Protective Security and Risk Assessment

The Protective Security and Risk Assessment programme is led by Professor Debi Ashenden (University of Portsmouth) and aims to understand how we can ‘patch with people’. The research under this theme considers security as a social practice enacted in an organisational context.

While we have policies and processes for implementing security in organisations, in the real-world security is always a negotiated compromise as projects have to finish, systems have to run and the organisation has to move forward.  This research programme confronts this truth and focuses on the areas of secure software development and cyber-physical security convergence to explore how we can leverage employee behaviour to manage security risks.

Current projects

Understanding the Social & Behavioural Aspects of Software Development

With shorter cycle times for software development driven by cloud infrastructures, agile development methods and continuous integration/continuous delivery, we need a better understanding of the social and behavioural factors that encourage or inhibit the inclusion of security in software development. Embedding security in software development requires the sharing of expertise and establishment of mutual trust between security experts and software developers.

This project examines software development as a social practice with a particular focus on open source development and the integration of security.  The research explores the organisational structures and practices within companies that develop software.  The research uses social practice theory to understand how software developers are working in the open source environment and their motivations, identity and allegiances across the open source community. This will be contrasted with approaches to delivering security in software projects in both open source and closed source environments in order to deliver recommendations for security interventions.

Ensuring Cyber-Physical Security in the Digital Built Environment

Buildings are now often planned, designed and the data shared online using building information modelling (BIM). When operational, buildings are increasingly being managed through digital building management systems (BMS).  As cyberspace and physical space are increasingly enmeshed, the need to secure both the digital built environment and its assets has given rise to the concept of cyber-physical security.

Cyber-physical vulnerabilities include BIM documentation that is insecurely transmitted and gives attackers the ability not only to understand physical weaknesses in a building but can also facilitate the insertion of fake building materials into the supply chain.  While there has been an increased focus on developing organisational cyber security, with an associated boost in the status of such professionals, there is often a disparity between cyber and physical security personnel, functions and policies in organisations. In a cyber-physical environment this leads to increased vulnerability for the organisation overall.  The examples given of cyber-physical vulnerabilities in the digital built environment demonstrates the need for organisations to develop processes that will ensure cyber-physical security.

To this end, this research will undertake a user-centred design methodology to develop cyber-physical security interventions.  The research will use a mixed-methods approach (interviews and focus groups) to understand how cyber and physical security personnel currently cooperate, their awareness of the appropriate protective measures required from each other, the gaps between the two approaches, and barriers to collaboration.  Findings from this will help guide the development of cyber-physical interventions.

The Workplace Village

The Workplace Village offers a radical approach to current ideas about Protective Security. It seeks to undermine people’s primary assumption of how security in the organisation works, by moving from individual to group responsibility for security.

Autonomous work groups are groups of employees who are given the ability to manage their own working practices. This research will comprise comparative case studies in organisations where autonomous work groups will be formed and given joint responsibility for how security is implemented.

Previous Projects

The Simple Model of Rational Security (SMORS)

An industry report suggested that 50% of employees breach security policies and of these 40% believed their actions will go undetected. When asked why they breach security, respondents said it’s because it gets in the way of their jobs. While employees continue to engage in low level breaches of security policy the consequences to the organisation of these activities are increasing in scale.

SMORS used an experimental approach to expose the limitations of implicit naïve assumptions about how employees act and how they maintain a positive self-concept in spite of their actions. In the first experiment, when presented with the opportunity to deceive about productivity, 10% of participants stated they had completed more than was true.

A second experiment explored if participants failed to comply or cheat with security to increase their reward with security. In the experiment participants were required to create passwords in an app designed to look outdated and low quality on a laptop, with a disinterested/busy researcher. They were rewarded for the number of passwords created; however, they did not have to follow the requirements for a correct password and they had the opportunity to misreport the number of passwords.
The results showed that if people have the opportunity to misreport the number of passwords created, they still made the same effort and number of passwords. If, however, they could get away with not meeting the password criteria 45% more passwords were created. Overall 13% of people followed all the rules. 87% of participants cheated a little.

Security Dialogues

The Security Dialogues workshop presents a response to the reality of organisational security for people who can deal with complexity. Protective Security is both a social and political activity in an organisation where often the only mature approach is to negotiate an optimal compromise.

This two-and-a-half-day workshop was designed to enable security practitioners to build effective relationships with employees and manage security dialogues more productively. Through the course of the workshop we supported security practitioners to become security facilitators.

We applied techniques for designing interventions that would encourage behaviour change, and questioning and conflict-resolution skills developed from counselling. Participants were given a broad base of tools and techniques to try, then refine and adjust over time. The workshop was developed using action research and extended to encompass both security practitioners and software developers to meet the needs of organisations implementing DevSecOps. The workshops demonstrated that a good relationship can make a flawed security process work, the importance of soft skills in delivering security should not be underestimated and that security practitioners continue to carry the baggage of a stereotype that labels them, ‘the people who say no’.

Principal Investigator

Professor Debi Ashenden


University of Portsmouth, UK



Algorithmic Decision Making

How can re-designing system interactions help build trust between governments and citizens, enhance the security and wellbeing of individuals and protect the security of...Read More »

Data and the Social and Behavioural Sciences

The science of how we manage and leverage data is unsurprisingly an increasingly ubiquitous topic. Data is often thought of as the base of...Read More »

In Their Own Words: Employee Attitudes towards Information Security

The purpose of this study is to uncover employee attitudes towards information security and to address the issue of social acceptability bias in information...Read More »

Employees: The Front Line in Cyber Security

What happens if you lose trust in the systems on which you rely? If the displays and dashboards tell you everything is operating normally...Read More »

Security Dialogues: Building Better Relationships between Security and Business

In the real world, there’s often a discrepancy between an organization’s mandated security processes and what actually happens. The social practice of security flourishes...Read More »

Protective Security and Risk

Protective Security and Risk by CREST Researcher Debi Ashenden. The poster presents Debi’s programme with the premise that we should patch security vulnerabilities with...Read More »

Security Dialogues

Security Dialogues by CREST Researcher Debi Ashenden. The poster gives an overview of Debi’s Security Dialogues workshop. It was first displayed at the annual...Read More »

Mindmap: Cyber Security Factcheck

Mindmap FactcheckIt isn’t just your bank account criminals are seeking to access. This poster, by Debi Ashenden, gives an insight into the size and complexity...Read More »

Phishing scams are becoming ever more sophisticated – and firms are struggling to keep up

Companies are bombarded with phishing scams every day. In a recent survey of more than 500 cyber security professionals across the world, 76% reported...Read More »

Employees behaving badly

Understanding the problem of everyday insider threats. Most of the literature on insider threat focuses on either the ‘malicious’ insider or the ‘accidental’ insider....Read More »

FactCheck: The Cyber Security Attack Surface

It isn’t just your bank account criminals are seeking to access. CREST Researcher Debi Ashenden gives an insight into the size and complexity of...Read More »

Creativity and Cyber Security

Debi Ashenden explains how art and tech are unlikely but insightful bedfellows when it comes to cyber security. Cyber security risk has traditionally been...Read More »

Your Employees: The Front Line in Cyber Security

Dr Debi Ashenden, CREST lead on protective security and risk assessment, writes that with cyber attacks set to rise, it’s important that we empower...Read More »

TalkTalk data breach is a wake up call for CEOs

Dr Debi Ashenden, Reader in Cyber Security and Dr Ruth Massie, Lecturer in Cyber Governance comment on the recent data breach at TalkTalk and...Read More »