Leveraging the Multi-Stakeholder Nature of Cyber Security

Dates: April 2017 – September 2021
Lead researchers: Professor Christian Wagner, University of Nottingham


Cyber security is a challenging, distributed, multi-stakeholder problem. It is distributed in the sense that the expertise needed to comprehensively assess the level of security of a given IT system is usually spread across different locations. It is a multi-stakeholder problem because a number of human stakeholders, from IT designers to users with varying levels of expertise, need to communicate effectively and work together in order to deliver systems with an appropriate level of cyber security.

The project involved developing a framework with scientific underpinning to improve user access to tailored cyber security information. The tool, named ‘Online Cyber Security Decision Support System’ (OCYSS), is designed for small-to-large scale users in Government and industry sectors, to address the shortage of availability and access to highly qualified cyber security experts they might otherwise require.

The OCYSS tool is designed to efficiently deliver appropriate, user-tailored, balanced, informed and up-to-date threat analysis and decision support to users. It will do this by integrating inputs from experts and the user to efficiently capture, handle and integrate richer cyber security data (such as from vulnerability assessments).

The research also considered how to collect richer data that carries uncertainty (such as precisely how many tools are available to an expert to protect from attack) from people, using interval-valued rating scales. The research team has developed software, ‘DECSYS’, which stands for ‘Discrete and Ellipse-based response Capture System’, to permit electronic capture of such data. This has received funding from the NCSC and was made available in late 2019.

Policy implications

DECSYS aims to expand the capacity of senior practitioners and policymakers to make better decisions, such as cyber investment decisions. The tool could help decision makers discern whether to invest in specific vulnerability controls or to diversify financial resources into mitigating a range of vulnerabilities. The tool was trialled with DSTL in 2019. The research team are looking for further engagement with both Government and industry stakeholders in order to better understand how decision makers can best make use of the uncertainty responses gathered.

Find out more

Lab website with links to the software tools: https://www.lucidresearch.org/decsys.html


Empirical studies, including surveys, combined with re-analysis of existing datasets. Software development in parallel.

Funders: EPSRC and NCSC (supported the software development).
External collaborators: Carnegie Mellon University (US), NCSC (UK), JPMorgan and Chase.


Posted on December 9, 2021