EPSRC Reference: EP/K006266/1
Title: Cyber Security Cartographies: CySeCa
Principal Investigator: Coles-Kemp, Professor L
Other Investigators:
Researcher Co-Investigators:
Project Partners:
Department: Information Security
Organisation: Royal Holloway, Univ of London
Scheme: Standard Research
Starts: 12 November 2012
Ends: 31 December 2016
Value (£): 753,394

EPSRC Research Topic Classifications:
Computer Graphics & Visual.
Human-Computer Interactions
Information & Knowledge Mgmt
Networks & Distributed Systems
Organisational Studies

EPSRC Industrial Sector Classifications:

Related Grants:

Panel History:
Panel Date | Panel Name | Outcome
15 Jun 2012 | Cyber Research Institute | Announced

Summary on Grant Application Form
"The growth of the internet has been the biggest social and technological change of my lifetime [...] It will have a huge role to play in supporting sustainable development in poorer countries. At the same time our increasing dependence on cyber space has brought new risks, risks that key data and systems on which we now rely can be compromised or damaged, in ways that are hard to detect or defend against." Francis Maude - UK Cyber Security Strategy.
In the cyber environment the balance between benefit and harm so clearly articulated by Francis Maude can also be found at the organisational, as well as the national and global, level. Cyber space enables many opportunities and provides an environment in which businesses can diversify and tailor their services. At the same time, this range of opportunities also creates critical vulnerabilities to attack or exploit. In order to protect their estate, security managers combine organisational, physical and technical controls to provide robust information asset protection. Control lists such as the one found in Annex A of ISO 27001 have long acknowledged the need for all three types of control, but no security management methods are available to systematically combine them. In the complex cyber environment a security manager has limited visibility of technical, physical and organisational compliance behaviours and controls, and this makes it difficult to know when and how to select and combine controls. Research has, to date, not been undertaken to understand how a security manager selects the appropriate combination of controls. In addition, risk management techniques do not include visualisation methods that can present a combined picture of organisational and technical asset compliance behaviours. This problem is exacerbated by the lack of systematic research into the cultural and organisational techniques used by security managers, resulting in limited guidance on cultural and organisational security management approaches.
In order to respond to this problem, we plan to:
- Explore how a security manager develops, maintains and uses visibility of both organisational and asset compliance behaviours for the management of cyber security risks.
- Better understand how organisational controls and technical controls are used in combination.
- Evaluate the use of different visualisations in the risk management process as a means to extend a security manager's ability to deploy combinations of organisational and technical controls in the cyber context.
The research will combine a novel application of social network analysis, apply and develop anomaly detection techniques at the technical asset cluster level and integrate interpretive cartography with informational cartography.
In exploring this practical security management problem, we aim to develop a socio-technical research design in which organisational and network security research techniques can both be deployed in their own research paradigm and use visualisation techniques to systematically synthesise the outputs into a robust socio-technical response.
The planned outputs and deliverables from the CySeCa research are:
- Methods for combining and evaluating combinations of technical and organisational security controls
- Methods and design principles for visualising and analysing combined organisational and technical compliance behaviours
- Use cases and case study reports

Key Findings
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk

Potential use in non-academic contexts
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk

Impacts
Description | Summary | Date Materialised
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk | |

Sectors submitted by the Researcher
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk

Project URL:
Further Information:
Organisation Website: