At the annual showcase for the four cyber security Research Institutes (RISCS, RIAPAV, RITICS, and RISE), director Angela Sasse outlined the progress RISCS has made in its first full year of phase two.
After a brief overview of RISCS phase one, Sasse noted that the work done by the four first-phase RISCS projects continues to have increasing impact. Most notably, RISCS research lay behind NCSC’s 2015 password guidance. That research has also fed into the new advice the US National Institute for Standards and Technologies issued in 2017. Soon after NIST’s announcement, the author of the previous advice admitted he was wrong.
Also based on RISCS research is NCSC’s People are the strongest link campaign, launched by Emma W at Cyber UK in February 2017. In a speech explaining the campaign to the Confederation of British Industry, NCSC head Ciaran Martin said, “Let’s stop talking nonsense about humans being the weakest link in cyber security: it’s a bit like saying the weakest link in a sports team is all the players.” Finally, in the US the National Academies of Sciences cited RISCS as an example of how research can change practice in its 2017 report Foundational Cybersecurity Research: Improving Science, Engineering, and Institutions.
Sasse also gave credit to the RISCS advisory board for steering our research and engagement with practitioners: Martin Sadler, chair (former director of HP labs); Peter Davies (eThales); Larry Hirst (formerly IBM); Shari Lawrence-Pfleeger (former research director for I3P); Alex Ashby (Control-ESC); Adam Shostack (Shostack Associates); and a DSTL liaison.
For the upcoming few years, Sasse said, “What we are working on broadly is to help practitioners from government and industry to translate this new policy into workable and effective security policies and practices.” Achieving this will require understanding how to enable people to understand cyber security risks, acquire the right skills, learn how to react for themselves, and in general, “together with other stakeholders learn to be good citizens of the new digital society that we’re all participating in.”
Phase 2 began with funding of £670,000 from EPSRC and £2.5 million from NCSC over five years. The extended brief is to identify and develop effective security interventions for individuals and society at large as well as organisations, which were the primary focus of phase 1. The funding conditions required RISCS to raise a total of £5 million. A year on, now halfway through its second year, RISCS is nearing a total of £10 million including its own project, 11 small grants, six other funded projects that have joined RISCS, and two fellowships (Lizzie Coles-Kemp and Thomas Gross).
RISCS’ major projects are:
- Motivating Jenny to Write Secure Software – Helen Sharp, Open University
- Detecting and Preventing Mass Market Fraud – Monica Whitty (Warwick), funded by EPSRC TIPS. This project has already produced some good papers analysing who becomes a victim. Victims are often wrongly stereotyped as being older people. However, at an industry engagement with Gumtree, nearly 100 people from law enforcement and other organisations such as Innovate UK were asked who among them were victims or near-victims, and everyone raised their hands; this is a growing and widespread problem. This project is also working on scam-baiting techniques to identify fraudsters. Gumtree and other service providers are setting themselves targets for spotting types of fraud and perpetrators with a view to removing them; they are also becoming proactive by placing ads that, when clicked on, teach people that this is what fraud looks like.
- Everyday Safety-Security for Everyday Services – Lizzie Coles-Kemp, Royal Holloway, funded by EPSRC TIPS. This project builds on the work done by Coles-Kemp’s RISCS phase one project, Cyber Security Cartographies. This project studies how security is constructed by individuals and groups in interactions with larger organisations such as service providers and governments; it is working on involving all stakeholders and understanding what their life goals are and how they fit in.
- Confidentiality-Preserving Security Assurance (CASCAde) – Thomas Gross (Newcastle), funded by an ERC Starting Grant fellowship.
EPSRC Human Dimensions of Security projects:
- EconoMical, PsycHologicAl and Societal Impact of RanSomware (EMPHASIS) – Eerke Boiten (De Montfort). This project has brought a new set of research skills into RISCS as part of its remit to build a broader community.
- Addressing Cybersecurity and Cybercrime via a co-Evolutionary aPproach to reducing human-relaTed risks (ACCEPT) – Shujun Li (Surrey and Kent).
- Cyber-Security across the Life Span (cSALSA) – Adam Joinson (Bath), Debi Ashenden (Portsmouth), Pam Briggs (Northumbria).
- Leveraging the Multi-Stakeholder Nature of Cyber Security – Christian Wagner (Nottingham).
- Evaluating Cyber Security Evidence for Policy Advice: The Other Human Dimension (ECSEPA) – Madeline Carr (Cardiff) and Siraj Shaikh (Coventry).
- Why Johnny Doesn’t Write Secure Software: Secure Software Development by the Masses – Awais Rashid, Lancaster.
The small grants are as follows:
- Password policy change impact analysis – Angela Sasse, UCL.
- Improving secure software – Charles Weir, Lancaster.
- Eye tracking devices – Shujun Li, Surrey.
- Smart Buildings – Jose Such, King’s College London.
- Home data security – Ivan Flechais, Oxford.
- Beyond Dissemination – Rikke Jensen and David Denney, Royal Holloway.
- Visualisation in security – Charles Morisset, Newcastle.
- UNDERWARE – Monica Whitty, Warwick.
- Effective cyber security advice in the sales context – Angela Sasse, UCL.
- Evaluation and metrics for security awareness of a UK high street bank – Angela Sasse, UCL.
Helen L (NCSC) runs the research team on engineering processes as well as developer-centred security. A workshop RISCS held last year on how to help developers write secure software has led to the creation of an entirely new sub-community on developer-centred security, which includes the two new Johnny and Jenny projects listed above. At a recent meeting on digital transformation, Helen was struck by the number of subjects important to the assembled group that never come up in discussing cyber security: creativity, innovation, inventiveness, and the ability to fail and make mistakes and try again. Engineers who build significant parts of our physical infrastructure – Helen’s example was the shielding inside the Thames tunnel, which Brunel invented and built in 1843 and is still used today as part of the Underground – need software to enable new techniques like augmented reality, which will let dispersed teams be inventive and collaborative.
All that is happening against a background of vastly increased speeds. Google commits 45,000 lines of code every day; doing that requires a culture that allows developers to fail fast and try again. Security, however, gets in the way of these primary drivers. Learning how to write correct secure software requires reading books and lengthy documentation or navigating around crypto APIs that expect developers to know how to implement them correctly. Along the lines of Emma W’s comment at Cyber UK that “Security that doesn’t work for people doesn’t work”, Helen began asking what we can do to help developers. Seeing security from their perspective is the first step.
The RISCS workshop on the subject led to a research call sponsored by NCSC; the Johnny and Jenny projects were the results, as well as the slightly tangential cSALSA. Sascha Fahl, who spoke at that workshop, recently won the NSA best paper award for the work he described.
Another unique aspect of RISCS is the practitioner panel, which aims to allow practitioners to share their experiences and shape the problems RISCS researchers study.
Geraint Price, the leader of the practitioner panel, noted that many of the above RISCS projects have industrial partners. The panel is intended to bring several benefits. First, it should broaden that practice and help develop new ways of looking at the world as well as bring in different disciplines. Second, as researchers solve some of the problems, the solutions can be showcased and studied in real-world situations, resulting in solid evidence. Practitioners should benefit from their involvement by helping shape the country’s research agenda; helping with testing and validating that research within their own organisations and seeing the benefits first-hand; and learning new methods for developing interventions.
The first practitioner panel meeting was held in January, and involved a several-stage process using the Well-Sorted tool to elicit and cluster themes. At the end of the day, four key themes had emerged from the practitioners’ input:
- Organisational structures are creating barriers;
- Boards struggle to understand and benchmark liability and risk;
- Different environments have different barriers;
- The need for metrics.
These led to a second workshop in June to consider how best to support boards in making decisions. As Price noted, this is close to the question RISCS began with in 2012, which was how to improve decision-making within organisations. This is the basis of NCSC’s latest call for research proposals.
Other ideas for the future include creating a living document from the original Well-Sorted exercise; helping RISCS shape the rules of engagement for researchers new to the field; contributing to the RISCS advisory board; and forming communities of practice around the outputs of specific research projects.
NCSC technical director Susan A, who has overseen RISCS from its beginning in 2012, noted that this year NCSC has become a minority funder of RISCS. She hopes that RISCS will become a nationwide hub for people interested in this whole system of security work in which research is carried out in order to create a paradigm shift that moves the profession from one of art to one that is evidence-based.
Sasse concluded by outlining next steps. The phase one project Games & Abstraction has won new funding for follow-up work on modelling with real data. In 2018 as part of getting serious about evidence-based security, RISCS intends to focus on framing the right questions and challenges. She believes there may be a new subcommunity in working to provide methodological rigour, ensuring that the right surveys and questionnaires are being used and examining the fundamental question of how to do high-quality research. RISCS researchers will also appear on the agenda of the upcoming SANS summit, hoping to work with this very practice-based community.
The whole practice of cyber security awareness training needs reform. Sasse said, “We can really do so much better. Who thinks that just repeating policies at people and making them work through web pages is going to change anything about their behaviour?”
Finally, she said, following on from the Royal Society report on cyber security, the field needs to move to thinking about resilience as well as security. If we want a resilient digital society, which stakeholders need to learn and what attitudes have to change? And how do we move in that direction while maintaining productivity?
In response to questions, Sasse noted that RISCS intends to create an online repository where its work can be systematically stored and made accessible to practitioners. A commenter noted, with reference to Helen’s comment about the need to be able to fail and recover and try again, that younger generations appear to be much more frightened of failure and that it may be important to look at generational differences in the tolerance of risk and uncertainty that could affect them as users, developers, and regulators. These generational differences are being explored in the cSALSA project.