Specialist researchers at Bristol are investigating the security of systems and the inputs required from human users.
Most people, when asked what cybersecurity is, would answer by saying that it’s making sure we stay safe online, by using strong passwords and up-to-date software. But human behaviour also has a large part to play.
Awais Rashid, Professor of Cybersecurity, is researching both critical aspects. His work investigates the security of that which we might consider to be obvious: computers, mobile phones, Internet of Things devices, as well as systems that are embedded in our critical infrastructure such as water treatment plants and power grids. To understand how people might add value, he also looks at the human component of cybersecurity – how attackers attack our systems, how we detect such attacks, and how we respond to attacks.
One of the things he’s analysed is how people make decisions around security. Because a lot of these decisions are about critical infrastructures there is a lot of confidentiality around them, making it difficult to get the information required.
He and his team devised a game which allows people to discuss how they make security decisions in a general context, without referring to their organisation. The game is effectively a set of building blocks and it represents a utility infrastructure. A lot of the gaming around cybersecurity is about attacking systems and learning from attacks, but Professor Rashid asks people to play the role of defenders, and to collectively make decisions around how to deal with the attacks.
Good patterns included attempts to balance between security priorities, open-mindedness and adapting strategies based on inputs that challenged one’s preconceptions.
Bad practices included tunnel vision, that is, disregarding information given by the environment that did not fit one’s self-proclaimed ‘security expertise’ and focusing excessively on expensive technological solutions while neglecting basic security hygiene. ‘In some cases, you can have a very high-tech network monitoring device, but if your employees are falling victim to social engineering through email, then your network remains vulnerable to attack,’ Professor Rashid says.
In some cases, you can have a very high-tech network monitoring device, but if your employees are falling victim to social engineering through email, then your network remains vulnerable to attack.’ Professor Rashid, Professor of Cybersecurity.
The human element
Professor Rashid is not alone in wanting to develop a better understanding of the human variable in cybersecurity. Dr Emma Williams, who has a background in psychology, a doctorate in deception, and a career that has included time spent working in both the public and private sector, is interested in what makes us engage in secure behaviour online. Dr Williams is conducting her research in her position in one of the newly created Vice-Chancellor’s Fellowships.
‘My research looks at how we can ensure that users are engaging in secure behaviour online,’ she says. ‘And understanding that means answering a range of questions, such as: are we more susceptible to so-called phishing scams at certain points in time? And can our devices adapt to these potential vulnerabilities? For example, if your device can detect that you’re busy or distracted, can it send a request to update important software at another, more appropriate, time?’ By looking at the ways in which people make decisions with regard to their own online security, Dr Williams aims to answer some of these questions.
One key issue is the simple idea that security must not be burdensome. Professor Rashid believes it is security experts who must lower the burden on the user. ‘We can’t have people changing passwords every few days, we can’t expect people to remember 30 passwords. Security is seen as a barrier, and as researchers we have to make it more seamless. We are looking at how the design of security systems acts as a barrier to usability and what can we do to empower users.’
Historically people think cybersecurity sits in the realm of Computer Science – that all you need to do is create an algorithm and everyone is secure. But a lot of these algorithms are based on mathematical ideas.’ Professor Oliver Johnson, Professor of Information Theory.
The mathematics
Bristol’s School of Mathematics will be offering a new MSc in Mathematics of Cybersecurity in autumn 2018. Oliver Johnson, Professor of Information Theory, says, ‘Historically people think cybersecurity sits in the realm of Computer Science – that all you need to do is create an algorithm and everyone is secure. But a lot of these algorithms are based on mathematical ideas. Bristol’s MSc programme will be unique in the UK because it is hosted in the School of Mathematics. Cybersecurity is a key area of emerging importance. With an Academic Centre of Excellence in Cybersecurity in Bristol, and our refurbished and expanded Fry Building giving us a lot more space for Mathematics, we have the platform for new, forward-looking courses.’
The new MSc will offer students the opportunity to prepare for future threats to encryption, such as quantum computers. Professor Johnson explains: ‘Encryption on the internet relies on the idea that factoring big numbers is hard. It’s known that quantum computers can do this efficiently, once somebody builds one. We’re not there yet, but when planning ahead, maybe the algorithms in use now aren’t secure long enough into the future. So, by including quantum computing on this course, students will be able to consider what the next generation algorithms could be.’
Professor Johnson goes on to add: ‘I don’t think it’s going to be a case of a quantum computer on every desk, but for certain high-level transactions, we need to have these quantum-secure protocols built in. But that’s part of the excitement, looking to the future.’
And it makes Bristol an exciting place to be, particularly with regard to the new Temple Quarter Campus and the Quantum Technologies Innovation Centre that will be hosted there, with cybersecurity one of the topics that has been identified for the new campus.
‘I think it’s clear that a lot of the exciting applications, driverless cars, 5G phones, healthcare, will be generating vast amounts of data and it’s going to be absolutely imperative to ensure that data is protected. It’s a huge challenge, and it’s also one of the exciting things about Temple Quarter: we’ll be looking at big problems that require a commonality between thinking and approaches,’ says Professor Johnson.
Alongside the benefits of collaboration between industry, government, and the University, is the opportunity to have an arena where not only technologists will look at cybersecurity. The new campus will have social scientists working alongside legal experts and ethicists, for example developing thinking around questions such as: if someone is hit by a driverless car, who’s responsible? The passenger, the person who wrote the code, the person who sold the car?
There’s a growing network of connected devices, so whereas in the past people may have thought ‘I can opt out of the internet’, now the internet is so ubiquitous, that’s not possible. Protecting that information is a huge challenge.’ Professor Oliver Johnson, Professor of Information Theory.
Though they may not conform to our preconceived notions around cybersecurity, these questions are becoming increasingly important. ‘It may have been in the past people thought of cybersecurity as the computer on their desk, but as the Internet of Things takes over it’s your fridge talking to your smart home hub,’ Professor Johnson says. ‘There’s a growing network of connected devices, so whereas in the past people may have thought ‘I can opt out of the internet’, now the internet is so ubiquitous, that’s not possible. Protecting that information is a huge challenge.’
And how is Bristol helping to keep all that information safe and secure? We’re working to better understand human behaviours around security, and decision-making processes. We’re developing new cryptography techniques, and working on stronger software engineering. We’re studying vulnerabilities across human and technological platforms. What’s more, the University has huge strengths in mathematics, computer science, cryptography, and engineering. And with our new MSc we’re making sure that the next generation has the skills to tackle the security risks we have yet to imagine.