
Wholesome guidance from the Sociotechnical Security Group

Created:  14 Nov 2017
Updated:  14 Nov 2017
Author:  Geoff E

In my last blog I talked a little bit about sociotechnical systems, and the fact that we need to consider the system as a whole rather than just its components. The NCSC believe that this system perspective is necessary to fully realise security. It's a conviction that's integral to all our work, and is reflected in the capabilities we are developing, including our wholesome guidance.

The team has already published a lot of wholesome blogs about system security, and whilst we hope you find them useful, we need to support them with more formal, actionable guidance. This blog outlines the guidance that we're currently working on, and it starts with laying the requisite foundations...


Laying the foundations

The Sociotechnical Security Group's research portfolio (PDF) is, rightly, ambitious. As each of the specialisms has broad system-wide interests, it makes sense to begin by establishing frameworks for each of them, which we can then add to, iterate, and improve upon.

Engineering processes guidance

At the moment, having confidence that engineering processes adequately consider cyber security beyond compliance is really difficult. Helen L has been busy building the Engineering Processes and Assurance’s (EPA) research portfolio over the last year to address this hard problem, and we are now able to distil this initial work into some key messages for you.

The engineering processes guidance we are developing has been written for people who are buying, building or using a sociotechnical system, and need information about how to best realise usable and effective cyber security. It will support engineers from all disciplines to navigate through a whole-life model of security and assurance, and in an upcoming blog Helen will outline what we see as the key approaches, and challenges, to making this happen.

People-Centred Security guidance

Our 'People: The Strongest Link' guidance will build on the impassioned plenary talk given by Emma W, as well as complementing the great video presentation developed by Ceri J, at CyberUK this year. It will help reinforce our belief that people are the strongest cyber security link within organisations.

The guidance will be drawing on the multi-year research conducted under the Research Institute in Science of Cyber Security. This research aims to help organisations better elicit behaviour on the ground in order to understand how to best support the natural ways in which people work, rather than contributing to the friction that can occur between security and business. The team have already blogged about this on a number of occasions.

Risk guidance

John Y is leading on our shiny new Risk Management for Cyber Security guidance. This is very different to our risk guidance of old, as it provides foundational risk management techniques, rather than just a single standard. The guidance will open by presenting the fundamentals of risk, and the purpose of risk management, before discussing the different types of risk information, and the various techniques for eliciting it, depending on whether you are taking a component or a system view. John's recently published blog provides more details on this.


A collaborative effort

As I've said before, we can't and don't do this on our own. Collaborating with others makes for better guidance. Much like the ongoing research that underpins it, guidance is not something that happens in isolation. We develop it in collaboration with academia, wider government and industry. A good example of this is the supply chain security guidance we are developing in conjunction with the Centre for the Protection of National Infrastructure (CPNI). This will provide baseline security advice for organisations' supply chains. In due course, it is hoped that this guidance will be supported by case studies, as well as references to further reading.

We're also working with CPNI on phishing guidance, which will emphasise the need for a layered defence, and will help counter the stereotypical viewpoint that regards phishing as an 'end user problem' that can be solved through training alone. We want people to think about phishing from a sociotechnical perspective, and to support this we will be highlighting other defences, both before and after the 'click'. These might be technical (like email filtering), or might involve changing business processes to make them less vulnerable to such attacks.


An NCSC first: collaboration with MIT

As well as collaborating with a wide range of organisations from across the UK, we also work with those from further afield. In particular, we are collaborating with Professor Nancy Leveson from the Massachusetts Institute of Technology (MIT) to develop a practitioners' handbook on Systems-Theoretic Process Analysis (STPA). I will not steal John's thunder by talking about STPA and its theoretical framework STAMP (Systems-Theoretic Accident Model and Processes), other than to say that we will be briefly introducing them as one of the system-driven risk analysis techniques whose use we are advocating. Our work with MIT represents a collaboration first for the NCSC, and we very much hope that it won't be the last.

And if that wasn't enough, we are also producing a password manager buyers' guide in conjunction with our very own product assurance team. People often ask the NCSC which password manager to use, so we are producing guidance that will discuss those in common use, to help you choose one, as well as explaining why. The guidance will include a list of properties that the NCSC believes password managers should have, and we will compare offerings against them.


Iteration and improvement

I have managed to get this far without mentioning our password guidance collection once! And as part of our commitment to iteration and improvement, the time has come for us to refresh this landmark guidance. Over the past few months we have published a number of blogs on the use and management of passwords. We now want to build upon and consolidate this work to provide guidance that focuses on helping people better use and manage their portfolio of passwords. Our current thinking is that the guidance will cover the following topics: user engagement and training, password generation, management and storage.

Phew - there's a lot going on!

As always, we welcome your feedback, so if you want to share your wisdom then please tweet @ncsc, reply to this blog below, or use the NCSC 'Contact us' form.


Geoff E

Head of the Sociotechnical Security Group

2 comments

Thomas - 15 Nov 2017
I notice that Ciaran Martin today spoke about the risks from countries like Russia, and the very active threat that they pose to the UK. Will the supply chain guidance cover managing the risk from software, services, and hardware sourced from outside the UK? This is going to be particularly relevant post-Brexit, and also in the new GDPR / NIS world - we need guidance from the NCSC and CPNI urgently on these topics!
Owen - 06 Jun 2018
But not at OFFICIAL surely Thomas?

Under the Government's Security Classification Policy for OFFICIAL data (purportedly encompassing the vast majority of data processed by HMG according to policy) we are not choosing to specifically protect ourselves from FIS or capable motivated attackers - that risk has already been accepted by UK plc surely?

Or perhaps we should be considering if perhaps all those threats you mentioned (which are good ones and very valid I think) should be sufficient stimulus to reconsider our classification approaches which now look very short-sighted indeed...
