Blog post

You'll never guess what's happening in Track 2 at CyberUK In Practice

Created:  13 Mar 2017
Updated:  13 Mar 2017
Author:  Jon L
CyberUK track 2

I wrote about the fascinating themes we've got coming up in Track 1 - Managing Threat at CyberUK In Practice. I'm now delighted to tell you about Track 2, which is the focal point for one of our big themes of CyberUK In Practice - 'People: The Strongest Link' .

As a technologist at heart, I used to focus heavily on technology solutions to cyber security problems. I would nod along when people spoke about the 'wetware' problem, or the challenges of getting users to stop making elementary cyber security mistakes.

And then a few years ago I started to look after one of our research teams looking at user-centric security. This was eye-opening. Susan, Emma, and Ceri talked about the research they, and their academic peers, have done which shows that users are expected to handle impossibly complex, contradictory and non-intuitive security rules as they go about their daily lives. When we say glib things like 'don't click on links' and 'don't open attachments' (and then blame victims who did), have we really thought through the practicality of this advice? If links and attachments are so bad, why don't we simply remove them at our email gateways and remove the decision point all together?

Of course we don't do this - the cost is too high. Yet the cost of expecting users to understand what's legitimate and what's problematic is also too high. 'People: The Strongest Link is a track that develops this theme, and explains how we can better support our users - wherever they sit in the organisation - to work as safely and securely as possible.

The first session in the track begins with some of our academic colleagues talking about the latest, cutting-edge, concepts in human behaviour and cyber security. Angela and Adam are noted experts in the field, and I'm delighted they'll be able to join us to share their experiences. After lunch, we have an hour to discuss one of the first examples of user-centric security that the NCSC were involved in - our password guidance. This set out a very different approach to developing password rules and policies for an organisation, with the users who have to deal with such policies at the very forefront of our thinking.

In the second session we will gather security experts from across government together to talk about their experiences of implementing this new guidance, the challenges they've faced doing so, and what we can learn from them.

In the final session of the day, we will be joined by some fantastic speakers who will present case studies about how they've gone about recognising that people really are the strongest link. 

On day 2 of CyberUK In Practice, we start with a session on Elicitation Techniques. Two leading researchers - Lizzie and David - will explain techniques we can use in our organisations to uncover hotspots in policy and practice that need our attention, and ways to address this. Having seen some of this work I think there's a lot we can take from them, and it's really eye-opening stuff.

The final session of Track 2 will lead on from this with what's set to be a lively panel debate that will discuss how we take forward some of the ideas for engaging with our users effectively, and developing approaches that work for all of us. There are so many good ideas, but where to begin? 

Track 2 is one that I'm absolutely delighted we are able to bring to CyberUK In Practice, as it covers topics that I think are all too often forgotten about when we talk about cyber security.

See you in Liverpool soon!

Jon L - Technical Director for Assurance


Jon Edwards - 14 Mar 2017
I agree with the points being made but I don't understand the title. Why are people the strongest link? Surely the message is that people are the weakest link but don't blame them when they cock-up.
NCSC Communications Team - 08 Aug 2018
This blog is now closed to comments.

Was this blog post helpful?

We need your feedback to improve this content.

Yes No