Protective Security & Risk Assessment

This project aims to understand how we can ‘patch with people’ and considers security as a social practice enacted in an organisational context.

While we have policies and processes for implementing security in organisations, in the real-world security is always a negotiated compromise as projects have to finish, systems have to run and the organisation has to move forward.  This research programme confronts this truth and focuses on the areas of secure software development and cyber-physical security convergence to explore how we can leverage employee behaviour to manage security risks.

Current projects

Understanding the Social & Behavioural Aspects of Software Development

With shorter cycle times for software development driven by cloud infrastructures, agile development methods and continuous integration/continuous delivery, we need a better understanding of the social and behavioural factors that encourage or inhibit the inclusion of security in software development. Embedding security in software development requires the sharing of expertise and establishment of mutual trust between security experts and software developers.

This project examines software development as a social practice with a particular focus on open source development and the integration of security.  The research explores the organisational structures and practices within companies that develop software.  The research uses social practice theory to understand how software developers are working in the open source environment and their motivations, identity and allegiances across the open source community. This will be contrasted with approaches to delivering security in software projects in both open source and closed source environments in order to deliver recommendations for security interventions.

Ensuring Cyber-Physical Security in the Digital Built Environment

Buildings are now often planned, designed and the data shared online using building information modelling (BIM). When operational, buildings are increasingly being managed through digital building management systems (BMS).  As cyberspace and physical space are increasingly enmeshed, the need to secure both the digital built environment and its assets has given rise to the concept of cyber-physical security.

Cyber-physical vulnerabilities include BIM documentation that is insecurely transmitted and gives attackers the ability not only to understand physical weaknesses in a building but can also facilitate the insertion of fake building materials into the supply chain.  While there has been an increased focus on developing organisational cyber security, with an associated boost in the status of such professionals, there is often a disparity between cyber and physical security personnel, functions and policies in organisations. In a cyber-physical environment this leads to increased vulnerability for the organisation overall.  The examples given of cyber-physical vulnerabilities in the digital built environment demonstrates the need for organisations to develop processes that will ensure cyber-physical security.

To this end, this research will undertake a user-centred design methodology to develop cyber-physical security interventions.  The research will use a mixed-methods approach (interviews and focus groups) to understand how cyber and physical security personnel currently cooperate, their awareness of the appropriate protective measures required from each other, the gaps between the two approaches, and barriers to collaboration.  Findings from this will help guide the development of cyber-physical interventions.

The Workplace Village

The Workplace Village offers a radical approach to current ideas about Protective Security. It seeks to undermine people’s primary assumption of how security in the organisation works, by moving from individual to group responsibility for security.

Autonomous work groups are groups of employees who are given the ability to manage their own working practices. This research will comprise comparative case studies in organisations where autonomous work groups will be formed and given joint responsibility for how security is implemented.

Previous Projects

The Simple Model of Rational Security (SMORS)

An industry report suggested that 50% of employees breach security policies and of these 40% believed their actions will go undetected. When asked why they breach security, respondents said it’s because it gets in the way of their jobs. While employees continue to engage in low level breaches of security policy the consequences to the organisation of these activities are increasing in scale.

SMORS used an experimental approach to expose the limitations of implicit naïve assumptions about how employees act and how they maintain a positive self-concept in spite of their actions. In the first experiment, when presented with the opportunity to deceive about productivity, 10% of participants stated they had completed more than was true.

A second experiment explored if participants failed to comply or cheat with security to increase their reward with security. In the experiment participants were required to create passwords in an app designed to look outdated and low quality on a laptop, with a disinterested/busy researcher. They were rewarded for the number of passwords created; however, they did not have to follow the requirements for a correct password and they had the opportunity to misreport the number of passwords.
The results showed that if people have the opportunity to misreport the number of passwords created, they still made the same effort and number of passwords. If, however, they could get away with not meeting the password criteria 45% more passwords were created. Overall 13% of people followed all the rules. 87% of participants cheated a little.

Security Dialogues

The Security Dialogues workshop presents a response to the reality of organisational security for people who can deal with complexity. Protective Security is both a social and political activity in an organisation where often the only mature approach is to negotiate an optimal compromise.

This two-and-a-half-day workshop was designed to enable security practitioners to build effective relationships with employees and manage security dialogues more productively. Through the course of the workshop we supported security practitioners to become security facilitators.

We applied techniques for designing interventions that would encourage behaviour change, and questioning and conflict-resolution skills developed from counselling. Participants were given a broad base of tools and techniques to try, then refine and adjust over time. The workshop was developed using action research and extended to encompass both security practitioners and software developers to meet the needs of organisations implementing DevSecOps. The workshops demonstrated that a good relationship can make a flawed security process work, the importance of soft skills in delivering security should not be underestimated and that security practitioners continue to carry the baggage of a stereotype that labels them, ‘the people who say no’.

Principal Investigator

Professor Debi Ashenden


University of Portsmouth, UK


Project resources

In Their Own Words: Employee Attitudes towards Information Security

The purpose of this study is to uncover employee attitudes towards information security and to address the issue of social acceptability bias in information security research.


The study used personal construct psychology and repertory grids as the foundation for the study in a mixed-methods design. Data collection consisted of 11 in-depth interviews followed by a survey with 115 employee responses. The data from the interviews informed the design of the survey.


The results of the interviews identified a number of themes around individual responsibility for information security and the ability of individuals to contribute to information security. The survey demonstrated that those employees who thought the that organisation was driven by the need to protect information also thought that the risks were overstated and that their colleagues were overly cautious. Conversely, employees who thought that the organisation was driven by the need to optimise its use of information felt that the security risks were justified and that colleagues took too many risks.

Research limitations/implications

The survey findings were not statistically significant, but by breaking the survey results down further across business areas, it was possible to see differences within groups of individuals within the organisation.


The literature review highlights the issue of social acceptability bias and the problem of uncovering weakly held attitudes. In this study, the use of repertory grids offers a way of addressing these issues.

(From the journal abstract)

Debi Ashenden. 2018. ‘In Their Own Words: Employee Attitudes towards Information Security’. Information and Computer Security, 26 (3): 327–37.

Employees: The Front Line in Cyber Security

What happens if you lose trust in the systems on which you rely? If the displays and dashboards tell you everything is operating normally but, with your own eyes, you can see that this is not the case? This is what apparently happened with the Stuxnet virus attack on the Iranian nuclear programme in 2010.

Dr Debi Ashenden, CREST lead on protective security and risk assessment, writes that with cyber attacks set to rise, it’s important that we empower employees to defend our front line.

(From the journal abstract)

Ashenden, Debi. 2017. ‘Employees: The Front Line in Cyber Security’. The Chemical Engineer, February 2017, 908 edition. https://crestresearch.


Back to top