Productive Security - Improving security compliance and productivity through measurement

Lead Research Organisation: University College London
Department Name: Computer Science

Abstract

There has been a growing body of evidence that security policies and controls are not effective because employees either can't, or won't, comply. A key reason for non-compliance is the workload and complexity of security controls chosen - employees simply cannot cope with an ever-increasing number of ever-longer and more complex passwords. Yet most security-decision-makers do not factor the impact on employees, their tasks, and company's business processes, into their decision about which security controls to put in place. Current attempts to 'edcuate' employees about the need for security are largely ineffective because they simply push more information on people who are already overworked.
And even in organisations with a high security awareness, non-compliance can be observed because security policy cause excessive friction, or are not agile enough to meet the needs of the business.

There exists a strong requirement for a structured, scientifically-grounded decision-making framework into which existing data can be inserted, alongside the key 'missing link' measurements of employee's workload, risk perception, and resulting security behaviours. The project will work with at least two major companies to collect such data, and build a model of that allows security decision-makers to 'calculate' the impact of the security controls on employees and business processes, and balance them against the risk mitigation the security control achieves. A further innovative step in this proposal is that well-chosen security controls could make contributions to the business process beyond security, if the imformation they provide can be used to improve quality of products or services - hence the title of the project.

Planned Impact

The proposed project will have relatively immediate benefits for the security and productivity of the companies participating in the project: the PIs, RAs and 2 PhD students will work with them to analyse security compliance issues, and help them to build a set of measurements for making decisions on how to improve them. By the end of the project, the organisations will have 1) a database of their security mechanisms and the employee effort associated with them, 2) a survey tool and set of organization-specific scenarios for measuring their employees' security attitudes and likely behaviour.

Their examples - which we will disseminate through publications and conferences aimed at practitioners - should encourage a wide range of both private and public sector organisations to adopt the measurements and tools developed by the project to improve their security decision-making. Each adopting organisation will be able to strengthen its security by increasing employee compliance and selecting effective security controls, and also improve its competitive position because those security controls improve, rather than reduce, productivity. From a national perspective, wide adoption of the measurements and approach will contribute to the aims of strengthening the digital economy, and making the UK a secure place in which to do business.

The evidence-based approach developed by the project will also have significant impact on both academic and professional security training, moving information security management from a craft-based discipline to a science-based one. The results and framework generated by the project will be used as part of the development of ongoing research agendas in information security, physical security, human-computer interaction (HCI), and security economics. The project seeks to address the underlying human and technological science behind observed security outcomes (both positive and negative). The project explicitly integrates social and technological factors and these are critical for development of each of the individual disciplines, both jointly and in isolation. As such, it will be a focus of intellectual leadership in a challenging interdisciplinary area that is currently badly in need of the introduction of a rigorous and structured framework and methodology.
 
Description Our research has provided significant evidence that current approaches to security management result in sub-optimal security and productivity outcomes, because of most current security measures drain resources and interfere with productive processes. We have developed an evidence-based approach, empirically tracking and modelling the impact of security on an organisation, to identify and transform such security measures - and shown that in many cases it is not only possible to reduce the negative impact of security measures, but identify ones that contribute to productivity (e.g. by using data collected for security monitoring for quality control).
Exploitation Route All organisations who want to improve their information security can use this as a guideline to reviewing and improving their policies and mechanisms.

Providers of security awareness and training can apply the framwork to develop more advanced campaigns and materials that, if used as part of the frameworks, that actually affect behaviour change (and we have started a collaboration with one such company, Blue Goose).

Developers of security products can use our methods to identify and eliminate 'friction potential' of their products with business processes. The modelling work using techniques from Prod Sec has been applied outside security, in collaboration with Prof. Kevin Fong at UCLH to model pateint flows and resource allocation in major incident response and other hospital operations.
Sectors Digital/Communication/Information Technologies (including Software),Healthcare,Government, Democracy and Justice

URL https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/4http://www.riscs.org.uk/?page_id=15
 
Description Our research results and insights have been used by NCSC staff to promote the adoption of usable security policies and measures, and engaging staff in security. One key output is was the 2015 Password Guidance: Simplifying Your Approch https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach which guides system owners and service providers toward takng more responsibility for protecting accounts, rather than putting all workload on end- users: the new advice is: don't impose long passwords, complex rules or frequent changes on users. The Guidance Document is aimed at government departments, and many UK commercial organisations also adopt. The US National Institute of Standards and Technology (whose guidance is binding for suppliers to US Govt) since revised their guidelines largely following this new approach.The modelling work led by Prof. Pym, has been using techniques from Prod Sec in collaboration with Prof. Kevin Fongat UCLH to model pateint flows and resource allocation in major incident response and other hospital operations. Prof. Pym is currently working with UCLB on setting up a spin-out company. In 2018, the National Cyber Security Centre changed its Guidance on how to effectively combat phishing to include our results.
First Year Of Impact 2018
Sector Digital/Communication/Information Technologies (including Software),Healthcare,Government, Democracy and Justice,Security and Diplomacy
Impact Types Economic,Policy & public services

 
Description Password Guidance: Simplifying Your Approach
Geographic Reach National 
Policy Influence Type Participation in a advisory committee
URL https://cesgdigital.blog.gov.uk/2015/09/08/making-security-better-passwords/
 
Description Research results formed part advice for NCSC Guidance on Phishing
Geographic Reach National 
Policy Influence Type Influenced training of practitioners or researchers
Impact Anti-phishing training as currently practiced - phishing your own employees via email campaigns - wastes employees time, leads to legitimate emails not being dealt with, and destroys trust been employees and the organisation. Our results lead to national guidance on how to reduce phishing emails that reach employees, and place more emphasis on reporting.
URL https://www.ncsc.gov.uk/blog-post/announcing-ncscs-new-phishing-guidance
 
Description EPSRC Impact Acceleration Account (IAA)
Amount £5,812 (GBP)
Funding ID EPSRC Impact Acceleration Account (IAA), award nr. EP/K503745/1 
Organisation Engineering and Physical Sciences Research Council (EPSRC) 
Sector Academic/University
Country United Kingdom
Start 06/2015 
End 09/2015
 
Description EPSRC Impact Acceleration Account (IAA)
Amount £27,483 (GBP)
Funding ID EPSRC Impact Acceleration Account (IAA), award nr. EP/K503745/1 
Organisation Engineering and Physical Sciences Research Council (EPSRC) 
Sector Academic/University
Country United Kingdom
Start 07/2016 
End 12/2016
 
Description small grants scheme 2016-2017
Amount £119,149 (GBP)
Organisation Government Communications Headquarters (GCHQ) 
Sector Public
Country United Kingdom
Start 10/2016 
End 03/2017
 
Title julia systems modelling package 
Description Packages for the julia (www.julialang.org) modelling languages that capture our systems and security modelling approach. Presentation in progress. 
Type Of Material Improvements to research infrastructure 
Year Produced 2016 
Provided To Others? Yes  
Impact Presentations at the UK Research Institute in the Science of Cybersecurity (RISCS) first-phase final meeting. http://www.riscs.org.uk/?page_id=15 
URL https://github.com/tristanc/SysModels
 
Description Charity Commission 
Organisation Charity Commission for England and Wales
Country United Kingdom 
Sector Public 
PI Contribution Simon Parkin is an active member of the Charities Against Fraud (CAF) group, formerly the Charity Sector Counter Fraud Group (CSCFG). Parkin advises on current human-centred cyber security issues and security awareness approaches, looking specifically at security management challenges for micro/small charities and their members (less than 50 members). Parkin attends regular meetings of the CAF group and the associated cyber fraud resilience sub-committee. Research techniques have been applied to directly engage with representatives of small charities, such as through phone-based interviews and structured survey questions.
Collaborator Contribution Brokered discussions with associations of small charities, which in turn supported development of working relationships to facilitate interviews/surveys with representatives of small charities. Managed regular CAF meetings and the CAF website, signposting to recommended security practices and partner organisations (including UCL).
Impact Presentation of "cyber crime" session at FSI Skills Conference, London, March 2017
Start Year 2015
 
Description Hewlett Packard Enterprise (HPE) 
Organisation Hewlett Packard Enterprise (HPE)
Country United Kingdom 
Sector Private 
PI Contribution Relate research and expertise in the human factors of security to security awareness programmes as typically delivered in organisations, but also those delivered by HPE. Host the white paper on the Reseach Institute in Science of Cyber Security (RISCS) website. Promotion of the methodology described in the white paper, for instance at the SANS Security Awareness Summit in 2015.
Collaborator Contribution Relate experience of delivering security awareness programmes. Facilitate editing and publication of the white paper, and hosting of the paper online. Promotion of the white paper through relevant events and social media channels.
Impact "Awareness is only the first step" HPE business white paper, co-authored by HPE and RISCS members from UCL, and endorsed by CESG. The paper relates a number of existing works to real-world security awareness programmes and their delivery, from human factors of security, human factors of safety, and socio-technical aspects of security.
Start Year 2014
 
Description (IET) Cyber Security for Industrial Control systems 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Type Of Presentation keynote/invited speaker
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Talk, "Human Behaviour and Security Compliance", at The Institution of Engineering and Technology (IET) event on Cyber Security for Industrial Control Systems: Enhancing Control System Security for SCADA and Real-Time Systems, Glasgow. (Adam Beautement)

-
Year(s) Of Engagement Activity 2013
URL https://tv.theiet.org/?event=3516
 
Description Armageddon in Cyberspace 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Talk given at Armageddon in Cyberspace, "Avoiding collateral damage: protecting people, not just systems"

A joint event hosted by Gresham College and The Worshipful Company of Stationers and Newspaper Makers, Stationers' Hall London, http://www.gresham.ac.uk/lectures-and-events/armageddon-in-cyberspace.

-
Year(s) Of Engagement Activity 2013
URL http://www.gresham.ac.uk/lectures-and-events/armageddon-in-cyberspace
 
Description BBC Data Day 
Form Of Engagement Activity A broadcast e.g. TV/radio/film/podcast (other than news/press)
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Public/other audiences
Results and Impact invited expert on voice recognition, The Jeremy Vine show presented by Vanessa Feltz
Year(s) Of Engagement Activity 2016
URL http://www.bbc.co.uk/programmes/b0706025
 
Description BBC Moneybox 
Form Of Engagement Activity A broadcast e.g. TV/radio/film/podcast (other than news/press)
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Public/other audiences
Results and Impact "How safe is your password?", BBC Radio 4's Moneybox programme
Year(s) Of Engagement Activity 2017
URL http://www.bbc.co.uk/programmes/b087rkx4
 
Description BBC News, "perfect password" 
Form Of Engagement Activity A press release, press conference or response to a media enquiry/interview
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Public/other audiences
Results and Impact Quoted expert, "How to pick the perfect password", BBC News

-
Year(s) Of Engagement Activity 2015
URL http://www.bbc.co.uk/news/technology-34221843
 
Description BX2015, London 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Type Of Presentation keynote/invited speaker
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact invited talk, "Can we Transform Security Behaviour?", BX2015, London

-
Year(s) Of Engagement Activity 2015
URL http://www.bx2015.org/
 
Description Cisco Breakathon 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Invited Keynote, Cisco Breakathon, Greenwich, 18th March

-
Year(s) Of Engagement Activity 2014
 
Description Cyber Security & Electronic Terrorism 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Type Of Presentation keynote/invited speaker
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Invited talk, "Cyber Security as a Science", given at Cyber Security & Electronic Terrorism conference, London Olympia.

-
Year(s) Of Engagement Activity 2013
URL http://www.counterterrorexpo.com/page.cfm/link=238
 
Description Cyber Security - Breakfast Briefing 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact Invited speaker, "Cybersecurity & The New Government: What Changes Should We Expect?", The New Government & Cyber Security - Breakfast Briefing, The Cyber Security Summit, London.

-
Year(s) Of Engagement Activity 2015
URL http://www.cybersecurityconference.co.uk/breakfast-briefing
 
Description EPSRC Identity Event 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact invited talk, "The Future of Identity: Technology, Money, or Authenticity?", EPSRC Identity Event

-
Year(s) Of Engagement Activity 2015
 
Description ESRC Cyber Security workshop 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Keynote, "Better design for a resilient digital society", ESRC Cyber Security workshop, London

-
Year(s) Of Engagement Activity 2015
 
Description End of Privacy event 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Public/other audiences
Results and Impact Invited panel member, Web We Want Festival, Southbank Centre, London.

-
Year(s) Of Engagement Activity 2015
URL http://webwewant.southbankcentre.co.uk/whats-on/end-privacy-1260
 
Description Ernst & Young 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Type Of Presentation keynote/invited speaker
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Invited talk, "Rule bending: what really goes on under the hood of the enterprise?", Investment Banking SiG, Ernst & Young.

-
Year(s) Of Engagement Activity 2013
 
Description European Association for Biometrics 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Invited talk, "Convenient and trustworthy biometrics - let's get it right this time", Workshop on "Preserving Privacy in an Age of Increased Surveillance - A Biometrics Perspective", IBM & European Association for Biometrics (EAB), London

-
Year(s) Of Engagement Activity 2014
URL http://www.eab.org/events/program/70
 
Description FSI Skills Conference 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Third sector organisations
Results and Impact Presentation of "cyber crime" skills session by Simon Parkin, alongside a representative of the Charity Commission for England and Wales
Year(s) Of Engagement Activity 2017
URL http://www.thefsi.org/fsi-skills-conference/cyber-crime/
 
Description Finding Security Champions in Blends of Security Culture 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact The aim of this workshop is to bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security and privacy as well as researchers and practitioners from other domains such as psychology, social science and economics.
Year(s) Of Engagement Activity 2017
URL https://usec.cispa.uni-saarland.de/eurousec17/#program
 
Description Future Security (Berlin) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Type Of Presentation keynote/invited speaker
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Invited talk, "'Rule breakers, excuse makers, and security champions' - working with people to improve security", Future Security, Berlin.

-
Year(s) Of Engagement Activity 2015
URL http://www.iaf.fraunhofer.de/en/press-events/events/future-security-2015.html
 
Description German Online Banking Security Workshop 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Invited talk, "Protecting Users Against Online Attacks", Frankfurt German Online Banking Security Workshop, Heppenheim, Germany

-
Year(s) Of Engagement Activity 2015
 
Description Guardian usability v safety article 
Form Of Engagement Activity A press release, press conference or response to a media enquiry/interview
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Public/other audiences
Results and Impact quoted expert, "Usability v safety: how to design our way to better security", Guardian article
Year(s) Of Engagement Activity 2015
URL http://www.theguardian.com/media-network/2015/nov/26/usability-safety-how-to-design-better-security-...
 
Description How safe is your password? Radio 4's Moneybox programme 
Form Of Engagement Activity A press release, press conference or response to a media enquiry/interview
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Media (as a channel to the public)
Results and Impact BBC Radio 4 Moneybox programme - discussion about post-password society
Year(s) Of Engagement Activity 2017
URL https://www.bbc.co.uk/programmes/b087rkx4
 
Description I3P 10th Anniversary Meeting (Washington DC) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact talk given at I3P 10th Anniversary Meeting, "Science of Cybersecurity Research in the UK".

-
Year(s) Of Engagement Activity 2012
 
Description IAAC 2013 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Type Of Presentation poster presentation
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Poster Presentation, "Productive Security", IAAC (Information Assurance Advisory Council) Annual Symposium 2013, BT Centre, London. (Simon Parkin)

-
Year(s) Of Engagement Activity 2013
URL http://www.iaac.org.uk/events/symposiums/2013-annual-symposium-new-horizons-for-ia/
 
Description IAAC Symposium panel 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Invited panel member, "How assured is your information?", IAAC Symposium, BT Newgate St, London, 11th September

-
Year(s) Of Engagement Activity 2014
URL http://www.iaac.org.uk/events/symposiums/2014-annual-symposium-agenda-released/
 
Description IAP Symposium 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Invited Keynote, IAP (Analysts and Programmers) Symposium, Cue Gardens, London, 8th April

-
Year(s) Of Engagement Activity 2014
 
Description IBM security community day 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Opening keynote, "How much security can we afford?", IBM security community day, London, 30th July

-
Year(s) Of Engagement Activity 2014
 
Description IDEALondon 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Invited talk, "Cyber Security", Cyber Innovation Day at the Cyber Startup Summit, IDEALondon, London.

-
Year(s) Of Engagement Activity 2015
 
Description IFIP Summer School 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Undergraduate students
Results and Impact Invited talk, "There is no 'privacy paradox' - just technology that does not support users' privacy preferences", IFIP Summer School.
Reached students wanting to learn more about privacy.

http://www.ifip-summerschool.org/

-
Year(s) Of Engagement Activity 2015
 
Description INTEL Faculty Summit (CA) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact talk given at INTEL Faculty Summit, "Teaching security outcomes through serious games", Santa Clara, CA.

-
Year(s) Of Engagement Activity 2013
 
Description ISSA Dragon's Den 2014 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Invited keynote, "Security Awareness and Education - Time for a Re-Boot", Information Systems Security Association (ISSA) Security in the Spotlight - Dragon's Den 2014, London, 10th July

-
Year(s) Of Engagement Activity 2014
 
Description Information Assurance (IA14) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Invited session talk, "why do people not comply?", 17th June

-
Year(s) Of Engagement Activity 2014
 
Description Information Assurance (IA15) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Panel Member, "The Skills Balance", IA 15: Secure Digital Transformation, London
Year(s) Of Engagement Activity 2015
 
Description Information Security Forum talk 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Invited talk, "Influencing behaviour through system design", UK Chapter Summer Meeting, Information Security Forum, London. (A Beautement)

Resulted in invitation to host associated User Behaviour workshop.

-
Year(s) Of Engagement Activity 2015
 
Description Information Security Forum workshop 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Invited workshop, "User Behaviour", Chapter Summer Meeting, Information Security Forum, London. (A Beautement)

-
Year(s) Of Engagement Activity 2015
 
Description International Centre for Parliamentary Studies (ICPS) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Policymakers/politicians
Results and Impact Invited talk, "Cyber Security and Financial Crime", International Centre for Parliamentary Studies (ICPS), London.

-
Year(s) Of Engagement Activity 2015
 
Description Nature Magazine 
Form Of Engagement Activity A press release, press conference or response to a media enquiry/interview
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Public/other audiences
Results and Impact "How to hack the hackers: The human side of cybercrime", Nature Magazine, 533, 164-167 (12 May 2016)
Year(s) Of Engagement Activity 2016
URL http://www.nature.com/news/how-to-hack-the-hackers-the-human-side-of-cybercrime-1.19872
 
Description Noord Group Infosec Dialogue 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact invited talk, "What Makes An Effective Security Awareness Programme?", Infosec Dialogue, Noord Group, Oxfordshire. (S Parkin)

-
Year(s) Of Engagement Activity 2015
URL http://www.noord-group.com/
 
Description Password-Based Protection of Privacy and Personal Data: Friend or Foe? 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Moderator of debate about the use of password-based authentication: is this still a secure and user-friendly security measure, potentially improved by intelligent password strength metrics, or is it outdated and in need of replacement by other means of authentication abandoning the paradigm "something you know" to "something you are" or "something you have"?
Year(s) Of Engagement Activity 2017
URL https://www.youtube.com/watch?v=icCQq4VxCAQ
 
Description Public sector conference (Edinburgh) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Invited talk, "User-centric security", Public sector conference, Edinburgh, 12th February

-
Year(s) Of Engagement Activity 2014
 
Description RISCS annual update 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Type Of Presentation workshop facilitator
Geographic Reach National
Primary Audience Industry/Business
Results and Impact Annual event, including Research Institute in Science of Cyber Security (RISCS) update (including Productive Security). UK Cyber Security Research Conference / RISCS Annual Conference

-
Year(s) Of Engagement Activity 2013,2014,2015
URL http://www.riscs.org.uk/
 
Description Royal Holloway CDT 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Postgraduate students
Results and Impact Invited Talk, 'Learning from Shadow Security", Royal Holloway CDT in Cyber Security, Royal Holloway University of London (RHUL), Egham, 30th April

-
Year(s) Of Engagement Activity 2014
 
Description SANS European Security Awareness Summit 2016 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact "Top Awareness Challenges and Solutions for SMEs", Lightning Talk, SANS European Security Awareness Summit 2016, London (Parkin)
Year(s) Of Engagement Activity 2016
URL https://www.sans.org/event-downloads/43857/agenda.pdf
 
Description SANS Security Awareness Summit 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact "A New Approach to Transforming Security Behaviour", SANS Security Awareness Summit.

Resulted in further dialogue with the SANS Institute, towards collaboration between awareness experts across both academic and industry.

-
Year(s) Of Engagement Activity 2015
URL https://www.sans.org/event/european-security-awareness-summit
 
Description STS Kyoto 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Invited Talk, "Cybersecurity Challenges facing Society", Science and Technology in Society Forum (STS), Kyoto
Year(s) Of Engagement Activity 2015
 
Description Security behaviours in organisations 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact Workshop on The Economics and Human Aspects of Cyber-Security. School of Economics, University of Kent, 20th November 2017 - attended by researchers
Year(s) Of Engagement Activity 2017
 
Description The Psychology Behind Cyber Attacks and How to Manage the Insider Threat 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Cyber Security Summit & Expo. London, UK, 16th November 2017
Year(s) Of Engagement Activity 2017
 
Description UCL MSc Open Evening 2015 
Form Of Engagement Activity Participation in an open day or visit at my research institution
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Undergraduate students
Results and Impact Talk, "Adventures in Policy Land", UCL MSc Open Evening, UCL.

-
Year(s) Of Engagement Activity 2015
 
Description Understanding Cyber and System Security Aspects 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact invited keynote speaker at 'Human Factors in Systems Safety and Security' Summer School, Bournemouth University
Year(s) Of Engagement Activity 2017
URL https://cybersecurity.bournemouth.ac.uk/?p=463
 
Description VIP lunchtime panel session 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Panel discussant at WIRED Security event - lunchtime session exploring how businesses can work to prepare against the ever-evolving threat of cyber attacks, and what to do if they suffer a breach.
Year(s) Of Engagement Activity 2017
URL http://www.wired.co.uk/article/wired-security-2017-exploring-cybersecurity
 
Description Vodafone 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact Invited Talk, "Cyber Security and the Human-Technology Interface"
Year(s) Of Engagement Activity 2015
 
Description WIRED Magazine UK 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Public/other audiences
Results and Impact Quoted expert, "How we'll fight cybercrime over the next ten years", WIRED Magazine UK, January 2015

-
Year(s) Of Engagement Activity 2015
URL http://www.wired.co.uk/magazine/archive/2015/01/start/big-question-fighting-cybercrime
 
Description Work Magazine 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Public/other audiences
Results and Impact Quoted expert, "Cybercrime 2015: No one is safe", Work Magazine, Winter 2015, Pg. 28, CIPD.

-
Year(s) Of Engagement Activity 2015
 
Description Workshop on Advanced Strategies in Cybersecurity (Berlin) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact talk given at Workshop on Advanced Strategies in Cybersecurity, "The impact of public disclosure", German Federal Foreign Office, Berlin.

-
Year(s) Of Engagement Activity 2013
 
Description Would you like some Anti-Virus Protection with that? Adventures in Point-of-Sale Security 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Keynote speaker at EuroUSEC workshop - interdisciplinary group of researchers and practitioners in human computer interaction, security and privacy as well as researchers and practitioners from other domains such as psychology, social science and economics.
Year(s) Of Engagement Activity 2017
URL https://usec.cispa.uni-saarland.de/eurousec17/#program