Evaluating Cyber Security Evidence for Policy Advice: The Other Human Dimension (ECSEPA)
Professor Siraj Ahmed Shaikh, Atif Hussain (Research Assistant)
National Cyber Security Centre (NCSC)
When exploring the problems (and possible remedies) of the human dimension of cyber security, many focus on end users. While this is important, equally important is the human dimension of decision making and advice offered by civil servants who collectively influence policy level responses to cyber threats.
This project focuses on policy makers in the UK, specifically those civil servants who provide short and long term policy advice, either in response to specific crisis incidents or in the context of longer term planning for capacity building.
Civil servants across the UK Government are working on policy advice for cyber security, but how they acquire and use evidence to make recommendations is not well understood. This is important as the source and credibility of evidence affects the effectiveness and authority of the judgements made about threats, risks, mitigation and consequences. The ECSEPA project throws light on on how evidence is being incorporated into developing effective cyber security policies across UK Government.
The project has set out towards a first iteration of a framework which rates evidence samples relative to each other based on source and credibility, designed to help policy makers assess the credibility of their evidence. As such, it serves to help policy makers understand how could a tool for assessing evidence quality change the way they use evidence? How could the next iteration of this framework be improved? What are the outstanding barriers and challenges to developing good cybersecurity policy? How can the research community support this?