Collaborating with the Optus Macquarie University Cyber Security Hub

I recently had a chance to collaborate with researchers at The Optus Macquarie University Cyber Security Hub. Their interdisciplinary approach brings industry practitioners and academics from a variety of backgrounds to tackle the most pressing cyber security challenges our society and businesses face today.

Both academia and industry practitioners can and should learn from each other. The industry can guide problem definition and allow access to data, but also learn to apply the scientific method and test their hypotheses. We often assume the solutions we implement lead to risk reduction but how this is measured is not always clear. Designing experiments and using research techniques can help bring the necessary rigour when delivering and assessing outcomes.

I had an opportunity to work on some exciting projects to help build an AI-powered cyber resilience simulator, phone scam detection capability and investigate the role of human psychology to improve authentication protocols. I deepened my understanding of modern machine learning techniques like topic extraction and emotion analysis and how they can be applied to solve real world problems. I also had the privilege to contribute to a research publication to present our findings, so watch this space for some updates next year.


Can AI help improve security culture?

I’ve been exploring the current application of machine learning techniques to cybersecurity. Although there are some strong use cases in the areas of log analysis and malware detection, I couldn’t find the same quantity of research on applying AI to the human side of cybersecurity.

Can AI be used to support the decision-making process when developing cyber threat prevention mechanisms in organisations and influence user behaviour towards safer choices? Can modelling adversarial scenarios help us better understand and protect against social engineering attacks?

To answer these questions, a multidisciplinary perspective should be adopted with technologists and psychologists working together with industry and government partners.

While designing such mechanisms, consideration should be given to the fact that many interventions can be perceived by users as negatively impacting their productivity, as they demand additional effort to be spent on security and privacy activities not necessarily related to their primary activities [1, 2].

A number of researchers use the principles from behavioural economics to identify cyber security “nudges” (e.g. [3], [4]) or visualisations [5, 6]. This approach helps users make better decisions and minimises perceived effort by moving them away from their default position. This method is being applied in the privacy area, for example for reduced Facebook sharing [7] and improved smartphone privacy settings [8]. Additionally, there is greater use of these as interventions, particularly with installation of mobile applications [9].

The proposed socio-technical approach to the reduction of cyber threats aims to account for the development of responsible and trustworthy people-centred AI solutions that can use data whilst maintaining personal privacy.

A combination of supervised and unsupervised learning techniques is already being employed to predict new threats and malware based on existing patterns. Machine learning techniques can be used to monitor system and human activity to detect potential malicious deviations.

Building adversarial models, designing empirical studies and running experiments (e.g. using Amazon’s Mechanical Turk) can help better measure the effectiveness of attackers’ techniques and develop better defence mechanisms. I believe there is a need to explore opportunities to utilise machine learning to aid the human decision-making process whereby people are supported by, and work together with, AI to better defend against cyber attacks.

We should draw upon participatory co-design and follow a people-centred approach so that relevant stakeholders are engaged in the process. This can help develop personalised and contextualised solutions, crucial to addressing ethical, legal and social challenges that cannot be solved with AI automation alone.


Online Safety and Security


We live in the developed world where it is now finally safe to walk on the city streets. Police and security guards are there to protect us in the physical world. But who is watching out for us when we are online?

Issues:

  1. Cyber crime and state-sponsored attacks are becoming more and more common. Hackers are now shifting their focus from companies to individuals. Cars, airplanes, smart homes and other connected devices along with personal phones can be exploited by malicious attackers.
  2. Online reputation is becoming increasingly important. Potential business partners conduct thorough research prior to signing deals. A bad online reputation dramatically decreases your chances of success in business and other areas of your life.
  3. Children’s safety online is at risk from cyber-bullying and identity theft. With the rapid development of mobile technology and geolocation, tracking the whereabouts of your children is as easy as ever, opening opportunities for kidnappers or worse.

Solution:

A one-stop-shop for end-to-end protection of online identity and reputation for you and your children.

A platform of personalised and continuous online threat monitoring secures you, your connections, applications and devices and ensures safety and security online.

Image courtesy of winnond / FreeDigitalPhotos.net

Find out how security controls affect productivity in your company


To expand on my research on the human aspect of security, I created a simplified model to highlight the relationship between productivity and security. The main hypothesis is that there is a productivity cost associated with security controls.

The interactive simulation was created to allow users to implement their own security policies and observe the relationship between risk reduction and the impact on productivity cost. Easy-to-understand visual feedback is available to users immediately. This helps users understand the security manager’s perspective when implementing security controls in a company.

The creation of the model was inspired by research conducted by Angela Sasse and her colleagues at University College London.

Please get in touch if you have any feedback or would like to discuss the underlying research findings.

Discussing Human Aspects of Information Security


I delivered a seminar on the human aspects of information security at the University of West London. We discussed conflicts between security and productivity in companies and possible solutions. Research students with different backgrounds helped to drive the debates around usability, awareness and policy design.

We also talked about the practical applications of behavioural theories, where I shared my views on user monitoring and trust in organisations within the context of security culture.

Daniel, one of the participants, summarised his experience in his blog.

Image courtesy of Vlado / FreeDigitalPhotos.net

Delivering a Seminar at the IT Security & Computer Forensics Pedagogy Workshop


I presented at the HEA STEM Workshop on human aspects of information security.

The aim of the workshop is to share, disseminate and stimulate discussions on: the pedagogy of teaching subjects related to IT security and computer forensics, and issues relating to employability and research in these areas.

During the workshop the speakers presented topics that focus on: delivery of innovative practical tutorials, workshops and case studies; course design issues; demand for skills and employment opportunities; countering the “point & click” approach linked to vendor supplied training in industry; and current research exploring antivirus deployment strategies.

Giving a talk at the University of Greenwich


I was invited to the University of Greenwich to discuss career opportunities in the information security field. We had a productive discussion with the young people who are finishing their degree in Computer Security and Forensics. After the presentation I was introduced to several PhD students who are currently researching various issues around privacy and social media. I’m very happy that people are becoming more interested in solving information security and privacy issues.

Research Proposal: People and Security

Purpose: The study aims to develop a model to support security managers’ decision-making process when implementing security policies in their organisations, and to incorporate users into the system in a way that mitigates the negative impact of users’ behaviour on security controls.

Background: Security managers in companies lack a clear process to implement security controls in order to ensure compliance with various regulations and standards. The company can be formally compliant but still inefficient in performing its revenue-generating activities.
Security managers may take the ISO 27001 standard as a framework and then make a decision on any particular implementation based on their experience. Such implementations run the risk of creating collisions with users’ business activities and result in violation of security policies in the company, because they introduce friction with the business process. Users try to avoid such friction. It is important, however, to differentiate between malicious non-compliance and cases where a security policy obstructs business processes, leading to workarounds. There is a mismatch between users’ and security managers’ perception of the workload introduced by security tasks.

Method: To achieve the goal of the study, a combination of quantitative and qualitative methods is applied to research the perception of information security by both users and security managers.

Research benefits: The model points a security manager in the direction of a better understanding of the users in his company. It provides the means to gain an insight into users’ core business activities and reflect on how they relate to the security tasks. This can help security managers to come up with more usable security policies and reduce the number of potential complaints and instances of violation of security policy.
Moreover, this model can help the security manager to understand how much time users in his company spend on various security activities. This information can be used to make better investment decisions and help in security policy optimisation. Additionally, understanding that the security manager’s decisions affect the whole organisation may result in cost savings from pre-implementation security analysis and its relation to the main business processes of the company.

Methodology of Research Study


Within this line of research two main analytical methods can be used:

– Quantitative

– Qualitative

Bell [2] argues that quantitative and qualitative approaches each have their own weaknesses and strengths. Hence, researchers should choose the appropriate technique according to their objectives and needs. Moreover, researchers can move from one approach to the other if it will bring benefit to their study.

Quantitative Research Methods

Quantitative research methods help researchers to support their hypotheses by testing various theories and existing research results [10]. Large sample sizes are often used to collect data and draw more general conclusions [14]. However, quantitative research approaches may not provide a sufficient amount of detail regarding participants’ attitudes and motivations.

Questionnaires

A questionnaire can help a researcher to collect larger volumes of information compared to interviews. Furthermore, questionnaires reduce the bias that interviews typically introduce through personal interactions. Questionnaires can provide anonymity for the participants; hence more honest responses may be expected. This is relevant when the subject matter is sensitive, for example, security.

However, the main limitation of questionnaires is low response rates, which makes it difficult to collect large amounts of data. To overcome this limitation and achieve higher response rates follow-up e-mails should be sent and follow-up calls should be made in order to remind participants to take part in the survey [8].

Qualitative Research Methods

Creswell [8] characterises the qualitative approach as being focused mainly on participants’ experience and perceptions as expressed in words rather than numbers. Qualitative research methods allow researchers to use less structured instruments to collect information on participants’ thoughts and motivations. This gives the researcher the opportunity to look for common patterns, which is particularly useful in areas where little or no existing research has been done.

However, qualitative research methods are more time consuming to undertake and may result in smaller samples being used. Further, small samples result in issues surrounding repeatability of the study, and also subjectivism of responses, hence less reliability and less ability to apply the results to other situations outside the test conditions.

For instance, Bjorck [4] adopts qualitative methods to collect information and draw conclusions on the implementation of information security management systems according to the ISO 17799 standard. In his paper, the author studies the attitude and behaviour of information security consultants.

Interviews

Interviews can be time consuming and expensive. Moreover, face-to-face interaction allows the researcher to introduce additional bias [11]. Nevertheless, interviews are still commonly used in various research fields, because of the flexibility and deep insight into human perceptions and motivations which they allow.

According to Berg [3], Patton [12], and Briggs et al. [5] interviews can be divided into the following categories:

– Structured interviews – these are standardised questionnaires, similar to quantitative research methods. They tend to be less biased, because the questions asked are always the same and in the same order. However, this reduces flexibility.

– Semi-structured interviews – these are guided discussions with open-ended questions. The interviewer prepares questions in advance, but some questions might very well emerge during the process of the interview.

– Unstructured interviews – these are similar to an informal conversation, which can be beneficial if the interviewer needs to collect additional information. However, it could be difficult to manage the interview and stay within the research question.

Using Grounded Theory

Following from Corbin and Strauss [7], a theory which is derived from collected information can provide valuable insights into real-world situations. For this reason, the Grounded Theory Method can be used to analyse interview data. Answers could be grouped into categories in order to discover possible patterns and derive meaningful conclusions. Corbin and Strauss [7] outline the following types of coding for analysing the data:

– Open coding – basic categorisation based on identified similarities.

– Axial coding – introducing sub-categories and connecting them with the main categories.

– Selective coding – revealing the connections between the main categories in the study, and integrating the categories.

Adopting this approach would allow the collection, documentation, and analysis of interview materials, whilst interviewees freely express their thoughts and attitudes towards security compliance and behavior issues in their company.

Using a combination of quantitative and qualitative methods

According to Tashakkori and Teddlie [15], Carr [6], and Bandyopadhyay et al. [1], using a combination of both quantitative and qualitative methods may yield better outcomes, because it helps to overcome the weaknesses of each particular method, as well as combining their strengths and achieving high-quality results. For instance, Rainer et al. [13] adopted a similar approach when researching the issue of risk analysis processes for information technology. Doherty and Fulford [9] decided to use a questionnaire when carrying out their study on the question of application of information security policies in companies. They then identified the need to apply more qualitative methods to research this area.

References

[1] Bandyopadhyay, K. et al. 1999. A framework for integrated risk management in information technology. Management Decision. 37, 5 (Jun. 1999).

[2] Bell, J. and Goulding, S. 1984. Conducting small-scale investigations in educational management. Harper & Row in association with the Open University.

[3] Berg, B.L. 2004. Qualitative research methods for the social sciences. Pearson Boston.

[4] Bjorck, F. 2001. Implementing Information Security Management Systems – An Empirical Study of Critical Success Factors. Lic thesis. Stockholm University & Royal Institute of Technology. (2001).

[5] Briggs, A.R. et al. 2012. Research methods in educational leadership and management. Sage Publications.

[6] Carr, L.T. 1994. The strengths and weaknesses of quantitative and qualitative research: what method for nursing? Journal of Advanced Nursing. 20, 4 (1994).

[7] Corbin, J. and Strauss, A. 2008. Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory. SAGE.

[8] Creswell, J.W. 2013. Research design: Qualitative, quantitative, and mixed methods approaches. Sage Publications, Incorporated.

[9] Doherty, N.F. and Fulford, H. 2005. Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis. Information Resources Management Journal. 18, 4 (2005).

[10] Flick, U. 2009. An Introduction to Qualitative Research. SAGE.

[11] McIlwraith, A. 2006. Information Security and Employee Behaviour: How to Reduce Risk Through Employee Education, Training and Awareness. Gower Publishing, Ltd.

[12] Patton, M.Q. 2005. Qualitative Research. Encyclopedia of Statistics in Behavioral Science. John Wiley & Sons, Ltd.

[13] Rainer Jr, R.K. et al. 1991. Risk Analysis for Information Technology. J. of Management Information Systems. 8, 1 (1991).

[14] Scandura, T.A. and Williams, E.A. 2000. Research Methodology In Management: Current Practices, Trends, And Implications For Future Research. Academy of Management Journal. 43, 6 (Dec. 2000).

[15] Tashakkori, A. and Teddlie, C. 1998. Mixed Methodology: Combining Qualitative and Quantitative Approaches. SAGE.