A key goal of RISCS is to approach security from myriad angles. Among RISCS researchers are psychologists and human-computer interaction specialists, as well as representatives of more traditional disciplines such as mathematics and computer science. RISCS deputy director, Royal Holloway professor Lizzie Coles-Kemp, represents multiple disciplines all by herself.
This contention is easily borne out by just a small selection of Coles-Kemp’s work. For RISCS1, she led Cyber Security Cartographies (CySeCa), which compared social information sharing and network data traffic flows within an organisation to find gaps. She also led the visualisation work package in Technology-supported Risk Estimation by Predictive Assessment of Socio-technical Security (TREsPASS), which built an “attack navigator” to help organisations’ security practitioners determine which attack opportunities are possible, which attacks are the most urgent to understand, and which countermeasures are most effective. For TREsPASS, Coles-Kemp’s team included a design critic and academic, an interactive design team, an artist, and three mathematicians. Together, they developed visualisations that reflected the work produced by the mathematical modelling and risk algorithm teams.
Coles-Kemp’s publications are equally multi-disciplinary. Her 2013 paper Granddaughter beware! An intergenerational case study of managing trust issues in the use of Facebook is a sociological study of privacy discussions between pairs of grandmothers and granddaughters and reveals the roles families and tools play in determining trust practices. The 2014 paper Watching You Watching Me: The Art of Playing the Panopticon, written with Alf Zugenmaier and Makayla Lewis, studied the impact of the monitoring and surveillance functionality built into many public services intended to protect the vulnerable. The researchers found that prioritising securing and monitoring the system makes the services’ users feel more insecure, and hinders the delivery of digital services. They concluded by arguing that such services must be designed to support the social networks their users interact with.
In a 2016 article with fellow TREsPASS member René Rydhof Hansen, Everyday Security: A Manifesto for New Approaches to Security Modelling, Coles-Kemp argues that because people need both to produce and share information and to protect it in order to feel safe and secure, modelling everyday security is particularly complex. For this reason, a family of models is required to articulate people’s everyday security needs. Finally, in a paper written with Debi Ashenden, professor of cyber security at the University of Portsmouth and the lead for protective security and risk at the Centre for Research and Evidence on Security Threats (CREST), and presented at the 2017 Academic Archers conference, Coles-Kemp and Ashenden dispute the frequently made assertion that social media are absent from the fictional world of the BBC’s long-running radio soap opera, The Archers, and explore what the show’s characters and their world can tell us about what security means to people in their everyday lives.
The path that led to this unusual approach to security began with a humanities degree in Scandinavian studies and linguistics from the University of Hull. After working briefly in theatre administration, an office temp job led Coles-Kemp to Uniplex, a software company that made a Unix equivalent of Microsoft Office. When the Swedish military needed a secure version of the software, Coles-Kemp’s fluent Swedish meant she was drafted in from training to help with porting and translating it.
Getting it to work on a secure platform was a complex job that piqued Coles-Kemp’s interest: “I got heavily involved with understanding how the secure version of the operating system was designed.”
Coles-Kemp believes that the fact that she only spoke about security in Swedish for the first few years has influenced how she thinks about the subject to this day.
“Linguistically, it does frame how you understand the concepts, particularly structure. When you’re talking about access control in Swedish it’s a different logic than when you talk about it in Anglo-Saxon languages,” she says. Partly, this is because the same word, “säkerhet”, can apply to both safety and security. Plus, “In the Scandinavian view of the world there is often a much more socio-technical bent for thinking about security. It’s a tradition that goes back to the 1970s and the early Scandinavian thinking about software design and interaction.” She went on to work for Dynasoft, a Swedish software house producing Unix access control products, which by the mid-1990s meant smart cards and a forerunner of public key infrastructure. Coles-Kemp ran Dynasoft’s UK subsidiary, winning the 1997 Oxfordshire Business Woman of the Year award.
In 1997, after the company was sold to Security Dynamics (later RSA Security), she became the security manager for the British Council and began an MSc at Royal Holloway. The former showed her that no two risk assessments worked the same way. As a result, “I became very interested in how organisational security processes work, what makes a risk assessment or audit process effective, and what ‘effective’ is.” She focused on these issues for her PhD at King’s College London, still very much a practitioner when she finished it in 2008. Her contemporaneous work for Lloyd’s Register Quality Assurance (LRQA) focused on ISO 27001 security management assessment for a wide range of organisations, including one of the private hospital chains.
“Health care is fascinating because the need for clinical governance is completely enmeshed with security governance. You have to think about security from the perspective of the clinical, and information-sharing needs change as the patient’s condition changes.”
Her academic career began in 2005, when she started teaching undergraduates part-time at Royal Holloway; she moved to full-time in 2008. On arrival, she applied to participate in a “sandpit” run by the Engineering and Physical Sciences Research Council (EPSRC), the Economic and Social Research Council (ESRC), and the Technology Strategy Board. Coles-Kemp was part of a successful funding bid that emerged from this five-day immersive environment in which researchers collaborated on developing research questions, forming new teams, and preparing proposals. Led by Coles-Kemp, Visualisation and Other Methods of Expression (VOME) studied why people share what they do online and what they view as protection. Her remit: cover under-served communities. In partnership with Ashenden and Alison Adams, the Universities of Salford and Cranfield, the consultancy Consult Hyperion, and Sunderland City Council, Coles-Kemp worked directly with hard-to-reach communities such as the long-term unemployed in socio-economically deprived areas. In that environment, traditional research tools like focus groups and surveys were little help; new methods were needed.
“We weren’t understanding what was of interest to those communities about data sharing because we were making all sorts of assumptions about what was important to them, and we had to get that out of the way to really understand data sharing in this context.”
For example, in these communities, few imagined they had much realistic chance of employment – so the risk that what they posted online might damage those prospects was meaningless. Similarly, in families who have been physically close for generations it often made more sense, for both safety and security, to share passwords. Coles-Kemp often heard, “We share a lot of other stuff.” The result was, “We got close enough to the communities to understand that it’s not that clear-cut, and we have to think about the overall safety and security of the individual within the family unit.”
Their solution happened almost by accident. In VOME’s first year, ESRC offered a bursary to take part in a festival of social science. The VOME group partnered with the theatre company Bimbilibausa, led by clown Freya Stang, to present a short play about privacy choices in the workplace based on their research to date. The group took the play to Sunderland and invited the participants they had worked with to use the council’s voting paddles to select the story’s privacy outcome. Because whole families attended, the play led to intergenerational conversations about privacy and a meta-narrative that showed Coles-Kemp’s team the value of creative engagement techniques. The results encouraged Coles-Kemp to continue working with researchers and artists to develop a range of creative methods, including story sheets and Legos, to create three to four provocations or open questions that then let them drill down into individual issues. This work led to the grandmother-granddaughter paper, developed the understanding that led to the work for the panopticon paper, revealed the complexity of everyday security and therefore the need for a family of information security models, and highlighted the importance of community and family interactions, such as those that dominate narratives like those found in The Archers, when regulating the flow of information.
Creative engagement methods have both utility to the participant communities and methodological value. A further study, funded by the Arts and Humanities Research Council (AHRC), focused on families separated by prison sentences with the goal of understanding why they didn’t engage with the support services provided to them. In this case, the families proved to be more interested in talking about the journeys involved in prison visiting. “We went with that, figuring that if support services were important that would manifest itself,” Coles-Kemp says. The group worked with one of the Northeast England prisons to develop questions and create a large wall collage that is still in use as part of rehabilitation training when offenders are set to leave prison, as well as a series of story cubes, which form part of visitor induction to help families understand the kinds of issues that will confront them and introduce the support that’s available.
The creative engagement described here – story cubes, collages, drawings, Lego building – remains part of Coles-Kemp’s practice. CySeCa’s researchers, for example, included Makayla Lewis, who used her sketch noting and HCI and User Experience expertise to create cartoons based on interviews with security practitioners. These were then used to initiate discussions that exposed the information flows among people; the results were then compared to the results of network traffic analysis to find policy conflicts and gaps. In September 2016, Coles-Kemp started a five-year, EPSRC-funded fellowship programme to develop these techniques in conjunction with wider political and sociological theories of security in order to design and evaluate alternative approaches to securing digital services. Her work in this programme focuses on essential public services including welfare, health, housing, employment, education, and criminal justice. Coles-Kemp will continue to work with academic and practitioner communities in RISCS to both develop and disseminate these theoretical frameworks, practical techniques, and expertise.