In 2019, we introduced four research ‘themes’ into RISCS. These provide structure and strategy to our work and have been drawn from those issues that we feel are most relevant to supporting the UK’s efforts in improving sociotechnical cyber security. The research themes allow us to build sub-teams of interested academics, policy makers, industrial partners and NCSC leads. They also create areas of critical mass and focus that are large enough to attract funding from other sources to facilitate real change. These themes and the structural diagram below are the framework for how RISCS will complete Phase Two and move into Phase Three.
Leadership and Culture
Cyber security is central to the health and resilience of any organisation and this places it firmly within the responsibility of the Board. But it also means that enabling and facilitating good cyber security practices spans the whole of an organisation and is not simply the remit of the IT or technical teams.
Supporting those people in leadership positions of an organisation to make the best possible decisions about cyber security practices is desperately needed. This includes:
- Support to navigate cyber risk management,
- Providing accurate and relevant data/information presented in the most effective way,
- Understanding the economics and incentives of cyber markets,
- Facilitating a shared narrative and language between leaders, staff and cyber security experts
This theme will draw through the research from Phase One as well as the Cyber Readiness for Boards research project currently in progress. It will harvest the outputs of the recent work into economics, regulation and incentives by RISCS, NCSC and DCMS to provide input into future cyber security policy and legislation.
Understanding how people behave, both individually and in groups, is a central research theme for the Socio-Technical Research Group, RISCS’ partner in the NCSC. But this is mostly focused on those people whose intentions are non-malicious and who simply want to do a good job. To understand the full spectrum of people in cyber security, we need to understand the intentions, drivers and behaviours of those who have more malicious aspirations as well as those who inadvertently find themselves as “accidental insiders”.
This research theme pulls together the cybercrime research projects funded by Home Office and will further expand to include work that can provide insights into topics such as insider threat, online harms and supporting victims of cybercrime.
Secure Development Practices
Secure by Design is extremely high on HMG’s list of priorities, whether that is to facilitate secure by default IoT commodity products for the consumer or reducing online harm by ensuring that companies have the right processes and systems in place to fulfil their obligations. Secure by Design is the first cousin of Safety by Design and Privacy by Design, and the three need to work in harmony (via both a cross-government and global collaborative effort) to ensure clarity for manufacturers, developers and engineers.
There is a plethora of advice and guidance, standards and frameworks that has existed for a number of years for secure software development. However, real-world evidence and our own RISCS portfolio of Developer Centred Security has demonstrated that these resources have struggled to engage and be relevant to software developers. Existing resources also contain little on usability and resilience.
This theme will continue this work and expand the remit to reach across a number of engineering and manufacturing disciplines and sectors to address this issue and support businesses to embed security during the development or update of their products and services.
As we digitise and connect more and more of our products and services, we need to ensure that cyber security remains inclusive and that everyone is more secure. This theme will work across different existing research areas such as digital inclusion, digital disadvantage / poverty, digital accessibility, and trust, but through a cyber security lens. It will expand as required to deliver actionable advice into the various cyber security initiatives that HMG delivers, as well as important insights into UKRI led programmes such as Online Harms.