Games and Abstraction

Dates: January 2013 – June 2016

Lead researchers: Professor Chris Hankin, Imperial College London; Professor Pasquale Malacaria, QMUL; and Professor Carlos Cid, Royal Holloway

Overview

This project aimed to develop new techniques to support human decision making and enable well-founded security design decisions to be made. In particular, it supported professionals and systems administrators who are designing secure systems to optimise the use of their limited resources in defending systems against commodity style attacks. The system is designed to assume no technical knowledge of cyber security on the part of the user, but rather asks them to supply information about their organisation and its requirements and preferences. It enabled a precise analysis to provide a more robust decision support tool than pre-existing work.

A prototype web tool that gives advice to users about the implementation of their cyber defences was developed during this project. The web tool is being developed further in a subsequent EPSRC-funded project (see below).

Policy implications

The research team have engaged with companies to explore possible commercialisation of the tools. The follow on project involves case studies of prototype tools initiated in this work, and this ongoing project is expected to produce a tool which could be commercialised. This may have relevance to NCSC programmes of work on supporting businesses to be secure.

Methods

Theoretical, interviews with local systems administrators. Funders: EPSRC and NCSC

External collaborators: CESG (now part of NCSC).

Follow on work: EPSRC funded project EP/R002983/1 titled: Customized and Adaptive approach for Optimal Cybersecurity Investment (until 2021). This research builds on the Games and Abstraction project to help organisations to make better cybersecurity investment decisions. For example, in a given organisation is it better to prioritise a policy of changing passwords over patching software regularly? And how frequently should passwords be changed? Should all employees scan for malware all USB sticks?

Skills

Posted on

December 9, 2021