Cyber-Security across the Life Span (cSaLSA)

Lead Research Organisation: University of Portsmouth
Department Name: Sch of Computing

Abstract

Abstracts are not currently available in GtR for all funded research. This is normally because the abstract was not required at the time of proposal submission, but may be because it included sensitive information such as personal details.
 
Description We have completed a literature review of the physiological and environmental influences on risk decision making. Our analysis shows that the context in which risk decisions are made affects the decisions taken. We now want to apply this understanding to cyber security risk decision making in different contexts. The literature review is now being written up as a paper and we have designed an experiment to test what we have found in a cyber security context.

We have now conducted the experiment and early analysis shows the participants do make different risk decisions online under different stress conditions. We are currently analysing the physiological data we collected. Our hope is that by understanding these risk decisions and how they vary we can support end users to make better decisions about online security.

With a move to agile, continuous integration/continuous delivery, DevOps and DevSecOps, software development cycles are shorter and faster. Blending cyber security processes with those of software development is now more important than ever but is proving difficult to achieve. There is increased interest at the moment in how to ensure secure software development but initiatives tend to focus on tools, technology and processes without considering the social practice of software development or the relationship between cyber security professionals and software developers.

We have made a case for using Social Practice Theory (SPT) to understand the lifeworld of software developers in order to be able to better blend cyber security with software development. Our rationale for taking SPT as our approach stemmed from existing research which suggests that to change behaviour we need to understand why people do what they do from their own perspective - in this case the perspective of software developers. SPT also enabled us to build on the current turn towards examining practices in software development research. Using SPT we have shown that we have a way to consider the lifeworld of software developers and the impact this has on secure software development. Through the framework of materials, meanings and competences we have a way of helping cyber security practitioners to understand why software developers do what they do and a starting point for understanding how to co-create solutions. By moving the focus away from individual responsibility, we avoid a zero-sum game where all the potential blame lies with the software developer, and encourage a shared responsibility where both the software developer and the cyber security practitioner can win.

This is in no way a comprehensive study of the social practices of software developers as they relate to security; the next step is to carry out a much larger scale study. We believe though that we've provided a proof of concept that demonstrates the potential benefits of using SPT to develop practices that support secure software development effectively. Our next step will be to develop and trial a workshop that brings software developers and cyber security practitioners together to co-create solutions. This would build on other successful initiatives that take this approach. The aim is to facilitate generative dialogue between the two communities.

Future research will focus on studies that cross cyber security and software development communities. There is a need for ethnographic studies not just in software development but in DevSecOps teams specifically. Two topics that warrant more in-depth focus from cyber security researchers because of the impact that they could have on risk profiles are the code review process and the affiliation and identity of software developers.
Exploitation Route The early findings from the literature review demonstrate that risk assessment and risk mitigation strategies for cyber security need to take into account the context in which employees are making decisions, particularly in an increasingly mobile workplace where employees are accessing data from a range of devices and in a range of locations.

Our hope is that by understanding how individuals make risk decisions and how they vary we can support end users to make better decisions about online security especially in highly mobile environments where end users are accessing business information on the move.

By better understanding the social practice of software development in the context of initiatives such as agile development and DevOps/DevSecOps we believe we will be able to design behavioural interventions and guidance to encourage more secure software development.
Sectors Digital/Communication/Information Technologies (including Software), Government, Democracy and Justice, Security and Diplomacy

 
Description We contributed to discussions with NCSC about secure software development and briefed NCSC on our research in 2020. Since then the research has helped to inform the work of the Defence Science & Technology Group (DSTG) in Australia on DevOps and DevSecOps to improve secure software development for Australian Defence. We have extended the research to consider the impact of machine learning and have been able to secure a three-year funded project with the Australian Office of National Intelligence (ONI) that examines MLOps (the operationalisation of machine learning). We have also contributed to a Wilton Park workshop in the UK on Artificial Intelligence and Machine Learning (AI/ML) for the UK Government. This consisted of a talk on the topic outlining the research, followed by a question and answer discussion session to help them think about the organisational issues that they need to address to take advantage of AI/ML.
First Year Of Impact 2022
Sector Digital/Communication/Information Technologies (including Software), Government, Democracy and Justice, Security and Diplomacy
Impact Types Societal, Policy & public services

 
Description NISDRG
Amount $542,482 (AUD)
Funding ID NI210100139 
Organisation Office of National Intelligence 
Sector Public
Country Australia
Start 01/2022 
End 12/2025
 
Description PhishTray Experiment 
Organisation Cranfield University
Country United Kingdom 
Sector Academic/University 
PI Contribution Researchers at Cranfield University and the University of Bristol came together to develop an experiment using a software tool called PhishTray to test risk decision making under stress. The University of Portsmouth contributed the background knowledge, operationalising the experimental design and the research to develop the context for the experiment.
Collaborator Contribution Cranfield University contributed technical expertise in setting up the experiment and Bristol University contributed their understanding and previous use of PhishTray.
Impact Experimental results are still being analysed. The collaboration is multi-disciplinary bringing together software engineering and data science (Cranfield University), psychology (Bristol University) and psychology and cyber security (University of Portsmouth).
Start Year 2019
 
Description PhishTray Experiment 
Organisation University of Bristol
Country United Kingdom 
Sector Academic/University 
PI Contribution Researchers at Cranfield University and the University of Bristol came together to develop an experiment using a software tool called PhishTray to test risk decision making under stress. The University of Portsmouth contributed the background knowledge, operationalising the experimental design and the research to develop the context for the experiment.
Collaborator Contribution Cranfield University contributed technical expertise in setting up the experiment and Bristol University contributed their understanding and previous use of PhishTray.
Impact Experimental results are still being analysed. The collaboration is multi-disciplinary bringing together software engineering and data science (Cranfield University), psychology (Bristol University) and psychology and cyber security (University of Portsmouth).
Start Year 2019
 
Description Research collaboration with Defence Science & Technology Organisation (Australia) and the Office of National Intelligence (Australia) 
Organisation Australian Government
Department Defence Science and Technology Group
Country Australia 
Sector Public 
PI Contribution DSTG have consistently sought my advice about integrating security into their DevOps (software engineering) practice. This has led to a three-year research collaboration contract with them.
Collaborator Contribution DSTG give me a real-world setting to apply the outcomes from my research and also amplify the research across other Australian Government Departments.
Impact Outputs are internal to DSTG and not publicly available.
Start Year 2022
 
Description Invited Talk at DST, Adelaide 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Invited talk to approximately 40 defence researchers at the Defence Science and Technology Group in Adelaide, Australia. Talk sparked considerable interest in the research looking at software developers, risk and security.
Year(s) Of Engagement Activity 2019
 
Description Invited talk for DXC (UK) on DevSecOps 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact Invited talk on DevSecOps and our research to DXC employees followed by questions and discussions afterwards. Follow ups afterwards suggested that DXC got value from the engagement.
Year(s) Of Engagement Activity 2022
 
Description NCSC Policy and Guidance Development Workshop 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Professional Practitioners
Results and Impact Contribution in the form of a presentation and discussion to a working group on secure software development convened by the UK's National Cyber Security Centre.
Year(s) Of Engagement Activity 2020
 
Description SABSA World Congress 2019 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Invited keynote at the SABSA World Congress in Melbourne, 2019. The discussion after the talk focused on the importance of soft skills and understanding the social practice of software development to manage security risk.
Year(s) Of Engagement Activity 2019
 
Description UK Government Software Testing Conference 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Presentation of the research interviews to date to an audience of software testers. I was asked to speak at their conference and run a workshop because they believed that my research with software developers was applicable to them. I gave a presentation and ran a one hour workshop. I'm now in discussion to do further workshop sessions with them.
Year(s) Of Engagement Activity 2017
 
Description cSALSA public policy workshop 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Workshop to present and discuss cSALSA context-switching research with cyber security policy makers and practitioners.
Year(s) Of Engagement Activity 2019