Scaling Trust: An Anthropology of Cyber Security

Lead Research Organisation: University of Warwick
Department Name: Centre for Interdisc. Methodologies

Abstract

With growing dependency on digital infrastructure, vulnerability to cyber disaster becomes a defining context for social life. Within the last two years WannaCry led to the cancellation of thousands of NHS appointments, NotPetya brought Maersk's global shipping operations to a halt, the Equifax hack compromised the details of 140 million people, and TSB's outage left thousands of customers defrauded. Behind these failures (to patch systems, to secure networks, to implement good governance) is a problem of scales: the smallest "weak link" can end up compromising the security of the whole system. Yet because complete security is unattainable in practice, living well with infrastructures has become a question of trust.

It is the premise of this fellowship that trust is not a "user's problem". Behind the services and utilities that we rely on in daily life, we can find an array of professional cyber security practices aiming to win and maintain trust, to question it and manage it across scales. How they go about doing that, their successes and failures, is the subject of this study.

The ambitious anthropological study of cyber security at the heart of this fellowship will be undertaken in collaboration with the UK's National Cyber Security Centre (NCSC). A broad programme of ethnographic research will focus on long term participant observation of governance processes and knowledge practices within Critical National Infrastructure (CNI) organisations. Three trajectories of investigation comprise the core of the fellowship:

- In years 1-2, with an ethnographic study of the implementation of the Network and Information Systems directive in 2 CNI locations, it asks: how does cyber security policy "scale" best practice into diverse real-world contexts?
- In years 3-4, with an ethnographic analysis of how trust is built through the "rituals" of corporate governance in 3 CNI locations, it asks: how do IT practitioners "scale up" local forms of trust to create "high level" holistic representations with which approval can be given, and responsibility taken?
- In years 5-7, with an examination, conducted together with a postdoc, of the impact of new technologies of automation and AI on cyber security practice, it asks: how do new technologies reconfigure trust?

Traditionally led by engineers, cyber security has a legacy of treating people or users simplistically: as problems, or attack vectors. Interdisciplinary approaches have had steady success over recent years in developing more nuanced approaches. This fellowship advances the state of the art in interdisciplinary cyber security research with an anthropological style of empirically grounded critical conceptual analysis of the professional practices involved in making and managing trust across scales. In doing so it will also make important contributions to several fields of research in the social sciences: the anthropology of governance and accountability, the sociology of trust, and interdisciplinary studies of the digital infrastructures that underlie contemporary societies.

A comprehensive impact programme will ensure that the study stays aligned with policymakers' priorities, and contributes to cyber security policy and practice across industry and government. Academic audiences will be reached through presentation at leading conferences and an ambitious publication strategy targeting high impact journals, and an academic monograph, aiming to be a definitive anthropological account of cyber security.

The fellow's professional background in managing digital and IT projects is indispensable to this research, as is his research experience in the ethnography of computational science. An extensive training and discipline-hopping programme will make the fellow a research leader, standing between academic fields, industry, and policy, poised to produce the engaged interdisciplinary research needed to tackle the Grand Challenges of the UK's Industrial Strategy.

Planned Impact

1. PUBLIC SECTOR BENEFICIARIES
Several public agencies (for example Cabinet Office, the FCO, BEIS, security services and DCMS) have responsibilities for cyber security, and stand to benefit from this research.
- Enhanced understanding of the relations between trust and security generated by this project may lead to improvement in both content and style of cyber security policy and legislation, leading in the long term to enhanced security for the UK, with the social and economic benefits it brings.
- An empirically rich ethnographic account of governance processes is likely to produce new insights about how policymakers can make effective interventions, and how they formulate the problems of cyber security.
- An account of new developments in technology and delivery models for IT systems, and the differences these make to practices of managing and scaling trust, may help policymakers respond effectively to emerging challenges in cyber security as well as reconfigurations of old challenges.
- Policymakers in the UK are the most direct beneficiaries, but international policy stakeholders may also benefit through academic communication and participation in government and industry events and workshops.

2. INDUSTRY BENEFICIARIES
Organisations hosting ethnographic fieldwork stand to benefit through the frequent opportunities for knowledge exchange that this research method creates. This includes:
- For senior management, recommendations emerging from the research regarding effective cyber security practices may drive improvements in governance processes.
- For board members, insights into the management of trust may help facilitate more effective high-level oversight of risks.
- For cyber security practitioners, collaboration with an ethnographer is an opportunity to catalyse new modes of reflection leading to improvements in processes and practices. Participative methods developed in this fellowship will further promote these opportunities, running 10 workshops, using a set of ethnographic vignettes selected for their ability to provoke discussion and critical thinking about the nature of trust in cyber security.
- Such improvements in cyber security practices lead to lower exposure to risks and better economic performance and corporate responsibility. While these benefits are directly anticipated for host organisations, the indirect benefits extend, through contributions to professional forums and through policy impacts, to the wider sector of public and private organisations.

3. ACADEMIC BENEFICIARIES
- Content-based benefits: This fellowship will make strong contributions to the interdisciplinary understanding of trust, security, scale, governance and infrastructure. Please see the Case for Support section 4.2 for detail.
- Methodological benefits: This fellowship aims to go beyond the established tradition of ethnographic observation by developing a new mode of participation in the study of technology. This is done in this project by two moves: 1) through the development of the fellow as an interdisciplinary cyber security researcher rather than as an "outsider" social scientist; 2) through the development of participative methods that engage the community of practitioners, otherwise the subjects of research, in reflection on their professional activities and their relation to trust.
- Interdisciplinary benefits: This fellowship contributes to the vibrant interdisciplinary research culture at Warwick and beyond.
- Through dissemination of findings, collaboration, and workshop events, the fellowship will provide a significant boost to the growing international community of researchers at the interface between STS and cyber security.
In all these respects, the research activities under this fellowship will comprise a strong demonstration of the value of interdisciplinary methodologies to the "hard" problems of today, thus advancing the engagement of the social sciences with contemporary society.

Publications

Spencer M (2022) Characterising assurance: scepticism and mistrust in cyber security in Journal of Cultural Economy

Spencer M (2022) Figure - Concept and Method

Spencer M (2024) Navigating the landscape of security modelling: the MORS grid in Journal of Cybersecurity

Spencer M J (2021) Creative Malfunction: Finding Fault with Rowhammer in Computational Culture: A Journal of Software Studies

 
Description Scaling Trust is an interdisciplinary research programme drawing on resources from anthropology, sociology, communication studies, literary theory, philosophy of science and computing. Using interviews, textual analysis, workshops and ethnographic observation, the project examines key transformations in Cyber Security policy and practice. The focus of the fellowship, which was adapted to the realities of conducting the first phase of the research during the Covid-19 pandemic, was on two domains. In each case, we examined: how have novel models and methods reshaped trust and securing in contemporary society? How do new ways of narrativizing threats, problems of technology and scale, and security solutions define what a secure future may be? These domains were:

A) Examining current transformations in technology assurance, we developed a communication-centred analytical framework, demonstrating its value in a case study of the shift in UK product assurance policy towards a new style of 'principles-based assurance' and clarifying the stakes of this transformation, for thinking about certification, markets and trust.
B) We extended the framework to apply to the recent history of secure IT architectures, looking at the origins of 'de-perimeterisation' in industry debates about the nature of security during the 2000s and 2010s that challenged intuitions of a protected 'inside' that focussed securing instead on the constitution of asset value. We found in these debates the roots of the 'Zero Trust' model of security architecture that is increasingly dominant today, and based on this developed a new analysis of the potential flaws in Zero Trust.

In both of these domains, we have been examining how the meaning of security and trust is changing in our contemporary digital society. The concept of cyber security assurance is changing, from a notion of due diligence to one of critical capacity. The concept of security, within large organisations, has likewise changed, from a general defensive model, to a value- and surveillance-centred approach. These shifts influence what it is like to work in organisations, how organisations can be regulated, how markets operate, and the risks that we are exposed to as consumers, and help us to understand contemporary digital transformations.

The project has:
- Created new knowledge in each domain studied, of interest to academics, the cyber security profession, and policymakers (5 papers published, and 2 forthcoming)
- Contributed to cyber security policy and guidance through reports and involvement in 3 expert working groups
- Built a novel synthesis of theoretical approaches from Science and Technology Studies, and Security Studies, raising new research questions for the Science and Technology Studies and Cyber Security communities.
- Created a new empirical research methodology, 'Trust Mapping'. This is a workshop protocol designed to help researchers investigate the nature of assurance within complex organisations, and to facilitate reflective practice among the profession.
- Delivered 5 Trust Mapping sessions with critical national infrastructure organisations in telecommunications, banking and energy sectors.
- Fostered the community of interdisciplinary researchers conducting critical and sociocultural studies of cyber security, through the organisation of two interdisciplinary academic events, and running 2 critical modelling workshops.
Exploitation Route The fellowship is closely aligned with policymakers' priorities, and has been shaped by collaborative engagement with policy stakeholders from the beginning, and throughout delivery. The outcomes of 'Scaling Trust' are directly translated for policy audiences, via presentations, reports and consulting. Key recommendations for this audience have been captured in a detailed policy report supporting the design of product assurance in the UK, and a policy brief on the future of Zero Trust architectures. These texts contribute to the quality of ongoing debate, and have been taken forward by policymakers, with discussions and policy development in these areas ongoing.

The Trust Mapping methodology is designed to enhance cyber security practices, and thus to be of value to the wider cyber security community, including companies across many different sectors of the economy. These workshops were piloted in 2022 and launched in 2023, with the materials made freely available for reuse.

Academic audiences for the research outcomes are reached via publications and conference presentations. For scholars in Science and Technology Studies, cyber security is an under-researched area. For scholars in Cyber Security, the fellowship contributes to the quality of interdisciplinary debate.

The 'renewal' period of funding commenced in 2024, and directly takes forward and develops all the outcomes in an ambitious further programme of research, including a book length treatment of the theoretical approach, for a broad interdisciplinary audience.
Sectors Aerospace, Defence and Marine; Communities and Social Services/Policy; Digital/Communication/Information Technologies (including Software); Energy; Financial Services, and Management Consultancy; Healthcare; Government, Democracy and Justice; Security and Diplomacy; Transport

URL https://warwick.ac.uk/fac/cross_fac/cim/research/scaling-trust
 
Description Research that contributes to the enhancement of cyber security policies and practices has wide-ranging knock-on impacts on quality of life, effectiveness of public services, and economic performance. All these aspects of society depend upon core technologies and infrastructures being safe and secure, a dependency that, as this research has demonstrated, is not only technically challenging, but also involves a significant cultural component, organising practices effectively around what it means to do security.

The project develops a 'relational impact' strategy, recognising that the complexity of the field of cyber security means that policy problems are often weakly formulated or contested, and that a key value of academic contributions is in the clarification and diversification of problem formulations, ensuring that multiple perspectives are taken into account, and that many kinds of research and evidence are addressed. This approach also aligns with the theoretical foundations of the project in social studies of science and technology, which have long emphasised the complexities of problem formulation.

The impact strategy focuses primarily on policy and industry. These are areas requiring sustained programmes of engagement, to develop the relationships, evidence and materials required for successful impact. The Future Leaders Fellowship has enabled this approach, with long-term funding as well as high quality training opportunities in impact and policy engagement.

On the side of policy, the project has built strong relationships, primarily with people in central government, assisted by the advisory board and project partner. This was particularly vital in steering the project focus during the disruptions of the Covid-19 pandemic to ensure that the research programme would be well aligned with current priorities. A variety of engagements, including a working group and presentation of work to a policymaker audience, developed this relationship, and led to the key project output, a policy report entitled 'Assurance by Principle', which makes a number of recommendations, particularly around communication and governance, and in the words of one UK government representative has "shaped our thinking" in the security assurance space. The report has reached a wide audience, featuring in the National Cyber Security Centre's Chief Technology Officer's newsletter. This line of work on assurance has led to requests for further consultation from policymakers in the UK and the US and from industry stakeholders, and to the organisation of a 2024 round-table event on the future of assurance, bringing together academics, industry and government. Discussions with collaborators met through these activities about future research in this area are ongoing. Improvements to how security is evaluated directly affect businesses and other organisations, by improving their level of cyber security and reducing risks of financial losses; and by improving the cyber security of organisations, the work contributes to reducing the exposure of people across the UK to risks of data loss, cyber crime and harmful service outages.

The project seeks to further contribute to the quality of cyber security policy (aiming at impacts on the public and on industry, via improvements to policy), by collaborating with policymakers and industry experts on new guidance supporting industry in adopting cyber security best practice. These collaborative engagements are driven by policymakers, seeking academic input via expert working groups. The project has been able to contribute knowledge of the relevant research space, and to bring academic skills and expertise in synthesising and communicating complex information. So far, this has involved substantial inputs to two reports, one a sector-specific threat report, and one targeted at corporate boards, both of which have received acclaim from senior figures within government.

The project seeks direct impacts for collaborating businesses, driving improvements to their internal cyber security practices. Three CNI organisations hosted workshops involving their security teams, which were designed and facilitated by the PI, using a methodology designed to promote learning and reflective practice. These 'Trust Mapping' sessions pick a system of interest, where the participant group has current assurance challenges, and map out the social relationships upon which they depend. Feedback from participants has been very positive (see details given elsewhere in this submission), and participants have also played a big role in supporting the development of the methodology, which involves a structured approach and card deck. Using social theory and empirical research, the project makes the argument that achieving sustained good security outcomes requires security practitioners to be able to think about security problems in creative ways, exploring diverse perspectives and challenging dominant modes of practice. Trust Mapping is one example of how these ideas can be put into practice in the research process.

To further develop the impact of the workshops, the Trust Mapping methodology (protocol and materials) has been released under a Creative Commons license, and presented at the "SPRITE+" Network+ conference to a mixed audience of academics, policymakers and industry stakeholders. The ongoing goal of the project is to enable these methodologies to be widely adopted and adapted, and the next phase of the fellowship will build on this.

In the longer term, the project contributes to the evolving terrain of interdisciplinary cyber security research. Social and socio-technical approaches to security have blossomed since the late 1990s, but tend to draw on a relatively limited repertoire of social thought. Critical security studies has developed greatly in the same timespan, bringing together discourse-centred and materialist approaches, but rarely makes contact with cyber security practice. Scaling Trust aims to build out a new synthesis between cyber security and social and cultural thought. It also develops a methodological strategy of engaged, participatory research, in the sense that the research strategy involves participating in the 'doing' of security with practitioners, alongside the production of data and generation of theoretical analysis. In both these ways, a greater synthesis of social, cultural and technical dimensions is developed.
First Year Of Impact 2023
Sector Digital/Communication/Information Technologies (including Software); Government, Democracy and Justice; Security and Diplomacy
Impact Types Societal, Economic, Policy & public services

 
Description 'Think piece' report for industry partners
Geographic Reach Local/Municipal/Regional 
Policy Influence Type Contribution to new or improved professional practice
 
Description Contribution to cyber security guidance for corporate boards
Geographic Reach National 
Policy Influence Type Contribution to new or improved professional practice
URL https://www.ncsc.gov.uk/blog-post/i100-and-ncsc-collaborate-on-refreshed-guidance-for-boards
 
Description Influence on cyber security assurance development
Geographic Reach National 
Policy Influence Type Contribution to new or improved professional practice
Impact After reviewing the report, one civil servant gave the following feedback: "I've found the draft you sent incredibly useful and have made use of it myself within our own [assurance policy] efforts so far. I like the structure and it works well for me." At a recent event bringing together academics, policymakers and industry, an NCSC representative said, as part of a presentation on the use of academic research in policy, that my report was "invaluable in shaping our thinking" around assurance policy. The report featured at the top of the list in the NCSC Chief Technology Officer's newsletter, reaching a very wide audience (the newsletter is subscribed to by a very wide audience of technical cyber security leaders in the UK and beyond): https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-april The 'Assurance by Principle' report was featured in a blog by the Chief Technology Officer of the NCSC: https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-april
URL https://bpb-eu-w2.wpmucdn.com/blogs.bristol.ac.uk/dist/3/939/files/2024/03/RISCS_ASSURANCE-BY-PRINCI...
 
Description Policy Research Report: 'Being Secure, Being Sure, Being Assured'
Geographic Reach National 
Policy Influence Type Participation in a guidance/advisory committee
Impact Most impacts are yet to become visible, but initial feedback from policymakers suggests that the report is expanding the types of stakeholders being considered in current policy development.
 
Description Threat Report
Geographic Reach National 
Policy Influence Type Contribution to new or improved professional practice
 
Description Scaling Trust: An Anthropology of Cyber Security (Renewal)
Amount £595,275 (GBP)
Funding ID MR/X023338/1 
Organisation Medical Research Council (MRC) 
Sector Public
Country United Kingdom
Start 03/2024 
End 04/2027
 
Title Trust Mapping methodology 
Description The Trust Mapping methodology is designed to help cyber security practitioners to visualise their perspective on the trustworthiness of technology, by mapping out the space of agents, flows of information and forms of knowledge in which they find themselves. In addition to serving as a research methodology, Trust Mapping is intended to be of wider use to the professional community, and resources are openly available under a Creative Commons license. 
Type Of Material Improvements to research infrastructure 
Year Produced 2023 
Provided To Others? Yes  
Impact The methodology has been developed in collaboration with, and used within, three large CNI organisations in the UK. Details of feedback are captured in the 'engagement' section of this report. 
URL https://doi.org/10.5281/zenodo.8074198
 
Description Interview for an article on hardware security 
Form Of Engagement Activity A press release, press conference or response to a media enquiry/interview
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Public/other audiences
Results and Impact Interview for a journalistic article on the Italian 'Netwars' site, about hardware security.
Year(s) Of Engagement Activity 2022
 
Description Legal sector threat report working group 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact Member of a working group drawing up a threat report for the UK legal sector. Responsible for bringing together expert perspectives, and advising on matters relating to communication.
Year(s) Of Engagement Activity 2023
 
Description Presentation to policymakers 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Research presentation for policymakers, audience of 8, sharing early research results and feeding in implications for current projects. Generated discussion and ongoing collaboration. This led to further engagement, for instance, one of the attendees would later give input into the questions addressed in the 'Assurance by Principle' policy report (2024).
Year(s) Of Engagement Activity 2021
 
Description Presentation with policymakers 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Presentation and Q&A session on research into cyber security assurance with a group of 23 government stakeholders. The goal was to communicate emerging research results. The focus of this engagement can be described as 'relational' policy engagement, targeted at situations in which the problems being addressed in policy are relatively weakly defined, and the academic contribution can be understood as improving the way in which problems are formulated by demonstrating the value of different disciplinary approaches. In this case, the session looked at how sociological approaches to semiotics and communication can clarify the stakes of product assurance policy.

Some feedback: 'It certainly got me thinking about those sociotechnical elements of assurance including things like what is the appropriate level of communication in assurance outputs for particular audiences and how that can be identified or whether it is possible to foster some sense of shared ownership in an assurance process in a way that is scalable.'
Year(s) Of Engagement Activity 2021
 
Description Two workshops with security practitioners at a Telecommunications company 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact A pair of 'trust mapping' workshops with security managers at a major telecommunications provider. This is a format of workshop designed to enable reflective practice among security practitioners, and lead to improvements in security practice. In the session, participants follow a structured methodology to draw out a visualisation of the social distribution of trust in relation to a security critical system. The workshops are also designed to generate insights for research and policy, informing our understanding of how organisations process uncertainty about security, and distribute responsibility and knowledge.

In the words of my main contact, asked for the views of the team, "it was a hit!". Participants reported that the sessions improved their shared understanding of organisational structure. Other feedback included "I think this session is really good for sharing and learning. We do work in silos and it helps to get together like this." Another participant said "I think it is really good to share perspectives. And the format works." The organisation expressed an interest in running further sessions in the future.
Year(s) Of Engagement Activity 2023
 
Description Working group on cyber security guidance for corporate boards 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact Membership of a working group producing UK cyber security guidance for corporate boards. The group gathered extensive input from policymakers, private sector stakeholders, and academia. My participation brought academic expertise relating to this grant, around cyber security and communication, and skills in the synthesis of evidence.

Following this work I was asked to contribute in a similar way to other projects.
Year(s) Of Engagement Activity 2022
 
Description Workshop 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Professional Practitioners
Results and Impact Facilitation of workshop with 12 practitioners at a private company, with collaborators.
Year(s) Of Engagement Activity 2019
 
Description Workshop with a UK bank 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact A 'trust mapping' workshop run with the security team of a major bank. This is a format of workshop designed to enable reflective practice among security practitioners, and lead to improvements in security practice. In the session, participants follow a structured methodology to draw out a visualisation of the social distribution of trust in relation to a security critical system. The workshops are also designed to generate insights for research and policy, informing our understanding of how organisations process uncertainty about security, and distribute responsibility and knowledge.

Participants said the session was 'really useful' and they 'liked the questions and prompts'. Another participant said it was helpful for thinking about 'how we can influence making changes to key issues'. A third remarked that 'this could be extremely beneficial when it comes to understanding control flows.'
Year(s) Of Engagement Activity 2022
URL https://github.com/m-j-spencer/trust-mapping
 
Description Workshop with a telecommunications provider 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact A 'trust mapping' workshop run with the security team of a telecommunications company. This is a format of workshop designed to enable reflective practice among security practitioners, and lead to improvements in security practice. In the session, participants follow a structured methodology to draw out a visualisation of the social distribution of trust in relation to a security critical system. The workshops are also designed to generate insights for research and policy, informing our understanding of how organisations process uncertainty about security, and distribute responsibility and knowledge.

A participant remarked that 'it is good to see the sheer complexity... You can't rely on one person to know everything. You've got to trust it works, as you aren't an expert. It is really useful to see what it looks like.' Another said 'I think it has given me greater visibility. I think I would potentially give people a break if I am leaning on them for something, seeing this bigger picture.' A third said 'It gives a good sense of the huge complexity and scale of this stuff.' The organisation expressed an interest in hosting further workshops in future.
Year(s) Of Engagement Activity 2022
URL https://github.com/m-j-spencer/trust-mapping
 
Description Workshop with an energy firm 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Workshop with security practitioners from a large energy firm, examining the social distribution of trust in relation to a particular software application. This created a great deal of discussion about design and methodology.
Year(s) Of Engagement Activity 2024
URL https://github.com/m-j-spencer/trust-mapping