Productive Security - Improving security compliance and productivity through measurement
Lead Research Organisation:
University College London
Department Name: Computer Science
Abstract
There has been a growing body of evidence that security policies and controls are not effective because employees either can't, or won't, comply. A key reason for non-compliance is the workload and complexity of security controls chosen - employees simply cannot cope with an ever-increasing number of ever-longer and more complex passwords. Yet most security-decision-makers do not factor the impact on employees, their tasks, and company's business processes, into their decision about which security controls to put in place. Current attempts to 'edcuate' employees about the need for security are largely ineffective because they simply push more information on people who are already overworked.
And even in organisations with a high security awareness, non-compliance can be observed because security policy cause excessive friction, or are not agile enough to meet the needs of the business.
There exists a strong requirement for a structured, scientifically-grounded decision-making framework into which existing data can be inserted, alongside the key 'missing link' measurements of employee's workload, risk perception, and resulting security behaviours. The project will work with at least two major companies to collect such data, and build a model of that allows security decision-makers to 'calculate' the impact of the security controls on employees and business processes, and balance them against the risk mitigation the security control achieves. A further innovative step in this proposal is that well-chosen security controls could make contributions to the business process beyond security, if the imformation they provide can be used to improve quality of products or services - hence the title of the project.
And even in organisations with a high security awareness, non-compliance can be observed because security policy cause excessive friction, or are not agile enough to meet the needs of the business.
There exists a strong requirement for a structured, scientifically-grounded decision-making framework into which existing data can be inserted, alongside the key 'missing link' measurements of employee's workload, risk perception, and resulting security behaviours. The project will work with at least two major companies to collect such data, and build a model of that allows security decision-makers to 'calculate' the impact of the security controls on employees and business processes, and balance them against the risk mitigation the security control achieves. A further innovative step in this proposal is that well-chosen security controls could make contributions to the business process beyond security, if the imformation they provide can be used to improve quality of products or services - hence the title of the project.
Planned Impact
The proposed project will have relatively immediate benefits for the security and productivity of the companies participating in the project: the PIs, RAs and 2 PhD students will work with them to analyse security compliance issues, and help them to build a set of measurements for making decisions on how to improve them. By the end of the project, the organisations will have 1) a database of their security mechanisms and the employee effort associated with them, 2) a survey tool and set of organization-specific scenarios for measuring their employees' security attitudes and likely behaviour.
Their examples - which we will disseminate through publications and conferences aimed at practitioners - should encourage a wide range of both private and public sector organisations to adopt the measurements and tools developed by the project to improve their security decision-making. Each adopting organisation will be able to strengthen its security by increasing employee compliance and selecting effective security controls, and also improve its competitive position because those security controls improve, rather than reduce, productivity. From a national perspective, wide adoption of the measurements and approach will contribute to the aims of strengthening the digital economy, and making the UK a secure place in which to do business.
The evidence-based approach developed by the project will also have significant impact on both academic and professional security training, moving information security management from a craft-based discipline to a science-based one. The results and framework generated by the project will be used as part of the development of ongoing research agendas in information security, physical security, human-computer interaction (HCI), and security economics. The project seeks to address the underlying human and technological science behind observed security outcomes (both positive and negative). The project explicitly integrates social and technological factors and these are critical for development of each of the individual disciplines, both jointly and in isolation. As such, it will be a focus of intellectual leadership in a challenging interdisciplinary area that is currently badly in need of the introduction of a rigorous and structured framework and methodology.
Their examples - which we will disseminate through publications and conferences aimed at practitioners - should encourage a wide range of both private and public sector organisations to adopt the measurements and tools developed by the project to improve their security decision-making. Each adopting organisation will be able to strengthen its security by increasing employee compliance and selecting effective security controls, and also improve its competitive position because those security controls improve, rather than reduce, productivity. From a national perspective, wide adoption of the measurements and approach will contribute to the aims of strengthening the digital economy, and making the UK a secure place in which to do business.
The evidence-based approach developed by the project will also have significant impact on both academic and professional security training, moving information security management from a craft-based discipline to a science-based one. The results and framework generated by the project will be used as part of the development of ongoing research agendas in information security, physical security, human-computer interaction (HCI), and security economics. The project seeks to address the underlying human and technological science behind observed security outcomes (both positive and negative). The project explicitly integrates social and technological factors and these are critical for development of each of the individual disciplines, both jointly and in isolation. As such, it will be a focus of intellectual leadership in a challenging interdisciplinary area that is currently badly in need of the introduction of a rigorous and structured framework and methodology.
Publications
Abu-Salma R
(2017)
Obstacles to the Adoption of Secure Communication Tools
Becker I
(2017)
Finding Security Champions in Blends of Organisational Culture
Benenson Z
(2015)
Maybe Poor Johnny Really Cannot Encrypt
Beyer M
(2015)
Awareness is only the first step
| Description | Our research has provided significant evidence that current approaches to security management result in sub-optimal security and productivity outcomes, because of most current security measures drain resources and interfere with productive processes. We have developed an evidence-based approach, empirically tracking and modelling the impact of security on an organisation, to identify and transform such security measures - and shown that in many cases it is not only possible to reduce the negative impact of security measures, but identify ones that contribute to productivity (e.g. by using data collected for security monitoring for quality control). |
| Exploitation Route | All organisations who want to improve their information security can use this as a guideline to reviewing and improving their policies and mechanisms. Providers of security awareness and training can apply the framwork to develop more advanced campaigns and materials that, if used as part of the frameworks, that actually affect behaviour change (and we have started a collaboration with one such company, Blue Goose). Developers of security products can use our methods to identify and eliminate 'friction potential' of their products with business processes. The modelling work using techniques from Prod Sec has been applied outside security, in collaboration with Prof. Kevin Fong at UCLH to model pateint flows and resource allocation in major incident response and other hospital operations. |
| Sectors | Digital/Communication/Information Technologies (including Software),Healthcare,Government, Democracy and Justice |
| URL | https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/4http://www.riscs.org.uk/?page_id=15 |
| Description | Our research results and insights have been used by NCSC staff to promote the adoption of usable security policies and measures, and engaging staff in security. One key output is was the 2015 Password Guidance: Simplifying Your Approch https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach which guides system owners and service providers toward takng more responsibility for protecting accounts, rather than putting all workload on end- users: the new advice is: don't impose long passwords, complex rules or frequent changes on users. The Guidance Document is aimed at government departments, and many UK commercial organisations also adopt. The US National Institute of Standards and Technology (whose guidance is binding for suppliers to US Govt) since revised their guidelines largely following this new approach.The modelling work led by Prof. Pym, has been using techniques from Prod Sec in collaboration with Prof. Kevin Fongat UCLH to model pateint flows and resource allocation in major incident response and other hospital operations. Prof. Pym is currently working with UCLB on setting up a spin-out company. In 2018, the National Cyber Security Centre changed its Guidance on how to effectively combat phishing to include our results. |
| First Year Of Impact | 2018 |
| Sector | Digital/Communication/Information Technologies (including Software),Healthcare,Government, Democracy and Justice,Security and Diplomacy |
| Impact Types | Economic,Policy & public services |
| Description | Password Guidance: Simplifying Your Approach |
| Geographic Reach | National |
| Policy Influence Type | Participation in a guidance/advisory committee |
| URL | https://cesgdigital.blog.gov.uk/2015/09/08/making-security-better-passwords/ |
| Description | Research results formed part advice for NCSC Guidance on Phishing |
| Geographic Reach | National |
| Policy Influence Type | Influenced training of practitioners or researchers |
| Impact | Anti-phishing training as currently practiced - phishing your own employees via email campaigns - wastes employees time, leads to legitimate emails not being dealt with, and destroys trust been employees and the organisation. Our results lead to national guidance on how to reduce phishing emails that reach employees, and place more emphasis on reporting. |
| URL | https://www.ncsc.gov.uk/blog-post/announcing-ncscs-new-phishing-guidance |
| Description | EPSRC Impact Acceleration Account (IAA) |
| Amount | £27,483 (GBP) |
| Funding ID | EPSRC Impact Acceleration Account (IAA), award nr. EP/K503745/1 |
| Organisation | Engineering and Physical Sciences Research Council (EPSRC) |
| Sector | Public |
| Country | United Kingdom |
| Start | 07/2016 |
| End | 12/2016 |
| Description | EPSRC Impact Acceleration Account (IAA) |
| Amount | £5,812 (GBP) |
| Funding ID | EPSRC Impact Acceleration Account (IAA), award nr. EP/K503745/1 |
| Organisation | Engineering and Physical Sciences Research Council (EPSRC) |
| Sector | Public |
| Country | United Kingdom |
| Start | 06/2015 |
| End | 09/2015 |
| Description | small grants scheme 2016-2017 |
| Amount | £119,149 (GBP) |
| Organisation | Government Communications Headquarters (GCHQ) |
| Sector | Public |
| Country | United Kingdom |
| Start | 10/2016 |
| End | 03/2017 |
| Title | julia systems modelling package |
| Description | Packages for the julia (www.julialang.org) modelling languages that capture our systems and security modelling approach. Presentation in progress. |
| Type Of Material | Improvements to research infrastructure |
| Year Produced | 2016 |
| Provided To Others? | Yes |
| Impact | Presentations at the UK Research Institute in the Science of Cybersecurity (RISCS) first-phase final meeting. http://www.riscs.org.uk/?page_id=15 |
| URL | https://github.com/tristanc/SysModels |
| Description | Charity Commission |
| Organisation | Charity Commission for England and Wales |
| Country | United Kingdom |
| Sector | Public |
| PI Contribution | Simon Parkin is an active member of the Charities Against Fraud (CAF) group, formerly the Charity Sector Counter Fraud Group (CSCFG). Parkin advises on current human-centred cyber security issues and security awareness approaches, looking specifically at security management challenges for micro/small charities and their members (less than 50 members). Parkin attends regular meetings of the CAF group and the associated cyber fraud resilience sub-committee. Research techniques have been applied to directly engage with representatives of small charities, such as through phone-based interviews and structured survey questions. |
| Collaborator Contribution | Brokered discussions with associations of small charities, which in turn supported development of working relationships to facilitate interviews/surveys with representatives of small charities. Managed regular CAF meetings and the CAF website, signposting to recommended security practices and partner organisations (including UCL). |
| Impact | Presentation of "cyber crime" session at FSI Skills Conference, London, March 2017 |
| Start Year | 2015 |
| Description | Hewlett Packard Enterprise (HPE) |
| Organisation | Hewlett Packard Enterprise (HPE) |
| Country | United Kingdom |
| Sector | Private |
| PI Contribution | Relate research and expertise in the human factors of security to security awareness programmes as typically delivered in organisations, but also those delivered by HPE. Host the white paper on the Reseach Institute in Science of Cyber Security (RISCS) website. Promotion of the methodology described in the white paper, for instance at the SANS Security Awareness Summit in 2015. |
| Collaborator Contribution | Relate experience of delivering security awareness programmes. Facilitate editing and publication of the white paper, and hosting of the paper online. Promotion of the white paper through relevant events and social media channels. |
| Impact | "Awareness is only the first step" HPE business white paper, co-authored by HPE and RISCS members from UCL, and endorsed by CESG. The paper relates a number of existing works to real-world security awareness programmes and their delivery, from human factors of security, human factors of safety, and socio-technical aspects of security. |
| Start Year | 2014 |
| Description | (IET) Cyber Security for Industrial Control systems |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Type Of Presentation | keynote/invited speaker |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Talk, "Human Behaviour and Security Compliance", at The Institution of Engineering and Technology (IET) event on Cyber Security for Industrial Control Systems: Enhancing Control System Security for SCADA and Real-Time Systems, Glasgow. (Adam Beautement) - |
| Year(s) Of Engagement Activity | 2013 |
| URL | https://tv.theiet.org/?event=3516 |
| Description | Armageddon in Cyberspace |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Talk given at Armageddon in Cyberspace, "Avoiding collateral damage: protecting people, not just systems" A joint event hosted by Gresham College and The Worshipful Company of Stationers and Newspaper Makers, Stationers' Hall London, http://www.gresham.ac.uk/lectures-and-events/armageddon-in-cyberspace. - |
| Year(s) Of Engagement Activity | 2013 |
| URL | http://www.gresham.ac.uk/lectures-and-events/armageddon-in-cyberspace |
| Description | BBC Data Day |
| Form Of Engagement Activity | A broadcast e.g. TV/radio/film/podcast (other than news/press) |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Public/other audiences |
| Results and Impact | invited expert on voice recognition, The Jeremy Vine show presented by Vanessa Feltz |
| Year(s) Of Engagement Activity | 2016 |
| URL | http://www.bbc.co.uk/programmes/b0706025 |
| Description | BBC Moneybox |
| Form Of Engagement Activity | A broadcast e.g. TV/radio/film/podcast (other than news/press) |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Public/other audiences |
| Results and Impact | "How safe is your password?", BBC Radio 4's Moneybox programme |
| Year(s) Of Engagement Activity | 2017 |
| URL | http://www.bbc.co.uk/programmes/b087rkx4 |
| Description | BBC News, "perfect password" |
| Form Of Engagement Activity | A press release, press conference or response to a media enquiry/interview |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Public/other audiences |
| Results and Impact | Quoted expert, "How to pick the perfect password", BBC News - |
| Year(s) Of Engagement Activity | 2015 |
| URL | http://www.bbc.co.uk/news/technology-34221843 |
| Description | BX2015, London |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Type Of Presentation | keynote/invited speaker |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | invited talk, "Can we Transform Security Behaviour?", BX2015, London - |
| Year(s) Of Engagement Activity | 2015 |
| URL | http://www.bx2015.org/ |
| Description | Cisco Breakathon |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited Keynote, Cisco Breakathon, Greenwich, 18th March - |
| Year(s) Of Engagement Activity | 2014 |
| Description | Cyber Security & Electronic Terrorism |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Type Of Presentation | keynote/invited speaker |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited talk, "Cyber Security as a Science", given at Cyber Security & Electronic Terrorism conference, London Olympia. - |
| Year(s) Of Engagement Activity | 2013 |
| URL | http://www.counterterrorexpo.com/page.cfm/link=238 |
| Description | Cyber Security - Breakfast Briefing |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Industry/Business |
| Results and Impact | Invited speaker, "Cybersecurity & The New Government: What Changes Should We Expect?", The New Government & Cyber Security - Breakfast Briefing, The Cyber Security Summit, London. - |
| Year(s) Of Engagement Activity | 2015 |
| URL | http://www.cybersecurityconference.co.uk/breakfast-briefing |
| Description | EPSRC Identity Event |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Policymakers/politicians |
| Results and Impact | invited talk, "The Future of Identity: Technology, Money, or Authenticity?", EPSRC Identity Event - |
| Year(s) Of Engagement Activity | 2015 |
| Description | ESRC Cyber Security workshop |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Policymakers/politicians |
| Results and Impact | Keynote, "Better design for a resilient digital society", ESRC Cyber Security workshop, London - |
| Year(s) Of Engagement Activity | 2015 |
| Description | End of Privacy event |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Public/other audiences |
| Results and Impact | Invited panel member, Web We Want Festival, Southbank Centre, London. - |
| Year(s) Of Engagement Activity | 2015 |
| URL | http://webwewant.southbankcentre.co.uk/whats-on/end-privacy-1260 |
| Description | Ernst & Young |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Type Of Presentation | keynote/invited speaker |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited talk, "Rule bending: what really goes on under the hood of the enterprise?", Investment Banking SiG, Ernst & Young. - |
| Year(s) Of Engagement Activity | 2013 |
| Description | European Association for Biometrics |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited talk, "Convenient and trustworthy biometrics - let's get it right this time", Workshop on "Preserving Privacy in an Age of Increased Surveillance - A Biometrics Perspective", IBM & European Association for Biometrics (EAB), London - |
| Year(s) Of Engagement Activity | 2014 |
| URL | http://www.eab.org/events/program/70 |
| Description | FSI Skills Conference |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Third sector organisations |
| Results and Impact | Presentation of "cyber crime" skills session by Simon Parkin, alongside a representative of the Charity Commission for England and Wales |
| Year(s) Of Engagement Activity | 2017 |
| URL | http://www.thefsi.org/fsi-skills-conference/cyber-crime/ |
| Description | Finding Security Champions in Blends of Security Culture |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | The aim of this workshop is to bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security and privacy as well as researchers and practitioners from other domains such as psychology, social science and economics. |
| Year(s) Of Engagement Activity | 2017 |
| URL | https://usec.cispa.uni-saarland.de/eurousec17/#program |
| Description | Future Security (Berlin) |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Type Of Presentation | keynote/invited speaker |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited talk, "'Rule breakers, excuse makers, and security champions' - working with people to improve security", Future Security, Berlin. - |
| Year(s) Of Engagement Activity | 2015 |
| URL | http://www.iaf.fraunhofer.de/en/press-events/events/future-security-2015.html |
| Description | German Online Banking Security Workshop |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited talk, "Protecting Users Against Online Attacks", Frankfurt German Online Banking Security Workshop, Heppenheim, Germany - |
| Year(s) Of Engagement Activity | 2015 |
| Description | Guardian usability v safety article |
| Form Of Engagement Activity | A press release, press conference or response to a media enquiry/interview |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Public/other audiences |
| Results and Impact | quoted expert, "Usability v safety: how to design our way to better security", Guardian article |
| Year(s) Of Engagement Activity | 2015 |
| URL | http://www.theguardian.com/media-network/2015/nov/26/usability-safety-how-to-design-better-security-... |
| Description | How safe is your password? Radio 4's Moneybox programme |
| Form Of Engagement Activity | A press release, press conference or response to a media enquiry/interview |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Media (as a channel to the public) |
| Results and Impact | BBC Radio 4 Moneybox programme - discussion about post-password society |
| Year(s) Of Engagement Activity | 2017 |
| URL | https://www.bbc.co.uk/programmes/b087rkx4 |
| Description | I3P 10th Anniversary Meeting (Washington DC) |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | talk given at I3P 10th Anniversary Meeting, "Science of Cybersecurity Research in the UK". - |
| Year(s) Of Engagement Activity | 2012 |
| Description | IAAC 2013 |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Type Of Presentation | poster presentation |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Poster Presentation, "Productive Security", IAAC (Information Assurance Advisory Council) Annual Symposium 2013, BT Centre, London. (Simon Parkin) - |
| Year(s) Of Engagement Activity | 2013 |
| URL | http://www.iaac.org.uk/events/symposiums/2013-annual-symposium-new-horizons-for-ia/ |
| Description | IAAC Symposium panel |
| Form Of Engagement Activity | A formal working group, expert panel or dialogue |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited panel member, "How assured is your information?", IAAC Symposium, BT Newgate St, London, 11th September - |
| Year(s) Of Engagement Activity | 2014 |
| URL | http://www.iaac.org.uk/events/symposiums/2014-annual-symposium-agenda-released/ |
| Description | IAP Symposium |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited Keynote, IAP (Analysts and Programmers) Symposium, Cue Gardens, London, 8th April - |
| Year(s) Of Engagement Activity | 2014 |
| Description | IBM security community day |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Opening keynote, "How much security can we afford?", IBM security community day, London, 30th July - |
| Year(s) Of Engagement Activity | 2014 |
| Description | IDEALondon |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited talk, "Cyber Security", Cyber Innovation Day at the Cyber Startup Summit, IDEALondon, London. - |
| Year(s) Of Engagement Activity | 2015 |
| Description | IFIP Summer School |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Undergraduate students |
| Results and Impact | Invited talk, "There is no 'privacy paradox' - just technology that does not support users' privacy preferences", IFIP Summer School. Reached students wanting to learn more about privacy. http://www.ifip-summerschool.org/ - |
| Year(s) Of Engagement Activity | 2015 |
| Description | INTEL Faculty Summit (CA) |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | talk given at INTEL Faculty Summit, "Teaching security outcomes through serious games", Santa Clara, CA. - |
| Year(s) Of Engagement Activity | 2013 |
| Description | ISSA Dragon's Den 2014 |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited keynote, "Security Awareness and Education - Time for a Re-Boot", Information Systems Security Association (ISSA) Security in the Spotlight - Dragon's Den 2014, London, 10th July - |
| Year(s) Of Engagement Activity | 2014 |
| Description | Information Assurance (IA14) |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited session talk, "why do people not comply?", 17th June - |
| Year(s) Of Engagement Activity | 2014 |
| Description | Information Assurance (IA15) |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Panel Member, "The Skills Balance", IA 15: Secure Digital Transformation, London |
| Year(s) Of Engagement Activity | 2015 |
| Description | Information Security Forum talk |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited talk, "Influencing behaviour through system design", UK Chapter Summer Meeting, Information Security Forum, London. (A Beautement) Resulted in invitation to host associated User Behaviour workshop. - |
| Year(s) Of Engagement Activity | 2015 |
| Description | Information Security Forum workshop |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited workshop, "User Behaviour", Chapter Summer Meeting, Information Security Forum, London. (A Beautement) - |
| Year(s) Of Engagement Activity | 2015 |
| Description | International Centre for Parliamentary Studies (ICPS) |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Policymakers/politicians |
| Results and Impact | Invited talk, "Cyber Security and Financial Crime", International Centre for Parliamentary Studies (ICPS), London. - |
| Year(s) Of Engagement Activity | 2015 |
| Description | Nature Magazine |
| Form Of Engagement Activity | A press release, press conference or response to a media enquiry/interview |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Public/other audiences |
| Results and Impact | "How to hack the hackers: The human side of cybercrime", Nature Magazine, 533, 164-167 (12 May 2016) |
| Year(s) Of Engagement Activity | 2016 |
| URL | http://www.nature.com/news/how-to-hack-the-hackers-the-human-side-of-cybercrime-1.19872 |
| Description | Noord Group Infosec Dialogue |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | invited talk, "What Makes An Effective Security Awareness Programme?", Infosec Dialogue, Noord Group, Oxfordshire. (S Parkin) - |
| Year(s) Of Engagement Activity | 2015 |
| URL | http://www.noord-group.com/ |
| Description | Password-Based Protection of Privacy and Personal Data: Friend or Foe? |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | Moderator of debate about the use of password-based authentication: is this still a secure and user-friendly security measure, potentially improved by intelligent password strength metrics, or is it outdated and in need of replacement by other means of authentication abandoning the paradigm "something you know" to "something you are" or "something you have"? |
| Year(s) Of Engagement Activity | 2017 |
| URL | https://www.youtube.com/watch?v=icCQq4VxCAQ |
| Description | Public sector conference (Edinburgh) |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited talk, "User-centric security", Public sector conference, Edinburgh, 12th February - |
| Year(s) Of Engagement Activity | 2014 |
| Description | RISCS annual update |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Type Of Presentation | workshop facilitator |
| Geographic Reach | National |
| Primary Audience | Industry/Business |
| Results and Impact | Annual event, including Research Institute in Science of Cyber Security (RISCS) update (including Productive Security). UK Cyber Security Research Conference / RISCS Annual Conference - |
| Year(s) Of Engagement Activity | 2013,2014,2015 |
| URL | http://www.riscs.org.uk/ |
| Description | Royal Holloway CDT |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Postgraduate students |
| Results and Impact | Invited Talk, 'Learning from Shadow Security", Royal Holloway CDT in Cyber Security, Royal Holloway University of London (RHUL), Egham, 30th April - |
| Year(s) Of Engagement Activity | 2014 |
| Description | SANS European Security Awareness Summit 2016 |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | "Top Awareness Challenges and Solutions for SMEs", Lightning Talk, SANS European Security Awareness Summit 2016, London (Parkin) |
| Year(s) Of Engagement Activity | 2016 |
| URL | https://www.sans.org/event-downloads/43857/agenda.pdf |
| Description | SANS Security Awareness Summit |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | "A New Approach to Transforming Security Behaviour", SANS Security Awareness Summit. Resulted in further dialogue with the SANS Institute, towards collaboration between awareness experts across both academic and industry. - |
| Year(s) Of Engagement Activity | 2015 |
| URL | https://www.sans.org/event/european-security-awareness-summit |
| Description | STS Kyoto |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Industry/Business |
| Results and Impact | Invited Talk, "Cybersecurity Challenges facing Society", Science and Technology in Society Forum (STS), Kyoto |
| Year(s) Of Engagement Activity | 2015 |
| Description | Security behaviours in organisations |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Other audiences |
| Results and Impact | Workshop on The Economics and Human Aspects of Cyber-Security. School of Economics, University of Kent, 20th November 2017 - attended by researchers |
| Year(s) Of Engagement Activity | 2017 |
| Description | The Psychology Behind Cyber Attacks and How to Manage the Insider Threat |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Cyber Security Summit & Expo. London, UK, 16th November 2017 |
| Year(s) Of Engagement Activity | 2017 |
| Description | UCL MSc Open Evening 2015 |
| Form Of Engagement Activity | Participation in an open day or visit at my research institution |
| Part Of Official Scheme? | No |
| Geographic Reach | Local |
| Primary Audience | Undergraduate students |
| Results and Impact | Talk, "Adventures in Policy Land", UCL MSc Open Evening, UCL. - |
| Year(s) Of Engagement Activity | 2015 |
| Description | Understanding Cyber and System Security Aspects |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | invited keynote speaker at 'Human Factors in Systems Safety and Security' Summer School, Bournemouth University |
| Year(s) Of Engagement Activity | 2017 |
| URL | https://cybersecurity.bournemouth.ac.uk/?p=463 |
| Description | VIP lunchtime panel session |
| Form Of Engagement Activity | A formal working group, expert panel or dialogue |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | Panel discussant at WIRED Security event - lunchtime session exploring how businesses can work to prepare against the ever-evolving threat of cyber attacks, and what to do if they suffer a breach. |
| Year(s) Of Engagement Activity | 2017 |
| URL | http://www.wired.co.uk/article/wired-security-2017-exploring-cybersecurity |
| Description | Vodafone |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Industry/Business |
| Results and Impact | Invited Talk, "Cyber Security and the Human-Technology Interface" |
| Year(s) Of Engagement Activity | 2015 |
| Description | WIRED Magazine UK |
| Form Of Engagement Activity | A magazine, newsletter or online publication |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Public/other audiences |
| Results and Impact | Quoted expert, "How we'll fight cybercrime over the next ten years", WIRED Magazine UK, January 2015 - |
| Year(s) Of Engagement Activity | 2015 |
| URL | http://www.wired.co.uk/magazine/archive/2015/01/start/big-question-fighting-cybercrime |
| Description | Work Magazine |
| Form Of Engagement Activity | A magazine, newsletter or online publication |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Public/other audiences |
| Results and Impact | Quoted expert, "Cybercrime 2015: No one is safe", Work Magazine, Winter 2015, Pg. 28, CIPD. - |
| Year(s) Of Engagement Activity | 2015 |
| Description | Workshop on Advanced Strategies in Cybersecurity (Berlin) |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | talk given at Workshop on Advanced Strategies in Cybersecurity, "The impact of public disclosure", German Federal Foreign Office, Berlin. - |
| Year(s) Of Engagement Activity | 2013 |
| Description | Would you like some Anti-Virus Protection with that? Adventures in Point-of-Sale Security |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | Keynote speaker at EuroUSEC workshop - interdisciplinary group of researchers and practitioners in human computer interaction, security and privacy as well as researchers and practitioners from other domains such as psychology, social science and economics. |
| Year(s) Of Engagement Activity | 2017 |
| URL | https://usec.cispa.uni-saarland.de/eurousec17/#program |