Initial activities
The Network Security Innovation Platform's early work identified that the ‘weakest link’ is not usually a technological vulnerability but the people (or processes) used within the system.
Human vulnerabilities in network security may arise inadvertently, due to a lack of understanding of security by the user, or deliberately, due to insider subversion. Additionally, organisations need to establish effective security cultures and be able to assess the potential risks (both benign and malign) which are posed by their employees.
To give a simple example, a secure system can be penetrated if staff with legitimate and authorised access write down their password or share it with someone else.
A recent poll of over 1800 adults found that:
- just over one third recorded their password or security information by either writing it down or storing it somewhere on their computer;
- nearly two thirds never changed their password; and
- 1 in 5 people used the same password for non-banking websites as well as their online bank.
The need to deal with these issues prompted a collaborative research and development programme to look at the issues of the insider threat and human vulnerability. This was initiated in Autumn 2006 and led to the NSIP supporting 4 six-month feasibility studies. The assessment of the submitted studies led to the Technology Strategy Board funding one of the proposals for a three-year research programme in "Trust Economics".
After consultation with relevant stakeholders, we initiated a second research programme looking at issues around Privacy and Consent. Stakeholders indicated that a major issue was "How to Ensure Privacy and Consent within identity management infrastructures (EPAC)". This was sponsored by the Identity and Passport Service, an executive agency of the Home Office, and funded by the Engineering and Physical Sciences Research Council (EPSRC), Economic and Social Sciences Research Council (ESRC) and the Network Security Innovation Platform.