Protective Security and Risk Assessment

This is one of the core programmes of CREST’s research. It seeks to understand how we can better develop security as a social practice. It broadens our understanding of the social processes that characterise effective ‘collaborative’ security, giving stakeholders the tools to both elicit better risk information and make better risk decisions. The programme is led by Professor Debi Ashenden at the University of Portsmouth.

The technology industry estimates that by 2020 there will be 212 billion sensor-enabled objects and 30 billion of them will be connected to networks. Many of these devices will be responsible for managing physical objects such as buildings and offices. While technology is giving us new ways of living, it is also increasing our attack surface.

In turn, this situation gives us an opportunity to question how we can do security differently. The Protective Security work programme starts from the premise that we need to question the nature of security in organisations and to think more creatively about potential solutions. We do this on the basis that we should patch security vulnerabilities with people rather than relying solely on technology.

The Simple Model of Rational Security (SMORS)

A recent industry report suggests that 50% of employees breach security policies and that, of these, 40% believe their actions will go undetected. When asked why they breach security, respondents say it’s because security gets in the way of their jobs.

While employees continue to engage in low-level breaches of security policy, the consequences of these activities for the organisation are increasing in scale. SMORS uses an experimental approach to expose the limitations of implicit, naïve assumptions about how employees act and how they maintain a positive self-concept in spite of their actions.

The Workplace Village

The Workplace Village offers a radical approach to current ideas about Protective Security. It seeks to undermine people’s primary assumption of how security in the organisation works, by moving from individual to group responsibility for security.

Autonomous work groups are groups of employees who are given the ability to manage their own working practices. This research will comprise comparative case studies in organisations where autonomous work groups will be formed and given joint responsibility for how security is implemented.

Security Dialogues

The Security Dialogues workshop presents a response to the reality of organisational security for people who can deal with complexity. Protective Security is both a social and political activity in an organisation where often the only mature approach is to negotiate an optimal compromise.

This three-day workshop has been designed to enable security practitioners to build effective relationships with employees and manage security dialogues more productively. Through the course of the workshop we support security practitioners to become security facilitators.

Principal Investigator

Professor Debi Ashenden
University of Portsmouth, UK

In Their Own Words: Employee Attitudes towards Information Security

The purpose of this study is to uncover employee attitudes towards information security and to address the issue of social acceptability bias in information...

Employees: The Front Line in Cyber Security

What happens if you lose trust in the systems on which you rely? If the displays and dashboards tell you everything is operating normally...

Security Dialogues: Building Better Relationships between Security and Business

In the real world, there’s often a discrepancy between an organization’s mandated security processes and what actually happens. The social practice of security flourishes...

Protective Security and Risk

Protective Security and Risk by CREST Researcher Debi Ashenden. The poster presents Debi’s programme with the premise that we should patch security vulnerabilities with...

Security Dialogues

Security Dialogues by CREST Researcher Debi Ashenden. The poster gives an overview of Debi’s Security Dialogues workshop. It was first displayed at the annual...

Mindmap: Cyber Security Factcheck

It isn’t just your bank account criminals are seeking to access. This poster, by Debi Ashenden, gives an insight into the size and complexity...

Phishing scams are becoming ever more sophisticated – and firms are struggling to keep up

Companies are bombarded with phishing scams every day. In a recent survey of more than 500 cyber security professionals across the world, 76% reported...

FactCheck: The Cyber Security Attack Surface

It isn’t just your bank account criminals are seeking to access. CREST Researcher Debi Ashenden gives an insight into the size and complexity of...

Your Employees: The Front Line in Cyber Security

Dr Debi Ashenden, CREST lead on protective security and risk assessment, writes that with cyber attacks set to rise, it’s important that we empower...

TalkTalk data breach is a wake up call for CEOs

Dr Debi Ashenden, Reader in Cyber Security and Dr Ruth Massie, Lecturer in Cyber Governance comment on the recent data breach at TalkTalk and...