The NCSC's annual conference, CYBERUK 2018, is almost upon us. I'd like to introduce some of the fantastic talks and debates we have lined up in Track 4, titled Whole System Security.
Thinking about cyber risk...
The thought behind the Whole System Security track is that cyber security can't be considered in isolation. You can't realistically assess the cyber risks facing one part of a system, or an organisation, without considering how that part connects to the rest. Thinking about the risks faced by individual parts of a system is very different from thinking about systems as wholes*. This also means that you can't realistically assess your organisation's cyber security risks without thinking about how they interact with other stuff that you care about, like financial risk or safety. With Whole System Security Track we're aiming to put some practical meat onto these bones.
We'll be kicking things off with John Thomas from MIT who will introduce the STAMP framework. Originating from the safety engineering world, the STAMP techniques encourage you to think about how all parts of a system come together to contribute to security, or indeed safety.
... and quantifying it
We're also drawing on expertise from the financial services industry. Ben Payne from Lloyd's Banking Group will introduce techniques that he and his team use to bring assessments of cyber risk into their credit risk model. This will introduce important methods for quantifying cyber risk.
Christian Wagner from the Lab of Uncertainty in Data and Decision Making at the University of Nottingham will introduce his research into quantifying uncertainty. He's teamed up with Kev Jones from JP Morgan who will discuss how they intend to apply the research from Christian's team within their internal threat model.
Communication, Hoarding and Expertise
Communicating about Cyber Security is dead easy, right? If only! Bringing insights from the study of governance and organisations is Ruth Massie from Cranfield University. She will introduce her research into communication between management teams and cyber security staff and present practical advice as to how it can be improved.
Are you a digital hoarder? Do you cringe deleting emails? Or more likely, do you worry that data is being squirrelled away in emails, on local drives and hidden network folders that your organisation should not be holding? If so, you should definitely come to hear Nick Neave, from Northumbria University, who will introduce his research into the types of personality prone to digital hoarding, and what you can do to get the most out of this people with this characteristic.
On what knowledge is Cyber Security founded? What should we expect all practitioners in the field to know about? Awais Rashid and Yvonne Rigby from The University of Bristol will introduce the Cyber Security Body of Knowledge (CyBoK) project, which aims to codify the body of knowledge which our profession draws upon.
"Let's have a heated debate!"**
We will be hosting two lively and controversial panel debates as a part of this track. The panels for both have been selected to ensure that we have the full spectrum of views represented; from the evangelist to the sceptic.
In the first, we will explore the usefulness of AI in cyber security; is it a threat or our cyber saviour? We will try to separate the substance from the hype.
In the second, we'll will focus on the strengths and weaknesses of standards, regulation and guidance in cyber security. Is there enough? Is there too much? Do we expect too much of it? With 2018 bringing us both GDPR and the NIS directive, these questions are more relevant than ever.
We are hugely grateful to all of our speakers for coming to share their insights with us at CYBERUK 2018.
Last, but by no means least, our thanks to DXC Technology for sponsoring the Whole System Security track. Over the last year the NCSC's Risk Research team has collaborated closely with DXC to develop the content for our Risk Masterclass making them a natural fit for the content that we're presenting in this track. Victoria Axon from DXC Technology will be ‘joining the dots’ with our track's Industry Insights presentation (after Session 3 on Day 1), reflecting on how organisations can practically implement the wider stream’s advice in the commercial world. Don't miss it!
I hope that this has whetted your appetite for our track, and for the conference as a whole. I'm looking forward to seeing you in Manchester.
Risk Research Lead
- * As we have pointed out in our latest risk management guidance
- ** With apologies to the inimitable Mrs Merton