Cyber Security Cartographies: CySeCa

Lead Research Organisation: Royal Holloway, University of London
Department Name: Information Security


"The growth of the internet has been the biggest social and technological change of my lifetime [...] It will have a huge role to play in supporting sustainable development in poorer countries. At the same time our increasing dependence on cyber space has brought new risks, risks that key data and systems on which we now rely can be compromised or damaged, in ways that are hard to detect or defend against." Francis Maude - UK Cyber Security Strategy.

In the cyber environment the balance between benefit and harm so clearly articulated by Francis Maude can also be found at the organisational, as well as national and global, level. Cyber space enables many opportunities and provides an environment in which businesses can diversify and tailor their services. At the same time, this range of opportunities also creates critical vulnerabilities to attack or exploit. In order to protect their estate security managers combine organisational , physical and technical controls to provide robust information asset protection. Control lists such as the one found in Annex A of ISO 27001 have long acknowledged the need for the three types of controls but no security management methods are available to systematically combine them. In the complex cyber environment a security manager has limited visibility of technical, physical and organisational compliance behaviours and controls and this makes it difficult to know when and how to select and combine controls. Research has, to date, not been undertaken to understand how a security manager selects the appropriate control combination. In addition, risk management techniques do not include visualisation methods that can present a combined picture of organisational and technical asset compliance behaviours. This problem is exacerbated by the lack of systematic research of the cultural and organisational techniques used by security managers resulting in limited guidance on cultural and organisational security management approaches.

In order to respond to this problem, we plan to:
- Explore how a security manager develops, maintains and uses visibility of both organisational and asset compliance behaviours for the management of cyber security risks.
- Better understand how organisational controls and technical controls are used in combination.
- Evaluate the use of different visualisations in the risk management process as a means to extend a security manager's ability to deploy combinations of organisational and technical controls in the cyber context.

The research will combine a novel application of social network analysis, apply and develop anomaly detection techniques at the technical asset cluster level and integrate interpretive cartography with informational cartography.

In exploring this practical security management problem, we aim to develop a socio-technical research design in which organisational and network security research techniques can both be deployed in their own research paradigm and use visualisation techniques to systematically synthesise the outputs into a robust socio-technical response.

The planned outputs and deliverables from the CySeCa research are:
- Methods for combining and evaluating combinations of technical and organisational security controls
- Methods and design principles for visualising and analysing combined organisational and technical compliance behaviours
- Use cases and case study reports

Planned Impact

Practitioner/industrial impact:
The research outlined in this proposal is contributing to governance innovation. The cyber context requires that both new security technologies and innovative approaches to governance are developed in order to respond to the fast developing and dynamic cyber threat landscape. At a general level the deliverables from this research stand to further increase industry's cyber defences by utilising a more robust security management approach better able to decrease cyber threat opportunities. Developing methods for identifying and visualising compliance controls and behaviours at both an organisational and technical asset level and providing a methodology for systematically combining controls at both levels, helps a security manager to identify the nature of the weak link, the issues that need to be addressed and the steps necessary to resolve the issues.

CySeCa's research in organisational compliance practices augments the descriptions of human vulnerabilities and human threats in risk management guidance such as ISO 27005 by adding new classes of vulnerabilities which include patterns of practice, constraints on practice leading to vulnerabilities, vulnerabilities in social networks and patterns of influence with in organisations, impact of organisational adversity (buy-out, merger etc.)

The CySeCa toolkit also provides a method through which service providers can assess the security management capabilities of their customers and supply chain using a more expressive asset register capable of showing compliance behaviours as well as policy settings and the relationship between the two. This is potentially extremely beneficial to public service providers including local government responsible for delivering personal budget programmes and on-line benefit transactions and central government delivering on-line tax services.

The CySeCa visualisations also provide a means for auditors and assessors to compare the compliance behaviours of two organisations.

Academic impact:
The research contributes to the state of the art in three distinct academic areas: security visualisations, anomaly detection approaches and organisational security management. The impact for security visualisations is that the CySeCa research potentially provides a bridge between socially-engaged visualisations found in humanities research communities and visualisations found in informatics and system design research communities. This bridge may offer routes to enrich both communities. The impact for anomaly detection approaches is that the CySeCa research potentially offers techniques at the asset cluster-level which could enable anomaly detection on a much larger scale. Cluster-level analysis could be used in areas other than security analysis, for example it could be used in quality of service analysis and in performance analysis. The impact for organisational security management is that the CySeCa research potentially offers new theories related to governance and compliance behaviours beyond the security domain.

There is further academic impact from this planned research in terms of its contribution to socio-technical studies. The implementation of the visualisation framework in this research approach will contribute a systematic approach to combining mathematical and organisational science outputs that can be used by socio-technical researchers in many interdisciplinary problem areas, not only cyber security.


10 25 50
Description We have developed a framework for identifying security controls at the social and data network layers. This enables a security practitioner to identify where there are security control gaps and where there are clusters of security controls.
Exploitation Route Our findings might be taken forward into the next generation of security practitioner guidance provided by central government.
Sectors Communities and Social Services/Policy,Digital/Communication/Information Technologies (including Software),Government, Democracy and Justice

Description CySeCa was part of the first cohort of projects funded by the Research Institute for Socio Technical Cyber Security (RISCS) and the creative engagement tools that were in part developed by the CySeCa project helped to make visible the wider social, political and economic values and issues that shape the effectiveness of technical security controls. This understanding of wider social backdrop informed the RISCS fellowship in Digital Responsibility: This RISCS fellowship has built on the foundations of the CySeCa work by creating and extending the academic community that examines these issues and by setting out a research agenda that focuses on this wider social backdrop. The work of CySeCa has also since been developed as part of the EPSRC funded fellowship: ESSfES: Everyday Safety-Security for Everyday Services (EP/N02561X/1). CySeCa's creative engagement tools have been used in a Central Government case study. The Current Experience Comic Strip (described in the 2014 publications for this project) were used in 3 sites at a Central Government Department to identify security practices. The Current Experience Comic Strip is now referenced as one of the engagement mechanisms in the National Cyber Security Centre's engagement guidance: CySeCa has been instrumental in building the case for using creative engagement tools in security analysis and the use of such approaches can now been seen quite widely in EPSRC's Digital Economy TIPS programme (Collard, H. and Briggs, J., 2020, September. Creative Toolkits for TIPS. In European Symposium on Research in Computer Security (pp. 39-55). Springer, Cham.).
First Year Of Impact 2016
Sector Government, Democracy and Justice
Impact Types Policy & public services

Description Creative engagemnt with security practitioners
Geographic Reach National 
Policy Influence Type Contribution to a national consultation/review
Impact CySeCa's Current Experience Comic Strip and Tactile Visual Library were used as the core to an engagement run by the National Cyber Security Centre to research the career pathways of cyber security practitioners. The aim of this engagement was to identify future skill sets for the security practice community.
Title Current Experience Comic Strip (CECS) 
Description A narrative method for gathering people's day to day experiences of using security technologies. 
Type Of Material Improvements to research infrastructure 
Year Produced 2014 
Provided To Others? Yes  
Impact The productions of CECS and the subsequent storysheets that were produced introduced a means for security practitioners to develop a better understanding of the barriers and challenges to using security technologies.