
Sascha Fahl: The impact of code sources on cyber security

RISCS would like to congratulate friend and fellow researcher Sascha Fahl. Every year the US National Security Agency runs a competition for the best scientific cyber security paper. This year, 2017, the winning paper is You Get Where You’re Looking for: The Impact of Information Sources on Code Security; Fahl, along with Yasemin Acar, Michael Backes, Doowon Kim, Michelle L. Mazurek, and Christian Stransky, is one of the authors.

The paper traces one of the problems facing software developers who are trying to write secure programs by examining the information sources developers use. In a study involving 54 developers, the authors found, as Fahl explained in a talk he gave at a RISCS workshop last year on secure development, that when given the choice developers prefer to consult websites such as Stack Overflow, where the information is highly accessible but often leads to insecure code. Official documentation leads to more secure code but is harder to use, and although books are both accurate and functional, few developers choose to use them.

We gratefully acknowledge Sascha Fahl's contribution to the workshop, which led to the formulation of the research call for projects on secure software development. The result has been to open up a new area of research for RISCS, including new projects intended to identify the problems developers have in trying to write secure code, to motivate them to do better, and to identify helpful interventions.

Ciaran Martin: Putting people first

In a wide-ranging speech to the Confederation of British Industry last week, National Cyber Security Centre chief executive Ciaran Martin credited research done by RISCS with shaping several significant aspects of the NCSC's current thinking.

First and foremost among these is the importance of human factors in designing security policies and controls: “Every solution must survive contact with the user,” Martin said. Users need to be able to do their work effectively while understanding how to do it safely; and leaders at all levels should check that they themselves could follow the security policies their staff are required to follow. Martin called the idea that human beings are the weakest link in cyber security “nonsense”, and said, “It’s a bit like saying the weakest link in a sports team is all the players”.

Among the research Martin cites is From Weakest Link to Security Hero: Transforming Staff Security Behavior (PDF), by Shari Lawrence Pfleeger, Angela Sasse, and Adrian Furnham, which suggests how findings from social psychology about moral values and habit formation can be applied to transforming staff security behaviour. Crucial to this effort, Martin noted, is fitting the task to the people required to accomplish it.

Lizzie Coles-Kemp

He also cites work done at Royal Holloway such as the Cyberspace Cartographies project, which was led by RISCS deputy director Lizzie Coles-Kemp.

As a result of RISCS work, NCSC changed its password guidance; more recently, recognising the error of its 2003 standard, the US National Institute of Standards and Technology has followed suit.

All of this is now part of the NCSC’s People: the Strongest Link campaign.

The hardest of targets

In his speech at the official opening of the National Cyber Security Centre on February 14, chief executive Ciaran Martin expressed his hope that prospective attackers would come to think of the UK as the "hardest of targets". The comment reflects the government's strategy, which has broadened from national security to supporting a resilient digital society.

Angela Sasse at CPDP2017

At the European Information Security Summit, RISCS director and UCL professor Angela Sasse welcomed the opening, saying that "There should be a single authoritative source for advice." The deputy director, Royal Holloway professor Lizzie Coles-Kemp, spoke about the importance of finding a common language among disparate disciplines in order to create awareness across an organisation.

A crucial point, said Sasse, is to "stop asking people to do impossible things". Instead of continuing to blame users, security needs to emulate other areas of technology in supporting business processes, and to recognise that good design and appropriate tools are essential to helping people do the right thing. Sasse's interest in usability and security goes back to 1999, when she and Anne Adams wrote the paper Users Are Not the Enemy. In 2008, Sasse, with Mike Wonham and Adam Beautement, followed up with the concept of the compliance budget, which framed user time and cognitive capacity as a finite organisational resource like any other.

NCSC's recently revised password guidance is an example of both the kind of collaboration Martin talked about in his speech and Sasse's approach. Much of the advice derives from work done at RISCS to turn usability principles into actionable guidance based on scientific evidence. In an August 2014 paper (PDF), Cormac Herley, Dinei Florencio (Microsoft Research), and Paul C. van Oorschot (Carleton University) studied the impact on users of the standard requirement to use a unique random string for every password. Their mathematical analysis shows that attempting to follow this advice does not scale to the number of passwords many people have to cope with today: managing 100 such passwords is equivalent to memorising 1,361 places of pi or the ordering of 17 packs of cards, a cognitive impossibility for all but a very rare few.

Along with EPSRC, NCSC is a founding funder of this second phase of RISCS. In the first phase, RISCS was created to begin building an evidence base for the science of cyber security. In its second phase, RISCS is different in two ways: first, it is broadening beyond its original purely organisational perspective to include consumers, citizens, SMEs, charities, and communities; second, it is pursuing active collaboration outside academia via a practitioners panel led by Royal Holloway senior lecturer Geraint Price.

Over the coming years, this blog will publish news and commentary about both our own research and that of others with the goal of providing the community with the best up-to-date advice we can. We look forward to collaborating with the NCSC, with practitioners, and with the community at large.

Developer-Centred Security Call

Following the Developer-Centred Security Workshop in November, the National Cyber Security Centre (NCSC) is inviting proposals from academic researchers for research into Developer-Centred Security. Further information can be found here.