How they grow up fast. As we’re approaching the 1st birthday of the Sociotechnical Security Group (StSG), I thought a blog from me was long overdue. I’ve got a bit of catching up to do as members of the team: Emma W, Helen L, Dr Kate R, Dr Rachel C, and Dr Sacha B have already been busy blogging their thoughts - the little scamps.
StSG origin story
A little under a year ago, people across what would become the NCSC were working on related cyber security problems. They all shared a common theme, and the problems were complex (opposed to things which are ‘merely’ very complicated). So for example, how can we design technology so it is resilient to attack yet instinctive and easy to use? How will people interact with technology? And how can we elicit, understand and manage the security risks from a connected society? Answers on a postcard, please....
Having a home for all of these wicked problems seemed like a sensible thing to do, and the StSG was born. StSG is built around people who can think creatively and critically. Basically we’re all nosy and ask 'Why?' a lot. We’re a diverse, multi-disciplinary team comprising of psychologists, physicists, computer scientists, systems engineers, and even a philosopher who all contribute in complementary ways to the cyber security problems we are working on. This diversity pays dividends as it generates ideas and produces a brilliant repository of skills to make them happen.
StSG has three areas of specialism, each with its own research focus. These comprise:
- Engineering Processes and Assurance (how to build things securely)
- People-Centred Security (how to support people to behave securely)
- Risk (how to manage it securely)
You're making this up....
Sociotechnical is not a new word that we’ve made up. Yet despite having been discussed in academic literature for at least 50 years, there is still some debate about what it means (even how it's spelled). Some interpret it is as a word which means a technically augmented society. Others argue it means the bringing together of people, technology and processes. The important point for me, is that we are now starting to realise it. Look around you. Look at the way we work, the way we socialise, the way we live. It is driven by technology. And it’s not just the technology we can see - what about the technology we can’t see? What about the technology that makes logistics decisions so you can receive your next day delivery while you sleep in bed? What about the technology that shapes public opinion? What about the technology that learns and adapts to what we do?
Anyway, enough of my 'you knew where you were with a modem' lamenting. This is presenting us with some very different security challenges compared to those we faced a decade or two ago. As cyber security practitioners, we need to adapt and think differently - very differently. As we begin to get our heads around the implications of the digital society we have built, our work at the NCSC has increasing immediacy and currency.
Complex problems call for a variety of approaches
Clearly, we can't do this on our own. That would be silly and a little bit naïve. Which is why we are working with both academia (including through the Research Institute in Science of Cyber Security) and industry, so that the capabilities we develop really are appropriate and effective. Bringing to bear a range of different disciplines is necessary if we stand any chance of sensibly risk managing today's sociotechnical systems. For example, just because an End User Device (EUD) is secured, it doesn't mean that you have realised system security. What about the interactions between the EUD and the applications it accesses? How will people use the EUD? What processes are in place to support people to work remotely?
Needless to say we are engaged in a lot of different research activities, as the infographic below illustrates. In some areas we are just at the beginning, digesting academic papers and existing thinking so we can form our own opinions about what is known, what is not known, and what is needed to be known. Then there are areas where we are (rightly, I think) leading some of the current thinking, and so we are busy field-trialling related capabilities. Regardless, everything that the StSG does is backed by research and will be made available to everyone.
Even though we're only just approaching our 1st birthday, we've been quite busy finding our feet, and I wanted to share some headline achievements with you. So far we have:
- published a number of blogs, pieces of guidance and a whitepaper on the NCSC website
- run a number of masterclasses and workshops
- given briefings about our research work at a number of national and international conferences
- reviewed and helped to develop a number of cyber security tools, methods and frameworks
- provided subject matter expertise to NCSC's own consultants or directly through customer engagement
- supported academic research through sponsorship and engagement
and we are also in the process of:
- running field-trials; and of course
- continuing with our own research
A plea to the like-minded
If there are things which you believe you can help us with, then please get in touch. Whether you're a researcher, a member of a think tank, or basically anyone who's got an interest in the challenges we face, we would love to hear from you (use the Contact Us form). The more brains we put to task on these wicked problems, the more chance we have of success, as we certainly don't have all the answers. I often liken cyber security to the complex challenge that is public health; there are lots of different people working together to improve things, and there is still lots to do, but we all have a role to play in making it better.
Head of the Sociotechnical Security Group