ICTworks

Surprise! Most cybersecurity guidance for rural communities in developing countries is actually harmful. Groundbreaking research from rural Ghana shows that well-intentioned security programs have made vulnerable populations even more vulnerable.

A new study from the Max Planck Institute in rural Ghana, reveals how communities adopt complex workarounds to access electricity and mobile networks, creating security vulnerabilities that traditional cybersecurity approaches completely fail to address.

As one research participant explained: “No, I can’t be a security personnel on your phone” when asked about protecting client devices. The findings should force every technology practitioner working in development to fundamentally rethink their security strategies.

Let’s be honest: telling someone to “use strong passwords” when they have to remove their screen lock entirely to let strangers charge their phone for three days is kinda insulting.

The infrastructure sharing reality

With over 2.6 billion people remaining offline globally and rural electricity access rates in countries like Ghana hovering around 77%, rural communities have developed sophisticated “human infrastructure” systems that our security models never anticipated.

In rural Ghana, residents routinely rely on intermediaries—family members, friends, neighbors, or motorcycle riders—to transport their devices to charging stations sometimes located 5 kilometers away, with transportation costs ranging from 10 to 30 Ghanaian cedis compared to charging fees of just 1-5 cedis.

Devices frequently remain at these charging locations for two to three days. As one participant explained: “My phone can be there for about four to six days… Sometimes the person who sent the phone there does not return to the town sooner until the day the person decides to go there again.”

During this time, multiple parties have access to the devices: charging shop operators, their relatives, other customers, and the intermediaries themselves.

The security implications are intense: unauthorized access to personal information, device theft and mix-ups, eavesdropping in shared “network zones,” and financial losses through unauthorized mobile money transfers. Yet these practices persist because they’re economically rational and culturally expected within communities that prioritize mutual support.

The truth is more complex than our individual-responsibility security frameworks can handle. Rural residents adopt protective measures like screen locks and removing SIM cards, but they’re forced to disable these protections to maintain access to essential services. The system is designed to fail them.

Why traditional cybersecurity approaches backfire

Research consistently shows that rural communities face heightened cybersecurity risks due to limited access to resources, technology infrastructure, and cybersecurity professionals, yet our response has been to double down on individual behavioral change.

We tell people to:

• Never share passwords (but they must to use intermediaries for digital services)
• Keep devices secure (but economic constraints force them to leave phones with strangers for days)
• Use strong authentication (but social pressures make it impossible to refuse device sharing requests)
• Report security incidents (but doing so risks destroying the human infrastructure they depend on for survival)

There is a fundamental mismatch between our security expectations and economic realities.

Four practical interventions that work

Based on evidence from Ghana and parallel research across developing countries, here are the interventions that technology practitioners should prioritize:

1. Design access controls for community-level sharing

Current access control mechanisms designed for domestic households fail completely in community-level resource sharing environments. Instead of fighting against communal device use, we need to design systems that accommodate it safely.

Actionable steps:

• Develop temporary access modes that automatically expire after set periods
• Create permission systems that allow limited functionality without full device access
• Design interfaces that clearly distinguish between personal and shared use modes
• Implement automatic data segregation for community-shared devices

2. Rethink device management at charging points

The current system of manually tagging mobile devices with sticky notes is inefficient, unreliable, and easily forged. Technology practitioners should work with local entrepreneurs to implement better identification systems.

Recommended approach:

• Deploy low-cost QR code systems pairing devices with plastic tokens
• Implement two-factor authentication requiring both physical tokens and agreed-upon PINs
• Provide simple inventory management tools for charging shop operators
• Design systems that work offline and require minimal technical literacy

3. Address shoulder surfing in shared network zones

Rural residents frequently share “network zones” where dozens of people gather to access mobile services, creating obvious opportunities for eavesdropping and shoulder surfing. But privacy screens and complex authentication aren’t realistic solutions.

Practical interventions:

• Develop simplified interfaces optimized for discreet use
• Create audio-based interaction modes for sensitive transactions
• Design systems that minimize screen time for critical operations
• Implement offline transaction capabilities to reduce exposure time

4. Go beyond education to address infrastructure gaps

The World Bank has supported 64 countries in building cyber resilience between 2014 and 2024, but most interventions focus on national-level capacity rather than community-level access. Real security improvements require infrastructure investments.

Priority areas:

• Advocate for distributed charging infrastructure to reduce device transportation needs
• Support community-owned network access points with built-in privacy protections
• Push for policy frameworks that recognize infrastructure sharing as a security issue
• Partner with local governments to integrate security considerations into rural electrification projects

Realities for cybersecurity in development

Current cybersecurity initiatives in developing countries primarily target urban populations and formal sector workers, while rural communities—who face the highest risks—receive minimal support. This is a systematic failure to understand how security works in resource-constrained environments.

As the Ghana research demonstrates, infrastructure failure subjects rural residents to threats beyond digital security, including amplified everyday insecurities affecting their broader well-being and survival. When people must choose between digital security and economic survival, survival wins every time.

We cannot continue to offer security advice that ignores these realities. The social norms that drive resource sharing in rural Ghana—and similar communities across the Global South—aren’t obstacles to overcome but foundations to build upon.

Infrastructure-first security thinking

Meaningful security improvements in rural communities require infrastructure investments, not behavior change campaigns. We need to advocate for infrastructure-first approaches to rural cybersecurity. This means:

• Pressuring funders to include security considerations in infrastructure projects
• Designing technologies that work with, not against, community sharing practices
• Advocating for policy frameworks that recognize community-level resource sharing
• Measuring security success by community resilience, not individual compliance

The Ghana research provides a roadmap, but implementation requires sustained commitment from the development community. We need to move beyond the comfortable fiction that rural cybersecurity is simply a matter of education and acknowledge the uncomfortable truth: our current approaches are making vulnerable communities more vulnerable.