Is it time cyber security drew from fields such as psychology and social science?
It seems every day that a new report is launched by an IT company promising new insights about the cyber security industry.
While some business-produced reports are authoritative and well-researched, others are simply commissioned to promote a new product and produce spurious conclusions.
Yet, where else can people turn to gain new insights about security? Academic institutions are conducting deep, focused research on cyber security, with the peer review system guaranteeing a certain standard of rigour, but their research can often lack practical applications.
Operating at the intersection of the business and academic research worlds, and aiming to combine the best aspects of both, is the Institute for Cyber Security Innovation at Royal Holloway, University of London.
Robert Carolina, Executive Director at the Institute, is not afraid to criticise what could be called B2B research.
“I think of the range of commercial organisations that produce a wide variety of research reports and white papers: there is a wide disparity of quality. There are some organisations that produce very good, thought-out and focused reports that are extremely helpful.”
On the other hand, he says that academic research is curiosity-led and may only have applications or commercial significance, for example, 20 years from now.
“The middle ground is this idea of looking at something needed in the here and now by industry or government and applying academic rigour to that question,” says Carolina.
Carolina’s role consists partly of part-time lecturing at Royal Holloway, where he teaches a module for a master’s degree on regulatory aspects of security and eCommerce.
However, with the Institute he spends his time engaging with industry and government to broaden cyber security engagement across different academic departments.
The Institute aims to research an identified need either now or in the near to mid-term future.
Exemplifying the approach at the Institute is a recent project with GSK which aimed to assess end-users’ understanding of risk.
The project started as a literature search, looking through work by the social psychology, sociology and organisational theory disciplines.
The academics produced a 70-page report on what they’d found from published peer-reviewed material. From that was produced a 15-page executive summary with 16 or 17 action points, made “as actionable as possible,” says Carolina.
On the basis of this, the Institute was commissioned to do the current research.
A research team was sent into GSK to talk to employees from its 140,000-strong workforce in Europe, Asia and North America.
The methodology was put together from people in different domains, blending social psychology and sociology.
“They took the more qualitative approach of sociology, such as very targeted focus groups with word parsing, controls as well as the more quantitative surveying approach of social psychology.”
The Institute produced results saying what they thought caused people to view something as risky or take bigger risks.
“GSK then launched a series of interventions amongst different parts of its population.”
The team has now gone back in to re-measure risk understanding.
As the above example shows, part of what academia can bring to the cyber security field is the accumulated common sense wisdom of the different disciplines.
“We recognise that these other academic disciplines are already contributing to cyber security. The challenge is that quite often the contributions are siloed.”
So how specifically have other disciplines helped?
“Imagine all the things you do as an employer to get your employees to act in a secure fashion,” says Carolina, invoking again the GSK example.
One of these is the “dreaded HR policy”, says Carolina, which means threatening a harsh punishment for non-compliance.
The initial literature search revealed, however, that the harsher the threatened punishment is in that situation, the less likely the company is to achieve compliance.
“When I say that to people trained in security, from IT or the police, they find it completely counterintuitive.
“Social psychologists just look blankly and say ‘yeah, well, obviously’,” says Carolina.
Other on-going projects include work with Huawei related to reconceptualising cryptographic endpoints on a network, with an impact expected in a three to eight-year timeframe. Another project is working with a client to assess its product line.
Carolina says that this type of research is “very difficult to get it right”. However, his belief is that this is what makes it valuable.
It is unlikely that B2B research can be universally raised to the quality of academic research. However, the business world could benefit from looking beyond cyber security and towards other disciplines to see what they might have to offer.