The Protective Security and Risk Assessment programme is led by Professor Debi Ashenden (University of Portsmouth) and aims to understand how we can ‘patch with people’. The research under this theme considers security as a social practice enacted in an organisational context.
While we have policies and processes for implementing security in organisations, in the real-world security is always a negotiated compromise as projects have to finish, systems have to run and the organisation has to move forward. This research programme confronts this truth and focuses on the areas of secure software development and cyber-physical security convergence to explore how we can leverage employee behaviour to manage security risks.
Understanding the Social & Behavioural Aspects of Software Development
With shorter cycle times for software development driven by cloud infrastructures, agile development methods and continuous integration/continuous delivery, we need a better understanding of the social and behavioural factors that encourage or inhibit the inclusion of security in software development. Embedding security in software development requires the sharing of expertise and establishment of mutual trust between security experts and software developers.
This project examines software development as a social practice with a particular focus on open source development and the integration of security. The research explores the organisational structures and practices within companies that develop software. The research uses social practice theory to understand how software developers are working in the open source environment and their motivations, identity and allegiances across the open source community. This will be contrasted with approaches to delivering security in software projects in both open source and closed source environments in order to deliver recommendations for security interventions.
Ensuring Cyber-Physical Security in the Digital Built Environment
Buildings are now often planned, designed and the data shared online using building information modelling (BIM). When operational, buildings are increasingly being managed through digital building management systems (BMS). As cyberspace and physical space are increasingly enmeshed, the need to secure both the digital built environment and its assets has given rise to the concept of cyber-physical security.
Cyber-physical vulnerabilities include BIM documentation that is insecurely transmitted and gives attackers the ability not only to understand physical weaknesses in a building but can also facilitate the insertion of fake building materials into the supply chain. While there has been an increased focus on developing organisational cyber security, with an associated boost in the status of such professionals, there is often a disparity between cyber and physical security personnel, functions and policies in organisations. In a cyber-physical environment this leads to increased vulnerability for the organisation overall. The examples given of cyber-physical vulnerabilities in the digital built environment demonstrates the need for organisations to develop processes that will ensure cyber-physical security.
To this end, this research will undertake a user-centred design methodology to develop cyber-physical security interventions. The research will use a mixed-methods approach (interviews and focus groups) to understand how cyber and physical security personnel currently cooperate, their awareness of the appropriate protective measures required from each other, the gaps between the two approaches, and barriers to collaboration. Findings from this will help guide the development of cyber-physical interventions.
The Workplace Village
The Workplace Village offers a radical approach to current ideas about Protective Security. It seeks to undermine people’s primary assumption of how security in the organisation works, by moving from individual to group responsibility for security.
Autonomous work groups are groups of employees who are given the ability to manage their own working practices. This research will comprise comparative case studies in organisations where autonomous work groups will be formed and given joint responsibility for how security is implemented.
The Simple Model of Rational Security (SMORS)
An industry report suggested that 50% of employees breach security policies and of these 40% believed their actions will go undetected. When asked why they breach security, respondents said it’s because it gets in the way of their jobs. While employees continue to engage in low level breaches of security policy the consequences to the organisation of these activities are increasing in scale.
SMORS used an experimental approach to expose the limitations of implicit naïve assumptions about how employees act and how they maintain a positive self-concept in spite of their actions. In the first experiment, when presented with the opportunity to deceive about productivity, 10% of participants stated they had completed more than was true.
A second experiment explored if participants failed to comply or cheat with security to increase their reward with security. In the experiment participants were required to create passwords in an app designed to look outdated and low quality on a laptop, with a disinterested/busy researcher. They were rewarded for the number of passwords created; however, they did not have to follow the requirements for a correct password and they had the opportunity to misreport the number of passwords.
The results showed that if people have the opportunity to misreport the number of passwords created, they still made the same effort and number of passwords. If, however, they could get away with not meeting the password criteria 45% more passwords were created. Overall 13% of people followed all the rules. 87% of participants cheated a little.
The Security Dialogues workshop presents a response to the reality of organisational security for people who can deal with complexity. Protective Security is both a social and political activity in an organisation where often the only mature approach is to negotiate an optimal compromise.
This two-and-a-half-day workshop was designed to enable security practitioners to build effective relationships with employees and manage security dialogues more productively. Through the course of the workshop we supported security practitioners to become security facilitators.
We applied techniques for designing interventions that would encourage behaviour change, and questioning and conflict-resolution skills developed from counselling. Participants were given a broad base of tools and techniques to try, then refine and adjust over time. The workshop was developed using action research and extended to encompass both security practitioners and software developers to meet the needs of organisations implementing DevSecOps. The workshops demonstrated that a good relationship can make a flawed security process work, the importance of soft skills in delivering security should not be underestimated and that security practitioners continue to carry the baggage of a stereotype that labels them, ‘the people who say no’.
Professor Debi Ashenden
University of Portsmouth, UK
- Debi Ashenden (Security Dialogues)
- Rob Black
- Emma Boakes (Cyber-Physical Security)
- Duncan Hodges (SMORS)
- Helen Thackray (Software Developers)