Leveraging the Multi-Stakeholder Nature of Cyber Security

Lead Research Organisation: University of Nottingham
Department Name: School of Computer Science


Cyber Security (CyS) is a challenging, distributed, multi-stakeholder problem. It is distributed in the sense that the expertise to comprehensively assess the level of security of a given IT system is commonly not all available in one location; e.g. detail on the IT components within a company is available within that company, while detail on operating system software vulnerability may be available to the OS manufacturer and further expert insight may be available to public security agencies, such as CESG. It is a multi-stakeholder problem because a number of human stakeholders, from IT designers to users with varying levels of expertise, need to effectively communicate and work together in order to deliver systems with an appropriate level of CyS assurance.

This interdisciplinary project brings together leading academic experts from the University of Nottingham, UK and Carnegie Mellon University, USA, with a strongly integrated project partner: CESG - the UK's National Technical Authority for Information Assurance. The project is designed to leverage the distributed, multiple human stakeholder nature of CyS by developing a novel framework with the necessary scientific underpinning to improve user access to user-tailored CyS information, operationalised as a cutting-edge, data-driven Online CYber Security decision support System (OCYSS). This approach is designed to directly address an acute shortage of availability and access to highly qualified CyS experts by both small-to-large scale users from government to industry.

The role of OCYSS is to effectively and efficiently integrate expert and user inputs, capturing commonly uncertain vulnerability levels of individual components as well as vulnerabilities arising from the interaction/combination of these components, to efficiently deliver appropriate, balanced, informed and up-to-date threat analysis and CyS decision support to users.

Importantly, the OCYSS framework:
- Addresses the limited availability of CyS experts by comprehensively capturing and aggregating their insight and expertise to assess the vulnerability, including associated levels of uncertainty, of individual system components (e.g. intrusion detection, encryption) and their interactions (e.g. SSL 3.0 and weak password). This information is captured centrally by OCYSS and updated regularly.
- Avoids delays in threat analysis and potential mitigation by providing a direct pathway for newly discovered component vulnerabilities & component interaction vulnerabilities (and associated uncertainty) to be rapidly put forward, incl. by manufacturers such as Oracle and third party organisations such as Symantec.
- Is designed to deliver user-tailored, comprehensive and up-to-date threat analysis and decision support which is continuously updated as new information becomes available. OCYSS's two-stage outputs capture uncertainty in A) the threat analysis inputs (e.g. uncertainty around a component vulnerability over time and by different experts) and B) in intuitive benefit-cost analysis on threat mitigation in response to asset ranking by users (e.g. a low value asset may not warrant a high investment to address a low threat).

Going beyond the scope of a standard research project, this project is designed to not only deliver cutting-edge science, developing key advances in data science and HCI, but to also deliver a real-world, open source prototype of the OCYSS framework. This enables the project to conduct an exceptional level of evaluation and tailoring to real-world CyS challenges, including the deployment of OCYSS in real-world contexts such as government departments advised by CESG. Further, through this approach, the project is able to deliver both open source algorithms and a substantial open-source software platform prototype, facilitating the academic reproduction of results, as well as substantially boosting the potential of commercial up-take of the project outcomes.

Planned Impact

The proposed research will directly benefit UK stakeholders in the public and commercial sectors which are dependent on the UK's ability to perform informed, timely and accurate cyber security (CyS) assessments and decisions. Through enabling user-specific, comprehensive, up-to-date and actionable decision support, incl. dynamically updated cost-benefit analysis highlighting priority areas of investment to improve security, the project is designed to deliver clear benefits in CyS and thus UK IT system resilience. The latter is of direct benefit to the UK's economy and wider population. At an international level, insights gained will be applicable to supporting CyS efforts beyond the UK, in the US and world-wide.

As highlighted by CESG, the UK Government's National Technical Authority for Information Assurance, the work proposed addresses urgent challenges in CyS around the lack of availability and access to highly qualified CyS experts by large, medium and small-size users. This prevents timely cyber-security assessment of users' IT systems, exposing them, their respective users and the wider UK public to cyber-attack, incl. the theft of both commercial and personal data. The project is designed to leverage the distributed multi-stakeholder nature of CyS by introducing a framework (and required scientific underpinnings) which combines the expertise of CyS experts and trusted third parties (captured regularly) with the user-provided information on user IT systems, in order to deliver up-to-date, comprehensively informed, user-tailored CyS assessments and decision support. The project goes beyond the creation of an academic framework, producing a real-world, open-source software prototype which will enable real-world deployment and evaluation and facilitate both commercial up-take and academic replication.

Through working closely with the international partner, Carnegie Mellon University (CMU), and with CESG, the project is in a unique position to deliver real impact that goes beyond academic output and real-world tools and lays the foundations for a novel sector in the UK CyS industry which provides CyS decision support by aggregating multiple sources, incl. human and digital ones.

- By working closely with and leveraging strong support from CESG, the project is designed to deliver the foundations for a new comprehensive approach to CyS assessment which combines the knowledge of the UK's world-leading CyS experts with cutting-edge interdisciplinary data, HCI, and Human Factors science for data elicitation, fusion and communication techniques in order to provide a step-change in the availability and quality of CyS decision support.
- Through strong collaboration with CMU, a world leader in CyS, the project provides a pathway for cross-learning between the UK and the US as well as creating a platform for extended networking both for the project partners but also for the wider UK CyS sector. For example, the project includes two outward facing workshops designed specifically for this purpose.

Beyond impact related directly to CyS assessments, the methods created during this research will also deliver impact through informing analysis in other contexts where the systematic fusion of generally qualitative human insight with often uncertain quantitative data is vital, such as environmental planning and market research.

The proposed research directly addresses the Partnership for Conflict, Crime and Security Research (PaCCS) RCUK priority area of CyS. No funding in EPSRC's portfolio addresses the essential research at the interface of data science, modelling of uncertain data and HCI / Human Factors as the proposed project does. Finally, as an underpinning aspect of the Digital Economy (DE), the combination of human insight & expertise with smart data processing and representation is directly relevant to the DE and ICT areas in HCI, AI Technologies, Graphics and Visualisation and Information Systems.

Description We have found evidence that modelling interval-valued (component) data enables a better approximation of overall assessments. This is important, as it shows, for example, that in a cyber security context there is value in capturing the uncertainty associated with the vulnerability of components in an attack vector, in order to then better predict the vulnerability of attack vectors containing those components, including the associated uncertainty.
Exploitation Route The findings are generic and can be applied whenever (interval-valued) data can be captured and aggregated. This is for example applicable in polling, marketing, manufacturing and cyber security.
Sectors Digital/Communication/Information Technologies (including Software); Financial Services, and Management Consultancy; Government, Democracy and Justice; Manufacturing, including Industrial Biotechnology; Security and Diplomacy

Description The findings have been fed into both public and private sector outputs, including an invited talk at CyberUK 2018, the UK's premier government-led conference in cyber security, as well as a new collaboration with JPMC, which, as one of the largest financial institutions in the UK, forms part of the UK's critical national infrastructure. Further, the findings have informed the creation of a publicly accessible, open-source package for capturing uncertain data from people (DECSYS), which has attracted funding from the NCSC and has been available in its first version since late 2019.
First Year Of Impact 2019
Sector Digital/Communication/Information Technologies (including Software); Financial Services, and Management Consultancy; Security and Diplomacy
Impact Types Societal; Economic; Policy & public services

Title Ellipse-based response-format to capture interval-valued responses. 
Description This is a novel survey response-format. It allows respondents to quickly and easily provide interval-valued responses, to indicate uncertainty, vagueness or inherent range in their responses. Although it is already possible to capture interval-valued responses in a number of ways, this novel response-format allows provision of these more data-rich responses in a substantially more cohesive and intuitive manner. Specifically, respondents draw an ellipse, of variable size, that encompasses the full portion of the response-scale that they feel represents an appropriate response. Empirical assessment of the added-value and usability of this response-format is currently being conducted. This is being done in parallel with development of practical methods to capture these responses in digital format, taking advantage of the recent proliferation of touch-screen (and particularly stylus-based) devices. We believe that making software available to allow easy uptake and application of this response-format will facilitate its future use across a broad variety of domains, which each stand to benefit from capture of the additional information provided by interval-valued responses. 
Type Of Material Physiological assessment or outcome measure 
Year Produced 2019 
Provided To Others? Yes  
Impact Initial publication of this method is in progress (FUZZ-IEEE 2019). Full open-source release of the accompanying software is due later this year. 
URL http://www.lucidresearch.org/software.html
Title DECSYS - Discrete and Ellipse-based response Capture SYStem. 
Description This software enables the creation and administration of digital surveys that elicit both conventional and interval-valued responses (using a novel ellipse-based response format). DECSYS incorporates a range of features, and is designed to maximise versatility for experimenters and usability for participants. Surveys can be conducted either locally or online, and results easily exported. The key component of DECSYS is that it provides a vehicle for digital capture of survey responses using an ellipse-based response-format. DECSYS takes advantage of the recent proliferation of touch-screen (and particularly stylus-based) devices to do so in a fast, cohesive and intuitive manner. The ellipse-based format allows respondents to quickly and easily provide interval-valued responses, so as to indicate uncertainty, vagueness or inherent range in their responses. Specifically, respondents draw an ellipse, of variable size, that encompasses the full portion of the response-scale that they believe represents an appropriate response. Empirical assessment of the added-value and usability of this response-format is also currently being conducted. 
Type Of Technology Webtool/Application 
Year Produced 2019 
Open Source License? Yes  
Impact This software is due for open-source release in the summer (2019). We believe that its provision will facilitate uptake and application of the ellipse-based response-format across a broad variety of domains, which each stand to benefit from capture of the additional information provided by interval-valued responses. 
URL http://www.lucidresearch.org/software.html
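The following Python example is added here and is not part of this project record, of DECSYS, or of OCYSS. It ties together two points made above: the key finding that modelling interval-valued component data gives better assessments of attack-vector vulnerability, including uncertainty, and the ellipse-based response format that DECSYS uses to capture those intervals. It digitises an ellipse drawn over a response scale into an interval, averages several experts' intervals per component, and combines the per-component intervals along a chain of components so that the uncertainty in the inputs is carried into the output. The axis-aligned ellipse geometry, the chord-on-the-scale rule, the averaging and product rules, the component names and the sample responses are all assumptions constructed for this example, not the project's actual methods or data.

```python
"""Added example: ellipse-based interval capture and interval-valued aggregation.

Everything below (geometry, aggregation rules, sample data) is an assumption
made for illustration; it is not DECSYS or OCYSS code.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

Interval = Tuple[float, float]


@dataclass(frozen=True)
class Ellipse:
    """Axis-aligned ellipse drawn on the survey page, in pixel coordinates."""
    cx: float
    cy: float
    rx: float
    ry: float


def ellipse_to_interval(e: Ellipse, scale_y: float, x0: float, x1: float) -> Interval:
    """Map the portion of the response scale covered by an ellipse to [0, 1].

    The scale is assumed to be the horizontal line y == scale_y from pixel x0
    to x1.  The interval is the chord where the ellipse crosses that line,
    clipped to the scale and normalised.  An ellipse that never touches the
    scale is rejected rather than silently turned into a point response.
    """
    if e.rx <= 0 or e.ry <= 0 or x1 <= x0:
        raise ValueError("degenerate ellipse or scale")
    t = (scale_y - e.cy) / e.ry
    if abs(t) > 1.0:
        raise ValueError("ellipse does not cover the response scale")
    half_chord = e.rx * math.sqrt(1.0 - t * t)
    lo = max(x0, e.cx - half_chord)
    hi = min(x1, e.cx + half_chord)
    if hi < lo:
        raise ValueError("ellipse lies outside the response scale")
    width = x1 - x0
    return ((lo - x0) / width, (hi - x0) / width)


def mean_interval(intervals: List[Interval]) -> Interval:
    """Aggregate several experts' intervals for one component by averaging
    the bounds; the result is still an interval, so uncertainty is retained."""
    n = len(intervals)
    return (sum(lo for lo, _ in intervals) / n, sum(hi for _, hi in intervals) / n)


def disagreement(intervals: List[Interval]) -> float:
    """Spread between the outermost bounds: a simple flag that the experts
    disagree and the component deserves a closer look before acting on it."""
    return max(hi for _, hi in intervals) - min(lo for lo, _ in intervals)


def chain_interval(components: List[Interval]) -> Interval:
    """Vulnerability of a chain in which every component must be defeated.

    Treats each component interval as bounds on an independent likelihood in
    [0, 1]; interval arithmetic on the product gives best and worst case.
    """
    lo, hi = 1.0, 1.0
    for c_lo, c_hi in components:
        lo *= c_lo
        hi *= c_hi
    return (lo, hi)


def any_of_interval(components: List[Interval]) -> Interval:
    """Vulnerability when defeating any single component suffices: 1 - prod(1 - v)."""
    min_fail, max_fail = 1.0, 1.0
    for c_lo, c_hi in components:
        min_fail *= (1.0 - c_hi)   # all components at their most vulnerable
        max_fail *= (1.0 - c_lo)   # all components at their least vulnerable
    return (1.0 - max_fail, 1.0 - min_fail)


# Constructed sample: two experts rate two components on a 400 px scale at y = 100.
SCALE_Y, X0, X1 = 100.0, 0.0, 400.0
RESPONSES: Dict[str, List[Ellipse]] = {
    "ssl3_enabled": [Ellipse(cx=300, cy=100, rx=40, ry=20),    # chord 260..340
                     Ellipse(cx=320, cy=100, rx=80, ry=20)],   # chord clipped at 400
    "weak_passwords": [Ellipse(cx=200, cy=100, rx=20, ry=20),  # chord 180..220
                       Ellipse(cx=240, cy=112, rx=50, ry=20)], # off-centre: chord 200..280
}


def assess(responses: Dict[str, List[Ellipse]], scale_y: float, x0: float, x1: float):
    """Digitise every response, aggregate per component, then along the chain."""
    per_component = {}
    for name, ellipses in responses.items():
        ivs = [ellipse_to_interval(e, scale_y, x0, x1) for e in ellipses]
        per_component[name] = {"interval": mean_interval(ivs),
                               "disagreement": disagreement(ivs)}
    chain = chain_interval([v["interval"] for v in per_component.values()])
    return per_component, chain


if __name__ == "__main__":
    comps, chain = assess(RESPONSES, SCALE_Y, X0, X1)
    for name, v in comps.items():
        print(f"{name:15s} interval={v['interval']} disagreement={v['disagreement']:.2f}")
    print("chain (all components must be defeated):", chain)
```

The point to notice is that the chain estimate comes out as a range rather than a single number: a decision maker sees that the combined vulnerability could be anywhere within it, and the per-component disagreement value shows which input is driving that width and therefore where a further expert opinion would narrow the answer most.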
Description DECSYS workshop at Carnegie Mellon University 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Postgraduate students
Results and Impact This was a presentation and workshop about the DECSYS survey software, at Carnegie Mellon University. This was attended by postgraduate students and academic staff from multiple departments, and involved a presentation, demonstration and opportunity for use of the DECSYS software. Following the visit, we left equipment at CMU to permit future use of this survey software and facilitate future collaborative research, which we hope to conduct this year.
Year(s) Of Engagement Activity 2019
URL http://www.lucidresearch.org/decsys.html
Description Poster presentation at MathPsych conference 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact This was a poster presentation detailing preliminary results of a study conducted this year, regarding the efficacy of interval-valued responses in capturing three sources of response uncertainty. This was presented at MathPsych 2019 (Montreal) during the main poster session. It involved discussion about and demonstration of the DECSYS software and associated ellipse-based interval-valued response format, over a period of a few hours, with many students and academics who attended the conference.
Year(s) Of Engagement Activity 2019
URL https://osf.io/s6y2d/