Scaling Trust: An Anthropology of Cyber Security

Lead Research Organisation: University of Warwick
Department Name: Centre for Interdisc. Methodologies

Abstract

With growing dependency on digital infrastructure, vulnerability to cyber disaster becomes a defining context for social life. Within the last two years WannaCry led to the cancellation of thousands of NHS appointments, NotPetya brought Maersk's global shipping operations to a halt, the Equifax hack compromised the details of 140 million people, and TSB's outage left thousands of customers defrauded. Behind these failures (to patch systems, to secure networks, to implement good governance) is a problem of scales: the smallest "weak link" can end up compromising the security of the whole system. Yet because complete security is unattainable in practice, living well with infrastructures has become a question of trust.

It is the premise of this fellowship that trust is not a "user's problem". Behind the services and utilities that we rely on in daily life, we can find an array of professional cyber security practices aiming to win and maintain trust, to question it and manage it across scales. How they go about doing that, their successes and failures, is the subject of this study.

The ambitious anthropological study of cyber security at the heart of this fellowship will be undertaken in collaboration with the UK's National Cyber Security Centre (NCSC). A broad programme of ethnographic research will focus on long term participant observation of governance processes and knowledge practices within Critical National Infrastructure (CNI) organisations. Three trajectories of investigation comprise the core of the fellowship:

In years 1-2, with an ethnographic study of the implementation of the Network and Information Systems directive in 2 CNI locations, it asks: how does cyber security policy "scale" best practice into diverse real-world contexts?
In years 3-4, with an ethnographic analysis of how trust is built through the "rituals" of corporate governance in 3 CNI locations, it asks: how do IT practitioners "scale up" local forms of trust to create "high level" holistic representations with which approval can be given, and responsibility taken?
In years 5-7, together with a postdoc, the fellow will conduct an examination of the impact of new technologies of automation and AI on cyber security practice, asking: how do new technologies reconfigure trust?

Traditionally led by engineers, cyber security has a legacy of treating people or users simplistically: as problems, or attack vectors. Interdisciplinary approaches have had steady success over recent years in developing more nuanced approaches. This fellowship advances the state of the art in interdisciplinary cyber security research with an anthropological style of empirically grounded critical conceptual analysis of professional practices involved in making and managing trust across scales. In doing so it will also make important contributions to several fields of research in the social sciences: the anthropology of governance and accountability, the sociology of trust, and interdisciplinary studies of the digital infrastructures that underlie contemporary societies.

A comprehensive impact programme will ensure that the study stays aligned with policymakers' priorities, and contributes to cyber security policy and practice across industry and government. Academic audiences will be reached through presentation at leading conferences and an ambitious publication strategy targeting high impact journals, and an academic monograph, aiming to be a definitive anthropological account of cyber security.

The fellow's professional background managing digital and IT projects is indispensable to this research, as is his research experience in the ethnography of computational science. An extensive training and discipline hopping programme will make the fellow a research leader, standing between academic fields, industry, and policy, poised to produce the engaged interdisciplinary research needed to tackle the Grand Challenges of the UK's Industrial Strateg

Planned Impact

1. PUBLIC SECTOR BENEFICIARIES
Several public agencies (for example Cabinet Office, the FCO, BEIS, security services and DCMS) have responsibilities for cyber security, and stand to benefit from this research.
- Enhanced understanding of the relations between trust and security generated by this project may lead to improvement in both content and style of cyber security policy and legislation, leading in the long term to enhanced security for the UK, with the social and economic benefits it brings.
- An empirically rich ethnographic account of governance processes is likely to produce new insights about how policymakers can make effective interventions, and how they formulate the problems of cyber security.
- An account of new developments in technology and delivery models for IT systems, and the differences these make to practices of managing and scaling trust, may help policymakers respond effectively to emerging challenges in cyber security as well as reconfigurations of old challenges.
- Policymakers in the UK are the most direct beneficiaries, but international policy stakeholders may also benefit through academic communication and participation in government and industry events and workshops.

2. INDUSTRY BENEFICIARIES
Organisations hosting ethnographic fieldwork stand to benefit through the frequent opportunities for knowledge exchange that this research method creates. This includes:
- For senior management, recommendations emerging from the research regarding effective cyber security practices may drive improvements in governance processes.
- For board members, insights into the management of trust may help facilitate more effective high-level oversight of risks.
- For cyber security practitioners, collaboration with an ethnographer is an opportunity to catalyse new modes of reflection leading to improvements in processes and practices. Participative methods developed in this fellowship will further promote these opportunities, running 10 workshops, using a set of ethnographic vignettes selected for their ability to provoke discussion and critical thinking about the nature of trust in cyber security.
- Such improvements in cyber security practices lead to lower exposure to risks and better economic performance and corporate responsibility. While these benefits are directly anticipated for host organisations, through contributions to professional forums and through policy impacts, the indirect benefits extend to the wider sector of public and private organisations.

3. ACADEMIC BENEFICIARIES
- Content-based benefits: This fellowship will make strong contributions to the interdisciplinary understanding of trust, security, scale, governance and infrastructure. Please see the Case for Support section 4.2 for detail.
- Methodological benefits: This fellowship aims to go beyond the established tradition of ethnographic observation by developing a new mode of participation in the study of technology. This is done in this project by two moves: 1) through the development of the fellow as an interdisciplinary cyber security researcher rather than as an "outsider" social scientist; 2) through the development of participative methods that engage the community of practitioners, otherwise the subjects of research, in reflection on their professional activities and their relation to trust.
- Interdisciplinary benefits: This fellowship contributes to the vibrant interdisciplinary research culture at Warwick and beyond.
- Through dissemination of findings, collaboration, and workshop events, the fellowship will provide a significant boost to the growing international community of researchers at the interface between STS and cyber security.
In all these respects, the research activities under this fellowship will comprise a strong demonstration of the value of interdisciplinary methodologies to the "hard" problems of today, thus advancing the engagement of the social sciences to contemporary society.

Publications

Spencer M (2022) Figure - Concept and Method

Spencer M (2022) Characterising assurance: scepticism and mistrust in cyber security in Journal of Cultural Economy

Spencer M J (2021) Creative Malfunction: Finding Fault with Rowhammer in Computational Culture: A Journal of Software Studies

 
Description Scaling Trust is an interdisciplinary research programme drawing on resources from anthropology, sociology, communication studies, literary theory, philosophy of science and computing. Using interviews, textual analysis, workshops and ethnographic observation, the project examines key transformations in Cyber Security policy and practice. The focus of the initial fellowship, which was adapted to the realities of conducting the first phase of the research during the Covid-19 pandemic, was on two domains: technology assurance and security architectures. In each case, we examined: how have novel models and methods reshaped trust and securing in contemporary society? How do new ways of narrativizing threats, problems of technology and scale, and security solutions define what a secure future may be?

The project's key contributions so far have been primarily in two domains:

A) Examining current transformations in technology assurance, we developed a communication-centred analytical framework, demonstrating its value in a case study of the shift in UK product assurance policy towards a new style of 'principles-based assurance' and clarifying the stakes of this transformation.
B) We extended the framework to apply to the history of secure IT architectures, looking at the origins of 'de-perimeterisation' in a set of arguments about the nature of security that challenged intuitions of a protected 'inside' that focussed securing instead on the constitution of asset value.

In both of these studies, the analysis demonstrates how the meanings of security and trust are changing over time, in close dialogue with shifts in the technological environment. Two further domains are proposed for a future 'renewal' period of the fellowship. The focus on communication, historiography, storytelling and figuration allows us to unpack the evolution of the cultural dimensions of a field that often appears primarily technical, and to make sense of these transformations for society, for organisations and for policymakers.

The project has:
- Created new knowledge in each domain studied, of interest to academics, the cyber security profession, and policymakers.
- Contributed to cyber security policy and guidance.
- Built a novel synthesis of theoretical approaches from Science and Technology Studies, and Security Studies, raising new research questions for the Science and Technology Studies and Cyber Security communities. It asks: 'How are the meanings of security and trust renegotiated in cyber security practice?'
- Created a novel empirical research methodology, 'Trust Mapping', designed to investigate the nature of assurance within complex organisations, and to facilitate reflective practice among the profession.
- Fostered the community of interdisciplinary researchers conducting critical and sociocultural studies of cyber security, through the organisation of workshop events.
Exploitation Route The fellowship is closely aligned with policymakers' priorities, and has engaged collaboratively with policy stakeholders from the initial design phase, and throughout delivery. The outcomes of 'Scaling Trust' are directly translated for policy audiences, via presentations, reports and consulting. Recommendations so far have included a commentary on the language used in the design of assurance schemes. These are taken up either directly as advice, or indirectly as a contribution to the breadth of debate on key issues.

The Trust Mapping methodology is designed to enhance cyber security practices, and thus to benefit the wider cyber security community, including companies across many different sectors of the economy. These workshops have been piloted and refined and will be launched in 2023, with the materials made freely available for reuse.

Academic audiences for the research outcomes are reached via publications and conference presentations. For scholars in Science and Technology Studies, cyber security is an under-researched area. For scholars in Cyber Security, the fellowship contributes to the quality of interdisciplinary debate.
Sectors Aerospace, Defence and Marine; Communities and Social Services/Policy; Digital/Communication/Information Technologies (including Software); Energy; Financial Services, and Management Consultancy; Healthcare; Government, Democracy and Justice; Security and Diplomacy; Transport

URL https://warwick.ac.uk/fac/cross_fac/cim/research/scaling-trust
 
Description Research that contributes to the enhancement of cyber security policies and practices has knock-on impacts on the quality of life, effectiveness of public services, and economic performance. All these aspects of society depend upon core technologies and infrastructures being safe and secure, a dependency that, as this research has demonstrated, is not only technically challenging, but also involves a significant cultural component, organising practices around what it means to do security. There are impacts realised as a result of conducting this project in close collaboration with policymakers. The fellowship was conceived in dialogue with stakeholders in government, and their participation continued to be significant, especially during the pandemic. Through a number of channels, the project has made contributions to the formulation of new UK assurance policy, cyber security guidance and threat reports.

The project also has impact through the production of a method/tool for cyber security practitioners. The Trust Mapping workshop methodology has been trialled and refined, and will be further promoted over the remainder of the project. These sessions are designed to enhance the quality of cyber security risk management, and thus contribute to societal outcomes across all key fields. Beyond the sessions run by the PI, the methodology is designed to be open and reusable for others in the community to adopt and adapt.

In the longer term, the project contributes to the evolving terrain of interdisciplinary cyber security research. Social and socio-technical approaches to security have blossomed since the late 1990s, but tend to draw on a limited repertoire of social thought. Critical security studies has developed greatly in the same timespan, bringing together discourse-centred and materialist approaches, but rarely makes contact with cyber security practice.
Scaling Trust builds out a new synthesis between cyber security and social and cultural thought. It also develops a methodological strategy of engaged, participatory research, designed to participate in the 'doing' of security with practitioners, while also supporting the production of data and generation of theoretical analysis. In both these ways, a greater synthesis of social, cultural and technical dimensions is developed.
First Year Of Impact 2021
Sector Digital/Communication/Information Technologies (including Software); Government, Democracy and Justice; Security and Diplomacy
Impact Types Societal; Economic; Policy & public services

 
Description Contribution to the UK's cyber security guidance for corporate boards
Geographic Reach National 
Policy Influence Type Contribution to new or improved professional practice
 
Description Policy Research Report: 'Being Secure, Being Sure, Being Assured'
Geographic Reach National 
Policy Influence Type Participation in a guidance/advisory committee
Impact Most impacts are yet to become visible, but initial feedback from policymakers suggests that the report is expanding the types of stakeholders being considered in current policy development.
 
Description Research Collaboration with the National Cyber Security Centre 
Organisation National Cyber Security Centre
Country United Kingdom 
Sector Public 
PI Contribution Contribution of expertise and evidence.
Collaborator Contribution Contribution of expertise and access to data.
Impact 'Being Secure, Being Sure, Being Assured' research report (February 2021). Multi-disciplinary: engineering, policy, sociology
Start Year 2020
 
Description Interview for an article on hardware security 
Form Of Engagement Activity A press release, press conference or response to a media enquiry/interview
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Public/other audiences
Results and Impact Interview for a journalistic article on the Italian 'Netwars' site, about hardware security.
Year(s) Of Engagement Activity 2022
 
Description Legal sector threat report working group 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact Member of a working group drawing up a threat report for the UK legal sector. Responsible for bringing together expert perspectives, and advising on matters relating to communication.
Year(s) Of Engagement Activity 2023
 
Description Presentation to policymakers 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Research presentation for policymakers, audience of 8, sharing early research results and feeding in implications for current projects. Generated discussion and ongoing collaboration.
Year(s) Of Engagement Activity 2021
 
Description Presentation with policymakers 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Presentation and Q&A session on research into cyber security assurance with a group of 23 government stakeholders. Feedback reported: 'It certainly got me thinking about those sociotechnical elements of assurance including things like what is the appropriate level of communication in assurance outputs for particular audiences and how that can be identified or whether it is possible to foster some sense of shared ownership in an assurance process in a way that is scalable.'
Year(s) Of Engagement Activity 2021
 
Description Two workshops with security practitioners at a Telecommunications company 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact A pair of 'trust mapping' workshops with security managers at a major telecommunications provider. This is a format of workshop designed to enable reflective practice among security practitioners, and lead to improvements in security practice. In the session, participants follow a structured methodology to draw out a visualisation of the social distribution of trust in relation to a security critical system. The workshops are also designed to generate insights for research and policy, informing our understanding of how organisations process uncertainty about security, and distribute responsibility and knowledge.

In the words of my main contact, asked for the views of the team, "it was a hit!". Participants reported that the sessions improved their shared understanding of organisational structure. Other feedback included "I think this session is really good for sharing and learning. We do work in silos and it helps to get together like this." Another participant said "I think it is really good to share perspectives. And the format works." The organisation expressed an interest in running further sessions in the future.
Year(s) Of Engagement Activity 2023
 
Description Working group on cyber security guidance for corporate boards 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact Membership of a workshop group producing the UK's guidance for corporate boards for cyber security. The group gathered extensive input from policymakers, private sector stakeholders, and academia. My participation brought academic expertise relating to this grant, around cyber security and communication, and skills in the synthesis of evidence.

Following this work I was asked to contribute in a similar way to other projects.
Year(s) Of Engagement Activity 2022
 
Description Workshop 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Professional Practitioners
Results and Impact Facilitation of workshop with 12 practitioners at a private company, with collaborators.
Year(s) Of Engagement Activity 2019
 
Description Workshop with a UK bank 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact A 'trust mapping' workshop run with the security team of a major bank. This is a format of workshop designed to enable reflective practice among security practitioners, and lead to improvements in security practice. In the session, participants follow a structured methodology to draw out a visualisation of the social distribution of trust in relation to a security critical system. The workshops are also designed to generate insights for research and policy, informing our understanding of how organisations process uncertainty about security, and distribute responsibility and knowledge.

Participants said the session was 'really useful' and they 'liked the questions and prompts'. Another participant said it was helpful for thinking about 'how we can influence making changes to key issues'. A third remarked that 'this could be extremely beneficial when it comes to understanding control flows.'
Year(s) Of Engagement Activity 2022
 
Description Workshop with a telecommunications provider 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact A 'trust mapping' workshop run with the security team of a telecommunications company. This is a format of workshop designed to enable reflective practice among security practitioners, and lead to improvements in security practice. In the session, participants follow a structured methodology to draw out a visualisation of the social distribution of trust in relation to a security critical system. The workshops are also designed to generate insights for research and policy, informing our understanding of how organisations process uncertainty about security, and distribute responsibility and knowledge.

A participant remarked that 'it is good to see the sheer complexity... You can't rely on one person to know everything. You've got to trust it works, as you aren't an expert. It is really useful to see what it looks like.' Another said 'I think it has given me greater visibility. I think I would potentially give people a break if I am leaning on them for something, seeing this bigger picture.' A third said 'It gives a good sense of the huge complexity and scale of this stuff.' The organisation expressed an interest in hosting further workshops in future.
Year(s) Of Engagement Activity 2022