How do businesses decide what security precautions they must take to protect their information?
According to Professor Angela Sasse, head of information security research at UCL’s Computer Science department, the most common approach is for businesses to adopt what they think is ‘best practice’.
"We talk about best practice, but really it is standard practice – they just look at what their competitors are doing," she explains. "The truth is, what we call ‘best practice’ hasn’t always been evaluated."
Furthermore, she adds, the main source of information about security threats has to date been the security technology industry.
"A lot of the practitioners’ decision making has been vendor-led," Sasse argues. "And, of course, vendors like to spread fear, uncertainty and doubt in order to create a motivation for purchasing their products."
In the past, this perpetuated a product-centric view of IT security. "Organisations didn’t really want to think too much about security – they just wanted to install something that would fix it."
What has been missing, Sasse says, is a scientific, evidence-based approach to security.
There have been scientists, including Sasse herself, who have looked at information security issues. Until recently, however, they were blighted by a reluctance among practitioners to reveal what is happening within their organisations.
"Practitioners tended to think that the less anybody knew about how they are doing security, the better," she says. "It was security by obscurity."
Meanwhile, she says, practitioners would criticise academia for failing to examine relevant issues. "There was a divide between academic research and practitioners, where the practitioners accused researchers of not really addressing the key problems and the scientists would say, you are not letting me have any of your data."
This situation has improved in the last three or four years, Sasse says, as economic circumstances have driven organisations to seek a more rational approach to security investments.
"There has been a shift towards discussing security in economic terms, looking at the actual costs and benefits of particular security measures," she explains. "This kind of thinking is only possible if you have hard evidence, and I’ve found that organisations are a lot more open to the idea of collaborating with researchers."
In September, a group of government departments led by intelligence agency GCHQ announced an initiative that they hope will foster a more evidence-based approach to information security.
The Research Institute in the Science of Cyber Security (RISCC) is a virtual institution, funded to the tune of £3.8 million for the next three and a half years.
It comprises four teams of researchers across seven universities: UCL, working with the University of Aberdeen; Imperial College, working with Queen Mary College; Newcastle University, working with Northumbria University; and Royal Holloway on its own.
Each of these teams will focus on a particular project, chosen for its salience to practitioners’ everyday concerns (see box).
Not only will the teams collaborate with one another, they will also encourage the involvement of end-user organisations, explains Sasse, who has been appointed lead of the institute.
"Part of our activity will be regular communication with practitioners, through regular events and newsletters," she says. "And if it’s possible with the resources that we have, we would like to work on some concrete case studies. There may be a lot of organisations that are interested in working with the researchers."
Sasse’s aim is twofold. Firstly, she hopes that RISCC can lay the foundations of a science of cyber security. "The analogy I use is evidence-based medicine. We’re trying to achieve a similar shift" towards an empirical approach to making security investment decisions.
The second is to develop a useful and accessible body of knowledge for security practitioners. "We’ll take the knowledge that we have and package it for practitioners in the form of advice, guidance and training modules for security professionals."
The government’s primary motivation, Sasse says, is "to boost UK industry overall by making the UK a secure place to do business".
Security in context: RISCC’s four research projects
Security game theory
Led by Professor Chris Hankin, director of Imperial College London’s Institute for Security Science and Technology, and including Queen Mary and Royal Holloway, this project aims to develop new approaches to decision-support – i.e. helping organisations and their employees decide which security measures to implement and how to handle data – by applying mathematical game theory.
Professor Aad van Moorsel, director of the Centre for Cybercrime and Computer Security at Newcastle University, leads this project, looking at how to encourage employees using their own devices in the workplace to treat information securely.
"We borrow and adapt well-known techniques from the business and management sciences to nudge people to make the best decisions for their company or organisation," says van Moorsel.
Royal Holloway University’s Dr Lizzie Coles-Kemp takes the lead of the project exploring how a security manager develops, maintains and uses visibility of security compliance. It aims to better understand how organisational controls and technical controls are used in combination, and to evaluate the use of different visualisations in the risk management process as a means to extend a security manager’s ability to deploy combinations of organisational and technical controls in the cyber context.
The project led by Professor Sasse, who specialises in the human factors of information security, will look at security precautions and employee behaviour. The aim is to assess the link between the intrusiveness of security measures into employees’ working lives, and the likelihood that they will behave in a risky way to avoid that intrusion.