You are here

BPF Cybersecurity

Cybersecurity Culture, Norms and Values

Background paper to the IGF Best Practices Forum on Cybersecurity 

The background paper was established with support from participants in the BPF Cybersecurity, and serves as introduction to the wider area of culture, norms and values in cybersecurity. It is highly recommended to anyone interested in the topic and in contributing to the work of the BPF. 

background document link /  join the BPF mailing list 



In 2016, the first Best Practice Forum on Cybersecurity started off with discussions enabling participants to understand the wider context of the word "cybersecurity" for each stakeholder group. The BPF made it clear right from the beginning that this work needed to be conceived as a multi-year project. It then worked to:

● Identify the communications mechanisms between stakeholder groups to discuss cybersecurity issues;

● Understand the typical roles and responsibilities of each group in making sure the Internet is a secure and safe place;

● Identify common problem areas in cooperation, and good best practices for doing so.

The 2017 BPF explored how cybersecurity influences the ability of ICTs and Internet technologies to support the achievement of the SDGs. Among other things, it

- examined the roles and responsibilities of the different stakeholder groups; and

- aimed to identify options for policy mitigations that could help ensure that the next billion(s) users can be connected in a safe and reliable manner and fully benefit from existing and future technologies.


About the 2018 Cybersecurity BPF

For 2018, a number of directions were considered for further examination. Two main themes found broad support: the digital divide which develops when some Internet users can afford security, and others cannot; and culture, norms and values of cybersecurity, and how they are important. While it was found that the two themes are interconnected, the proposal for 2018 is to focus on culture, norms and values in cybersecurity.

● Norms have become a very important mechanism for states and non-state actors to agree on responsible behaviour in cyberspace. There are numerous initiatives under way in this regard, but with limited exceptions, such as the Global Conference on Cyberspace (GCCS) and the Global Commission on the Stability of Cyberspace (GCSC), most of these norms discussions happen in inter-state forums, and they do not always provide an open and inclusive mechanism for non-state actors to participate and to contribute. In this way, a continuing BPF on Cybersecurity would build on the specificity of the IGF and add value in providing a complementary forum for multistakeholder feedback on this topic.

● The BPF could start the process by building on its previous work on the roles and responsibilities of the IGF stakeholder groups in cyberspace and explore what norms have developed that apply to each of these groups. Some of the questions to be looked into relate to the behaviour of each stakeholder group, such as “state behaviour” or “industry behaviour”. The discussion of civil society’s role in norms development would include social norms of safe and secure online behaviour by individual users.

● Further work will identify norms established by various forums, documenting and comparing them. Of particular value would be the IGF’s network of National and Regional IGF initiatives (NRIs). Through this network, the BPF can bring in a developing country perspective and connect the NRIs with the norms development communities, to promote a culture of cybersecurity. Part of this process would be to make sure that their norms are well known and understood, and to provide a space for discussion.

● This process will result in the development of a document, while the norms development bodies can participate in the BPF for more real-time feedback.

● The BPF can also leverage the work from last year to identify if any of the policy recommendations may see widespread acceptance, and may have developed into a recognized “best practice”. This could then lead to other norms development bodies considering them as new norms - consistent with one of the IGF’s purposes to bring emerging issues to the attention of the relevant bodies.

● Focusing on culture, norms and values will lead us down the path of understanding the impact of a “digital security divide” as well. When or where there’s no real universal implementation of a norm, it may result in a group of “haves” and “have nots” in terms of the protection the norms offer. Security controls will be sufficient ormeaningful in some parts of the world, and not in others. This will be an interesting area for investigation into the reasons for non-adherence or potential barriers preventing the implementation.


Multistakeholder Engagement and Horizontal Areas of Focus for 2018

The BPF intends to reach out to all stakeholders and make full use of its existing network of contacts and the mailing list. In addition, this year the BPF plans extra effort to:

● Work proactively to get more governments involved, by collecting best practices which everyone should apply, but which may not be universally known.

● Further engage with the NRIs and get them proactively involved. Perhaps try to find a volunteer in each region to present at their regional events on the topic of norms in cybersecurity, and drive conversation.


Mailing List Sign-up

The BPF Cybersecurity mailing list is open to all stakeholders interested in or with expertise on related issues.

Sign-up at



Proposal to MAG for 2018 Work

Background paper: Cybersecurity Culture, Norms and Values

Meeting Summaries


Virtual Meeting I - 5 June 2018

Virtual Meeting II - 5 July 2018

Meeting between the NRIs and the BPF Cybersecurity - 17 July 2018



Informal Virtual Meeting I - 17 January 2017

Informal Virtual Meeting II - 24 March 2017

Virtual Meeting I - 20 May 2017

Virtual Meeting II - 21 June 2017

Virtual Meeting III - 7 August 2017

Virtual Meeting IV - 18 September 2017

Virtual Meeting V - 11 October 2017


Contact Information

United Nations
Secretariat of the Internet Governance Forum (IGF)

Villa Le Bocage
Palais des Nations,
CH-1211 Geneva 10

igf [at] un [dot] org
+41 (0) 229 173 678