Dates: November 2012 – December 2016

Lead researchers: Professor Lizzie Coles-Kemp, Royal Holloway


Prior to this project, little research had been undertaken to understand how a security manager selects the appropriate control combination for cyber security in organisations. Risk management techniques do not include visualisation methods that can present a combined picture of organisational and technical asset compliance behaviours. This problem is exacerbated by the lack of systematic research into the cultural and organisational techniques used by organisations to protect their information.

This paucity of research results in limited practical guidance on cultural and organisational security management approaches.

The project goals were to:

  • Explore how a security manager develops, maintains and uses visibility of both organisational and asset compliance behaviours for the management of cyber security risks;
  • Better understand how organisational controls and technical controls are used in combination;
  • Evaluate the use of different visualisations in the risk management process as a means to extend a security manager’s ability to deploy combinations of organisational and technical controls in the cyber context.

The project involved the development of a storyboard approach called “Current Experience Comic Strip”, which has enabled security practitioners to document and reflect upon how organisational controls are selected and maintained. A narrative method for gathering people’s day-to-day experiences of using security technologies enabled participants to explore how security policies might be re‐designed and shortened to improve their effectiveness.

The visualisations also provide a means for auditors and assessors to compare the compliance behaviours of two organisations.

Policy implications: This work informed NCSC thinking on cybersecurity skills sets (see link below). The ‘Current Experience Comic Strip’ was used in three sites at a Central Government Department to identify security practices. It is now referenced as one of the engagement mechanisms in the National Cyber Security Centre’s engagement guidance.

Applying a human‐centred perspective and design elicitation techniques, the team worked with frontline staff and security experts in the Department of Work and Pensions to identify new forms of secure data sharing needed to support service delivery.

Methods: Social network analysis, applying and developing anomaly detection techniques at the technical asset cluster level and integrating interpretive cartography with informational cartography.

Funders: GCHQ, EPSRC
Find out more:


Posted on December 9, 2021