use new ICT. Identify key resources (eg some community groups offer assistance with on-line skills – senior citizens associations; some libraries offer free internet access).

b.  Protect against ICT risks

Adopt a back-up routine to ensure all data is copied and secured in case ICT equipment malfunctions or is lost. This must include converting key data and archives in superseded formats to current software so it can be accessed.

c.   Use safe practices

Use a pass-code and change on-line passwords regularly. Take time to understand the risks as well as the benefits of new products and services. Information about the experience of other users is helpful.  For example: Convenient smart phones store a large amount of sensitive information about the owner and others with whom they communicate. This data may become accessible by others if certain applications are downloaded onto the phone.

d.  Ensure actions do not jeopardize the safety or well-being of others

Be cautious about posting on-line, especially in social media websites. For example: Posting a photo of friends in compromising poses or situations on Facebook or making disparaging remarks that can be viewed by on-line ‘friends’ is harmful to them. Ask permission before posting information about other people and their actions and uploading photographs, especially those that name the people shown (ie ‘tag’ images) or include GPS information (included in ‘properties’) about location.

e.   Identify who (if anyone) is responsible for remedying harm from ICT

Before providing personal information (especially on-line) check the jurisdiction of the organization (usually found in the ‘User Agreement’) and ensure there is a transparent way of contacting the organization and lodging complaints. Be informed about how data is used.

f.    Advocate for change when risks are identified

Inform others about risks you identify. ICT is rapidly changing and remedies may not be available. However, there are bodies that will assist citizens to advocate for change when risks occur. Some governments have set up agencies to protect users (eg The Australian Government’s Telecommunications Industry Ombudsman [Refer to]) and advocacy groups exist in most countries, including consumer protection, civil liberties and privacy protection associations.

g.  Be aware of possible changes in human behaviour, expectations and values

  • For example: The changes may be subtle but evidence is emerging that suggests ICT is affecting user behaviour. Constant use of ICT may change brain patterns. Neuroplasticity indicates habits can change our brain anatomy [Refer to:  “The Brain that Changes Itself” by Norman Doidge, published by Griffin Press, Australia, 2007]. Some scientists think that continual exposure to stimulus from ICT changes thought patterns [Refer to: “Future Tense” broadcast 8.30am on 16 June 2011; last three lines of Betsy Sparrow’s description of herself: SparrowB/faculty.html].
  • For example: Mobile smart phones mean citizens are expected to be contactable wherever they are and will respond quickly to requests. Many people report they are working longer hours because their employer and clients expect they will be available once they leave the office.
  • Values are affected by depersonalisation of responsibility made possible by ICT. For example: Drones guided remotely to bomb ‘selected targets’ do not risk the lives of the operators and digital video footage shown on mass media is similar to images shown in video games depicting wargames.

h.  Behave ethically when using ICT

Be aware of the risks and be careful how you treat others and their data.

5.2  A Citizen ICT Failure Survival Strategy

Citizens who have become dependent on ICT for essential functions and services need to prepare themselves in case ICT services and equipment fail or cannot be accessed. Evidence shows that we cannot assume ICT will be available at all times. We must assume the ICT on which we depend may be affected by:

  • Natural disasters
  • Malfunction of hardware and/or software due to accidents or human error
  • Malfunction of hardware and/or software due to deliberate acts of sabotage
  • Failure of power and other ICT infrastructure
  • Intervention or change to existing ICT or systems that reduces or prevents access.

The following checklist is one method of preparing a Citizen ICT Failure Survival Strategy.

a.   Understand the level of risk that might occur

Create scenarios with different

  • Causes
  • Severity levels
  • Time periods (eg hours, days)
  • Geographical areas.


  • Failure of ICT (eg due to overload from high demand)
  • No or limited power supply
  • No or limited telecommunications.

b.  Predict the impacts of scenarios on yourself and others


  • Significant family and other relationships will be affected, or not if family and friends will want contact with you
  • Automatic Teller Machines will not operate and banks and shops may close or offer only limited goods and services
  • Electricity and other utilities may not be available.

c.   Prepare to mitigate consequences of scenarios and impacts

For example: if the scenario includes a major electrical power failure –

  • Estimate and retain the resources required (eg ensure a torch and batteries are working, store some non-refrigerated food; retain some cash).

For example: if the scenario includes evacuation –

  • Assign responsibilities (eg who will collect important documentation or equipment in case of evacuation).
  • Plan meeting points in case communication is not available (eg where you will meet family members).
  • Be informed about emergency procedures instigated by various authorities, including building evacuation, local assembly points, meanings of warnings, etc.
  • Be aware that electronic warning systems may not operate. If you observe danger, act appropriately.
  • Keep data back-ups separate from devices
  • Maintain critical information (eg list of key names and addresses; copies of identification documents; photos of family members and friends).
  • Test the survival strategy with your family and friends
  • Refine the plans over time especially on the basis of the experience of others
  • Revise plans as circumstances change (eg family members become less mobile; ICT controls more aspects of life).

d.  Identify and protect critical documentation and data

e.   Test and update the Citizen Survival Strategy


All citizens need to take responsibility for informing themselves and others about ICT and its impacts, benefits and risks and use appropriate behaviour and ethics to protect themselves and others.

Resilient citizens need to adopt ‘best practice’ when using ICT.

Resilient citizens need strategies in case ICT fails.

6     Conclusion

ICT has enhanced the lives of many people throughout the world. But with any great leap forward, change impacts communities, requires citizens to adapt and creates new accountabilities and responsibilities for governments, organizations and citizens.

The industrial age (with machines available to do heavy work), allowed citizens who were able to access its benefits to be more productive and live in greater comfort. However, the introduction of machines also meant many men, women and children toiled long hours in factories without safe working conditions. In some industrial societies, governments accepted accountability for providing the legal structures to protect workers and mitigate risk to communities. They employ inspectors to monitor conditions and enforce legislation. They provide education so citizens can adapt and benefit. They require organizations and citizens to accept responsibility for their use of machinery and industrial equipment. Over time, organizations using machinery and industrial equipment that caused more harm than benefit to communities (eg through pollution) and citizens (eg unhealthy work places) are forced to change to sustainable practices or close down. Citizens that use machines in ways that cause harm (eg drunk vehicle drivers) are held accountable and punished.

To be sustainable, the benefits of the Information Society must outweigh adverse impacts and risks.

In the Information Society citizens need governments and organizations to be accountable and take responsibility for the appropriate provision and use of ICT. They need help to understand the impacts of ICT and adapt to change. In some cases ICT poses new threats. Citizens need protection from the misuse, malfunction and failure of ICT. Governments need to provide legal and regulatory structures to mitigate risk. Threats may come from the actions of people like hackers, thieves or organizations that misuse ICT and personal data. Laws need to include punishment for offenders and restitution or assistance to affected citizens to help them recover from harm. Over time ‘best practice’ in the Information Society needs to be reviewed and revised to ensure it promotes sustainable communities and resilient citizens.

Citizens need government and organizations to support their resilience.

Now that ICT is ubiquitous, citizens need to develop resilience.  Citizens need to identify, adopt and promote ‘best practice’ for the use of ICT to protect themselves and others from harm caused by malfunction or misuse of ICT.  The resilient citizen in the Information Society is alert and prepared but not alarmed.

Each citizen in the Information Society has a long-term responsibility for improving their resilience by adapting to change, mitigating risk to themselves and others and preparing to recover from harm due to ICT.

Governments, organizations and citizens share accountability for a ‘sustainable’ Information Society that promotes and maintains viable communities of citizens.


  3 Responses to “Resilient Citizens in the Information Society”

  1. 1) As first highlighted on July 29, 2012: Which ideas for improving resilience could a working group like 9.2 best support? Or an organisation like IFIP support? What other actions and principles capable of enhancing resilience are missing? What next steps need to be taken? What resilience-related topics should be raised again in February 2013 at WG 9.2’s next meeting?

    2) IFIP WG9.2 friend, Rowena Rodrigues, draws to our attention the work of IRISS European Commission co-financed project on Increasing Resilience in Surveillance Societies and

  2. Mick Phythian has submitted some comments, they are as follows:

    Julie’s paper is most interesting given my own background in e-government and current interest in ‘cloud’. However, I must make a couple of points:

    2.2.a – whilst citizens do not need to own an expensive electronic device, they need access to one, along with training in how to use it. A suitable analogy may be literacy – one does not need to own the book or library to become literate and employ that knowledge, but one does need access to education and a library. As long as education and library access is available, the citizen is on an equivalent footing with other perhaps better-equipped ones.

    3. Complex ICT requires resilience. Increased resilience requires additional cost to both citizen and supplier (government). Austerity reduces willingness for either to happen presenting need for risk awareness/management for both.

    ICT is becoming increasingly complex e.g. cloud, web 2.0 +, mobile etc taking any ability to control the complexity away from the citizen/customer. In fact, the citizen/customer is likely to be completely unaware of the complexity involved in facilitating any transaction.

    3.1.h. A classic example of the assumptions was revealed by the Millennium Bug. I was probably one of those programmers in the 1970’s who couldn’t see past 1999!

    4.2. ‘Best Practice’ – informed consent’ – one of the matters I am highlighting in a recent paper is the need for government to make citizens aware if their personal data is to be stored in any ‘cloud’ since the technology is so undeveloped that the information might be stored anywhere in the world, might be replicated without control, may not be deleted as required and thus may become open to abuse. How this informed consent or opt-out can be delivered is a matter that then makes ‘cloud’ less economically viable…

    5.2. Survival Strategy – are there direct lessons for bank customers or banks from the failure of RBS’s computer systems recently, apart from the inherent danger of off sourcing important applications and the loss of control resulting?

    6. One of my conclusions is that citizens have data rights given the developments in cloud and networks. These are cloud providers recently being demeaned by the major ISP’s and cloud providers but ‘terms and conditions’ for a citizen/customer point-of-view are required – it should not all be ‘buyer beware’, especially when the seller is lackadaisical.

  3. […] and citizens can focus on ICT resilience. You can view, and comment on, Julie’s paper at: We encourage you to make visible your comments on the paper at the bottom of the same page. […]