What is the Scope of Digital Trust & Security?
Given our increasing dependence on digital technology, the issue of whether we can trust the systems we use and the people we interact with has become critical. Digital Trust & Security underpins a broad range of societal challenges and is profoundly multidisciplinary. It encompasses the security and resilience of the underlying technology, work practices and processes, law and regulation, human behaviour, social norms and context. Regulation, governance and standards, more traditional security concerns, such as cryptography, access control and verification to the societal and sociological concerns that emerge from big-data analytics, intrusion, cloud computing and the internet of things.
An apt starting point might be to clarify what cyber security is intended to achieve. For instance, taking the objectives of the UK’s National Cyber Security Strategy (defending systems, data and services, deterring hostile actors and developing capability) as a starting point highlights a set of research areas of potential relevance.
Defending systems, data, and services from potential attack.
This is the largest area in terms of potential research topics, as it includes developing and implementing defences against potential attacks. Effective defence requires a technical understanding of threats and vulnerabilities in the systems you are trying to defend it also covers the human element of responding to and recovering from attacks.
- Crimes that may be digitally-enabled or digitally-dependent, including fraud, theft (of personal data, money etc), harassment, child sexual exploitation, money-laundering, spying, system sabotage, spreading of viruses, malware, and ransomware.
- Potentially harmful but non-criminal activities, e.g., cyberbullying, the manipulation of social media to sow discord or influence democratic processes.
- Methods used to do harm: e.g., hacking or malware infection, hardware tampering, insider access and social engineering.
- Technical vulnerabilities that arise during software and hardware design and implementation (including through increased connectivity, for example; Industrial IoT), and that are perpetuated through failure to patch or replace insecure software and systems.
- Vulnerabilities in human systems: e.g., ‘insider threat’, failure to follow security procedures, use of workarounds.
- Secure software development: processes, tools and techniques, from the fundamental building blocks like cryptography to design and implementation.
- Secure hardware: e.g., anti-tamper techniques for processing chips, counterfeit detection and prevention.
- The nature and value of data held on digital systems and how it could be exploited (including through behavioural analytics and identity ‘profiling’).
- Risk-based decision-making, in particular risk assessment and mitigation, risk prioritisation and visualisation, communication of risk information, decision-support.
- Developing and improving monitoring and detection systems (both technical and human) to establish when a breach has occurred.
- Regulatory and other mechanisms to ensure organisations respond appropriately to data breaches.
- Once a breach/attack has been detected, organisational and individual decision making in complex, uncertain situations, where extent and nature of damage may be unclear, including the role of emotion and impact of stress, crisis management, internal/ external crisis communications.
- Resilience and recovery from an attack/breach, including damage assessment after data breaches, organisational decision making in post-crisis situations, organisational learning; betrayal, forgiveness and recovery of trust.
Deterring criminals, hostile states and terrorists.
Understanding malicious actors and discouraging them.
- Potential ‘adversaries’: criminals, terrorists, hackers or crackers, state-sponsored groups or individuals; their capabilities and intentions; modus operandi; strengths and limitations.
- Legal measures, policy interventions and investigative practices to improve the investigation and prosecution of digitally-facilitated crimes, including:
- the specific challenges of investigating/prosecuting digital crimes.
- the nature and effectiveness of such measures, in terms of interdiction, detection, and prosecution, and in in terms of deterrence.
- the ethical and social acceptability of such measures.
- how such measures are implemented in vivo by individuals / communities / organisations / governments, including potential unintended consequences.
Developing skills and capability in the workforce.
Enhancing cyber security skills across the population, improving the country’s understanding and expertise in digital security.
- The digital security education and information needs of citizens at all points of life.
- Ways to upskill people from all backgrounds and promote equal access to digital security opportunities.
- The training needs of diverse workforces in different sectors.
- Barriers to and enablers of investment in digital security training and knowledge sharing (where investment could be from government or industry etc.).
- Stimulating innovation and creativity in the digital security sector.
- Behaviour change and good habit formation (particularly around cyber-hygiene).
Levels of analysis.
Valuable research on digital security can focus on any of several different levels of analysis, from individuals to the international community. Researchers working at any one or more of these levels, can help shed light on or provide a different perspective on what digital security means in their particular context.
- Individuals, e.g., as citizens, as employees, as members of different generational / identity groups
- Communities, e.g., local / regional networks, cities, identity groups
- Organisations / sectors, e.g., critical national infrastructure, SMEs, manufacturing industry, healthcare, financial, third sector, tech, education
- Government - local, regional, national
- International partners and communities, e.g., EU, NATO, UN
Now and in the future…
Research that covers the ways in which social, demographic, technological, political, economic, environmental, legal, ethical, intercultural (etc) changes over the next 5, 10, 20, 50 years will alter the nature of digital security issues and how we understand and respond to them.
What you can do.
These are only initial ideas. Do let us know what you think about the scope and about how your activities and those of your colleagues might be relevant, and where the DT&S team could help you.