Cyber Security Cartographies: CySeCa

Lead Research Organisation: Royal Holloway, University of London
Department Name: Information Security

Abstract

"The growth of the internet has been the biggest social and technological change of my lifetime [...] It will have a huge role to play in supporting sustainable development in poorer countries. At the same time our increasing dependence on cyber space has brought new risks, risks that key data and systems on which we now rely can be compromised or damaged, in ways that are hard to detect or defend against." Francis Maude - UK Cyber Security Strategy.

In the cyber environment the balance between benefit and harm so clearly articulated by Francis Maude can also be found at the organisational, as well as national and global, level. Cyber space enables many opportunities and provides an environment in which businesses can diversify and tailor their services. At the same time, this range of opportunities also creates critical vulnerabilities to attack or exploit. In order to protect their estate, security managers combine organisational, physical and technical controls to provide robust information asset protection. Control lists such as the one found in Annex A of ISO 27001 have long acknowledged the need for the three types of controls, but no security management methods are available to systematically combine them. In the complex cyber environment a security manager has limited visibility of technical, physical and organisational compliance behaviours and controls, and this makes it difficult to know when and how to select and combine controls. Research has, to date, not been undertaken to understand how a security manager selects the appropriate control combination. In addition, risk management techniques do not include visualisation methods that can present a combined picture of organisational and technical asset compliance behaviours. This problem is exacerbated by the lack of systematic research into the cultural and organisational techniques used by security managers, resulting in limited guidance on cultural and organisational security management approaches.

In order to respond to this problem, we plan to:
- Explore how a security manager develops, maintains and uses visibility of both organisational and asset compliance behaviours for the management of cyber security risks.
- Better understand how organisational controls and technical controls are used in combination.
- Evaluate the use of different visualisations in the risk management process as a means to extend a security manager's ability to deploy combinations of organisational and technical controls in the cyber context.

The research will combine a novel application of social network analysis, apply and develop anomaly detection techniques at the technical asset cluster level and integrate interpretive cartography with informational cartography.

In exploring this practical security management problem, we aim to develop a socio-technical research design in which organisational and network security research techniques can both be deployed in their own research paradigm and use visualisation techniques to systematically synthesise the outputs into a robust socio-technical response.

The planned outputs and deliverables from the CySeCa research are:
- Methods for combining and evaluating combinations of technical and organisational security controls
- Methods and design principles for visualising and analysing combined organisational and technical compliance behaviours
- Use cases and case study reports

Planned Impact

Practitioner/industrial impact:
The research outlined in this proposal is contributing to governance innovation. The cyber context requires that both new security technologies and innovative approaches to governance are developed in order to respond to the fast-developing and dynamic cyber threat landscape. At a general level the deliverables from this research stand to further increase industry's cyber defences by utilising a more robust security management approach better able to decrease cyber threat opportunities. Developing methods for identifying and visualising compliance controls and behaviours at both an organisational and technical asset level, and providing a methodology for systematically combining controls at both levels, helps a security manager to identify the nature of the weak link, the issues that need to be addressed and the steps necessary to resolve the issues.

CySeCa's research in organisational compliance practices augments the descriptions of human vulnerabilities and human threats in risk management guidance such as ISO 27005 by adding new classes of vulnerabilities which include patterns of practice, constraints on practice leading to vulnerabilities, vulnerabilities in social networks and patterns of influence within organisations, and the impact of organisational adversity (buy-out, merger etc.).

The CySeCa toolkit also provides a method through which service providers can assess the security management capabilities of their customers and supply chain using a more expressive asset register capable of showing compliance behaviours as well as policy settings and the relationship between the two. This is potentially extremely beneficial to public service providers including local government responsible for delivering personal budget programmes and on-line benefit transactions and central government delivering on-line tax services.

The CySeCa visualisations also provide a means for auditors and assessors to compare the compliance behaviours of two organisations.

Academic impact:
The research contributes to the state of the art in three distinct academic areas: security visualisations, anomaly detection approaches and organisational security management. The impact for security visualisations is that the CySeCa research potentially provides a bridge between socially-engaged visualisations found in humanities research communities and visualisations found in informatics and system design research communities. This bridge may offer routes to enrich both communities. The impact for anomaly detection approaches is that the CySeCa research potentially offers techniques at the asset cluster-level which could enable anomaly detection on a much larger scale. Cluster-level analysis could be used in areas other than security analysis, for example it could be used in quality of service analysis and in performance analysis. The impact for organisational security management is that the CySeCa research potentially offers new theories related to governance and compliance behaviours beyond the security domain.

There is further academic impact from this planned research in terms of its contribution to socio-technical studies. The implementation of the visualisation framework in this research approach will contribute a systematic approach to combining mathematical and organisational science outputs that can be used by socio-technical researchers in many interdisciplinary problem areas, not only cyber security.

Publications

- Burdon M (2016) The regulatory challenges of Australian information security practice. In: Computer Law & Security Review
- Lewis M (2014) A Tactile Visual Library To Support User Experience Storytelling. In: Proceedings of NordDesign 2014. Design Society, 2014

Description: We have developed a framework for identifying security controls at the social and data network layers. This enables a security practitioner to identify where there are security control gaps and where there are clusters of security controls.
Exploitation Route: Our findings might be taken forward into the next generation of security practitioner guidance provided by central government.
Sectors: Communities and Social Services/Policy; Digital/Communication/Information Technologies (including Software); Government, Democracy and Justice
URL: https://www.riscs.org.uk/projects/psp/

Description: Our tools have been used in a Central Government case study. The Current Experience Comic Strip (described in the 2014 publications for this project) was used in 3 sites at a Central Government Department to identify security practices. The department is now looking at how these techniques can be made a department-wide practice.
First Year Of Impact: 2015
Sector: Government, Democracy and Justice
Impact Types: Policy & public services