EPSRC Reference: |
EP/K006517/1 |
Title: |
Productive Security - Improving security compliance and productivity through measurement |
Principal Investigator: |
Sasse, Professor MA |
Other Investigators: |
|
Researcher Co-Investigators: |
|
Project Partners: |
|
Department: |
Computer Science |
Organisation: |
UCL |
Scheme: |
Standard Research |
Starts: |
01 October 2012 |
Ends: |
30 June 2016 |
Value (£): |
1,168,260 |
EPSRC Research Topic Classifications: |
Human-Computer Interactions |
Management & Business Studies |
Mathematical Aspects of OR |
Modelling & simul. of IT sys. |
Psychology |
|
|
EPSRC Industrial Sector Classifications: |
|
Related Grants: |
|
Panel History: |
Panel Date | Panel Name | Outcome |
15 Jun 2012 | Cyber Research Institute | Announced |
|
Summary on Grant Application Form |
There has been a growing body of evidence that security policies and controls are not effective because employees either can't, or won't, comply. A key reason for non-compliance is the workload and complexity of the security controls chosen - employees simply cannot cope with an ever-increasing number of ever-longer and more complex passwords. Yet most security decision-makers do not factor the impact on employees, their tasks, and the company's business processes into their decisions about which security controls to put in place. Current attempts to 'educate' employees about the need for security are largely ineffective because they simply push more information on people who are already overworked.
And even in organisations with a high security awareness, non-compliance can be observed because security policies cause excessive friction, or are not agile enough to meet the needs of the business.
There exists a strong requirement for a structured, scientifically-grounded decision-making framework into which existing data can be inserted, alongside the key 'missing link' measurements of employees' workload, risk perception, and resulting security behaviours. The project will work with at least two major companies to collect such data, and build a model that allows security decision-makers to 'calculate' the impact of the security controls on employees and business processes, and balance them against the risk mitigation the security control achieves. A further innovative step in this proposal is that well-chosen security controls could make contributions to the business process beyond security, if the information they provide can be used to improve the quality of products or services - hence the title of the project.
|
Key Findings |
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
|
Potential use in non-academic contexts |
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
|
Impacts |
Description |
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk |
Summary |
|
Date Materialised |
|
|
Sectors submitted by the Researcher |
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
|
Project URL: |
|
Further Information: |
|
Organisation Website: |
|