Cyber Security Cartographies
GCHQ/EPSRC has funded a 3.5-year project titled Cyber Security Cartographies (CySeCa). The project team is located at RHUL and is led by Lizzie Coles-Kemp, supported by Lorenzo Cavallaro, Geraint Price, Allan Tomlinson, Makayla Lewis and Davide Papini.
The cyber context presents a fluid and complex environment. Security managers have to combine organisational, physical and technical controls if they are to provide robust information asset protection. Organisational controls include, for example, cultural techniques capable of influencing compliance and personnel management techniques. Physical and technical controls include, for example, technical authentication and access protocols and techniques. Control lists such as those found in the ISO 27000 standards series have long acknowledged the need for different types of controls, but no systematic combination methods are available. Security managers in the complex cyber environment are hampered by limited visibility of technical, physical and organisational controls and associated compliance behaviours, which makes it difficult to know when and how to select and combine controls. This problem is exacerbated by the lack of systematic research into the cultural and organisational techniques used by security managers; there is therefore limited guidance on cultural and organisational techniques, as well as limited guidance on effective approaches for combining different types of controls. In addition, risk management techniques often fail to include visualisation methods capable of presenting visual narratives that combine both the technical and organisational perspectives.
In exploring this practical security management problem, the research aims to develop a socio-technical research design in which organisational and computer and network security research techniques can interoperate. The interoperation primarily takes place through the use of visualisation techniques to systematically synthesise the outputs into a robust socio-technical response. This interoperation will lead to novel constructions of socio-technical research paradigms and the exploration of emergent ethical issues.
- Exploring how security managers develop, maintain and use visibility of both organisational and asset compliance behaviours in order to manage cyber security risks.
- Improving comprehension of the way organisational controls and technical controls are used in combination.
- Evaluating the use of different visualisations in the risk management process as a means to broaden the ability of security managers to deploy combinations of organisational and technical controls in the cyber context.
- Methods for combining and evaluating combinations of technical and organisational security controls.
- Methods and design principles for visualising and analysing combined organisational and technical compliance behaviours.
- Cases and case study reports for subsequent use