The Home Office, in collaboration with
the Research Institute in Science of Cyber Security
is pleased to release
A call for short research projects on
Understanding, preventing and responding to cyber crime
Closing Date: 26th June 2018
An invitation to apply for grant funding, from OSCT Research and Analysis, Home Office
Summary of requirement
The Research Institute in Science of Cyber Security (RISCS) is expanding its interdisciplinary research community to develop further collaboration between the social sciences and cyber security professions. This is being complemented by development of a new cyber crime-focused research programme, commissioned by the Home Office, via funding from the National Cyber Security Programme. The research programme will comprise both longer term, multi-year research projects and also shorter-term research. This grant call is for short research projects commencing in 2018/19 financial year and completing by end September 2019 at the latest.
In order to inform the grant calls, consultation activities were held with policymakers, law enforcement, academics and other stakeholders to discuss evidence gaps in the cyber crime field. This identified a range of key areas that need to be addressed to inform policy and operational priorities. The Home Office is now inviting proposals for short projects addressing these evidence gaps for funding in 2018/19 FY and into the first half of 2019/20 FY only. These themes include, but are not limited to:
- Costs and consequences of cyber crime.
- Cyber “Protect” – improving cyber security behaviours amongst the public and businesses.
- Cyber “Prepare” – understanding more about victims of cyber crime; resilience; victim support and advice and how to improve reporting of cyber crimes.
- Cyber “Prevent” – understanding offenders, pathways and offender interventions.
- Cyber “Pursue” – disruption techniques and offender business models.
- Future technological developments and policing of cyber crime.
- International dimensions for cyber crime.
Projects may start as soon as possible in 2018/19 and can deliver anytime up to end September 2019 with a total budget of up to £400k available for multiple projects. This comprises up to £250k funding available during 2018/19 FY and up to £150k during 2019/20 FY. The number of projects funded depends upon the proposals received. We welcome proposals with collaborative, multi-disciplinary approaches, employing any appropriate and justified methodological techniques. Social sciences should form a major contribution to the project and the role it plays should be clear in the proposal.
Applicants are required to provide in their proposals:
- An outline of the proposed approach and scope of the project.
- The research outputs and how they will provide impact for policy-makers or operational stakeholders.
- CVs for individuals who will be involved in the project, including any relevant background knowledge and expertise regarding the proposed area of work.
Full details can be found at Short Research Projects grant call May 2018 (opens PDF)
At the RISCS community meeting in February, I announced that I needed to work part-time for medical reasons for a period of time, and thus would have to step down as Director temporarily. After consultation with the RISCS leadership team and the funders NCSC and EPSRC, we approached my UCL colleague Dr Madeline Carr (PI of the Evaluating Cyber Security Evidence for Policy Advice and Supporting the Board projects), and she kindly agreed to take over as Interim Director.
I recently decided to accept an offer of a chair at Ruhr-Uni Bochum, and move to Germany later this year. I will retain an appointment at UCL to work with Madeline on the Supporting the Board project, and continue to attend community meetings whenever possible – but I cannot continue as Director. The RISCS leadership team asked Madeline Carr to take on the role of Director permanently, after consultation with the funders, and we are happy to report that she has accepted.
Leading RISCS during Phase 1 and half-way through Phase 2 has been an enormous privilege – the community of academics and practitioners and the ongoing dialogue between research and practice that we have built is unique and beneficial. To see the difference that our ongoing collaboration with NCSC staff has made to national security policies has been extremely rewarding, as has been the acknowledgement of the value of multi-disciplinary security research by the NCSC Chief Executive Ciaran Martin and other Senior Staff. I know Madeline will build on these achievements, working closely with the RISCS Deputy Director Lizzie Coles-Kemp, the Chair of the Practitioner Panel Geraint Price, and David Wall, who chairs the recently constituted RISCS Scientific Advisory Board.
Professor Angela Sasse
The RISCS Annual Report 2017 was released at the UK Cyber Security Research Institutes Conference in October 2017, and is available to download here (opens PDF)
RISCS would like to congratulate friend and fellow researcher Sascha Fahl. Every year the US National Security Agency runs a competition for the best scientific cyber security paper. This year, 2017, the winning paper is You Get Where You’re Looking for: The Impact of Information Sources on Code Security; Fahl, along with Yasemin Acar, Michael Backes, Doowon Kim, Michelle L. Mazurek, and Christian Stransky, is one of the authors.
The paper traces one of the problems facing software developers trying to write secure programs by examining the information sources developers use. In a study involving 54 developers, they found, as Fahl explained in a talk he gave at a RISCS workshop last year on secure development, that given their choice developers tend to prefer to consult websites such as Stack Overflow, where the information provided is highly accessible but often leads to insecurity. Official documentation leads to correct security, but is hard to use, and although books are both accurate and functional, few developers choose to use them.
We gratefully acknowledge Sascha Fahl’s contribution to the workshop, which led to the formulation of the research call for projects on secure software development. The result has been to open up a new area of research for RISCS that includes new projects intended to identify the problems developers have in trying to write secure code; motivating them to do better; and identifying helpful interventions.
In a wide-ranging speech for the Confederation of British Industry last week, National Cyber Security Centre chief executive Ciaran Martin credited work done by RISCS for several significant aspects of the NCSC’s current thinking.
First and foremost among these is the importance of human factors in designing security policies and controls: “Every solution must survive contact with the user,” Martin said. Users need to be able to do their work effectively while understanding how to do it safely; and leaders at all levels should check that they themselves could follow the security policies their staff are required to follow. Martin called the idea that human beings are the weakest link in cyber security “nonsense”, and said, “It’s a bit like saying the weakest link in a sports team is all the players”.
Among the research Martin cites is From Weakest Link to Security Hero: Transforming Staff Security Behavior (PDF), by Shari Lawrence Pfleeger, Angela Sasse, and Adrian Furnham, which suggests how to transfer findings from social psychology about moral values and habit formation for use in transforming staff security behaviour. Crucial to this effort, Martin noted, is fitting the task to the people required to accomplish it.
He also cites work done at Royal Holloway such as the Cyberspace Cartographies project, which was led by RISCS deputy director Lizzie Coles-Kemp.
As a result of RISCS work, NCSC changed its password guidance; more recently, recognising the error of its 2003 standard, the US National Institute for Standards and Technology has followed suit.
All of this is now part of the NCSC’s People: the Strongest Link campaign.