
Sascha Fahl: The impact of code sources on cyber security

RISCS would like to congratulate friend and fellow researcher Sascha Fahl. Every year the US National Security Agency runs a competition for the best scientific cyber security paper. This year, 2017, the winning paper is You Get Where You’re Looking for: The Impact of Information Sources on Code Security; Fahl, along with Yasemin Acar, Michael Backes, Doowon Kim, Michelle L. Mazurek, and Christian Stransky, is one of the authors.

The paper traces one of the problems facing software developers trying to write secure programs by examining the information sources developers use. In a study involving 54 developers, they found, as Fahl explained in a talk he gave at a RISCS workshop last year on secure development, that given their choice developers tend to prefer to consult websites such as Stack Overflow, where the information provided is highly accessible but often leads to insecurity. Official documentation leads to correct security, but is hard to use, and although books are both accurate and functional, few developers choose to use them.

We gratefully acknowledge Sascha Fahl’s contribution to the workshop, which led to the formulation of the research call for projects on secure software development. The result has been to open up a new area of research for RISCS, with new projects intended to identify the problems developers have in trying to write secure code, to motivate them to do better, and to identify helpful interventions.

Ciaran Martin: Putting people first

In a wide-ranging speech for the Confederation of British Industry last week, National Cyber Security Centre chief executive Ciaran Martin credited work done by RISCS for several significant aspects of the NCSC’s current thinking.

First and foremost among these is the importance of human factors in designing security policies and controls: “Every solution must survive contact with the user,” Martin said. Users need to be able to do their work effectively while understanding how to do it safely; and leaders at all levels should check that they themselves could follow the security policies their staff are required to follow. Martin called the idea that human beings are the weakest link in cyber security “nonsense”, and said, “It’s a bit like saying the weakest link in a sports team is all the players”.

Among the research Martin cites is From Weakest Link to Security Hero: Transforming Staff Security Behavior (PDF), by Shari Lawrence Pfleeger, Angela Sasse, and Adrian Furnham, which suggests how to transfer findings from social psychology about moral values and habit formation for use in transforming staff security behaviour. Crucial to this effort, Martin noted, is fitting the task to the people required to accomplish it.

He also cites work done at Royal Holloway such as the Cyberspace Cartographies project, which was led by RISCS deputy director Lizzie Coles-Kemp.

As a result of RISCS work, NCSC changed its password guidance; more recently, recognising the error of its 2003 standard, the US National Institute for Standards and Technology has followed suit.

All of this is now part of the NCSC’s People: the Strongest Link campaign.

The hardest of targets

In his opening speech at the official opening of the National Cyber Security Centre on February 14, director Ciaran Martin expressed his hope that prospective attackers would come to think of the UK as the “hardest of targets”. The comment reflects the government’s strategy, which has broadened from national security to supporting a resilient digital society.


At the European Information Security Summit, RISCS director and UCL professor Angela Sasse welcomed the opening, saying that “There should be a single authoritative source for advice.” The deputy director, Royal Holloway professor Lizzie Coles-Kemp, spoke about the importance of finding a common language among disparate disciplines to create awareness across an organisation.

A crucial point, said Sasse, is to “stop asking people to do impossible things”. Instead of continuing to blame users, security needs to emulate other areas of technology in supporting business processes, and to recognise that good design and appropriate tools are essential to helping people do the right thing. Sasse’s interest in usability and security goes back to 1999, when she and Anne Adams wrote the paper Users Are Not the Enemy. In 2006, Sasse, with Mike Wonham and Adam Beautement, followed up with the concept of the compliance budget, which framed user time and cognitive capacity as a finite organisational resource like any other.

NCSC’s recent revised password guidance is an example of both the kind of collaboration Martin talked about in his speech and Sasse’s approach. Much of the advice derives from work done at RISCS to incorporate usability principles into actionable guidance based on scientific evidence. In an August 2014 paper (PDF), Cormac Herley, Dinei Florencio (Microsoft Research), and Paul C. van Oorschot (Carleton University) studied the impact on users of standard requirements to use a unique random string for every password. In their mathematical analysis, attempting to follow this advice does not scale to the numbers of passwords many people have to cope with today. Managing 100 such passwords is equivalent to memorising 1,361 places of pi or the ordering of 17 packs of cards – a cognitive impossibility for all but a very rare few.

Along with EPSRC, NCSC is a founding funder of this second phase of RISCS. In the first phase, RISCS was created to begin to build an evidence base for the science of cyber security. In its second phase, RISCS is different in two ways: first, it is broadening past its original purely organisational perspective to include consumers, citizens, SMEs, charities, and communities; second, it is pursuing active collaboration outside academia via a practitioners panel led by Royal Holloway senior lecturer Geraint Price.

Over the coming years, this blog will publish news and commentary about both our own research and that of others with the goal of providing the community with the best up-to-date advice we can. We look forward to collaborating with the NCSC, with practitioners, and with the community at large.

Developer-Centred Security Call

Following the Developer-Centred Security Workshop in November, The National Cyber Security Centre (NCSC) is inviting proposals from academic researchers for research into the topic of Developer-Centred Security. Further information can be found here.

RISCS Sponsors the 2016 International Symposium on Engineering Secure Software and Systems, ESSoS16

The Research Institute in Science of Cyber Security (RISCS) is pleased to announce that it will be sponsoring the 2016 International Symposium on Engineering Secure Software and Systems, ESSoS16.

The goal of this symposium, which will be the eighth in the series, is to bring together researchers and practitioners to advance the states of the art and practice in secure software engineering. Being one of the few conference-level events dedicated to this topic, it explicitly aims to bridge the software engineering and security engineering communities, and promote cross-fertilization. The symposium will feature two days of technical program. In addition to academic papers, the symposium encourages submission of high-quality, informative industrial experience papers about successes and failures in security software engineering and the lessons learned. Furthermore, the symposium also accepts short idea papers that crisply describe a promising direction, approach, or insight.

Further details are available at https://distrinet.cs.kuleuven.be/events/essos/2016/ .

White Paper Published Jointly by RISCS, Hewlett Packard Enterprise and CESG


The business white paper “Awareness is only the first step: A framework for progressive engagement of staff in cyber security” is the product of collaboration between RISCS researchers and security awareness experts at Hewlett Packard Enterprise (HPE), with oversight by the UK government’s National Technical Authority for Information Assurance (CESG).

Security communication, education, and training (CET) is meant to align employee behavior with the security goals of the organization, but it is not always designed in a way that can achieve this. The purpose of this paper is to set out a framework for security awareness that employees will actually engage with, and empower them to become the strongest link—rather than a vulnerability—in defending the organization.

A set of steps, required to deliver effective security CET as a natural part of an organization’s engagement with employees at all levels, is outlined. Depending on the organization’s needs, many vehicles are available, from security games, quizzes, and brainteasers—possibly with prizes—to encourage employees to test their knowledge and explore in a playful manner. The most important finding is that different approaches are needed for routine security tasks and for tasks that require the application of existing security skills to new situations. There are many creative ways to improve security behaviors and culture, but it is essential to engage people in the right way. Then they can convert learning into tangible action and new behavior. Security CET needs to be properly resourced and regularly reviewed and updated to achieve lasting behavior change.

The report can be downloaded here.

Inaugural Issue of the Journal of Cybersecurity Published

The inaugural issue of the Journal of Cybersecurity will be published online today, December 11th. The Journal was created by RISCS members, in collaboration with colleagues in the UK and abroad, as a high-quality venue for publishing research into the science of cyber security. The Journal welcomes submission of evidence-based research from all disciplinary backgrounds, and in particular multi-disciplinary research.