The quality of a state’s capacity to respond to the challenges of cyber security is rapidly coming to be recognised as an important element of global competitiveness. This project seeks to understand the challenges faced by the UK’s policy making community in interpreting, evaluating and understanding evidence about cyber security. Policy makers, sometimes with little relevant expertise and often in time-critical scenarios, are asked to assess evidence from a mix of sources including official threat intelligence, academic sources, and industry threat reports. Such a diverse evidence base is then used to make judgments on threat, risk, mitigation and consequences, and offer advice shaping the national regulatory landscape, foreign and domestic security policy, and a range of public and private sector initiatives. This element of the human dimension has significant relevance for the cyber security of the UK and is the main focus of this proposal.
Assessment of evidence is a particular problem for policy making in this context for three reasons:
First, some of the evidence is contradictory and/or potentially carries within it particular agendas or goals that may impede upon its rigour and reliability. The 'politicisation' of cyber security evidence is increasingly problematic as states sometimes privilege threat intelligence from sources located within their sovereign borders rather than based on the quality of the research they produce;
Attribution and Risks
Secondly, it has proven to be extremely difficult to conclusively attribute cyber attacks and to quantify the cost of cyber insecurity. These challenges mean that evidence can only support policy makers' decisions and evaluation of cyber security risks, threats and consequences to an extent;
Finally, the landscape of cyber security is developing rapidly and spans many issue areas including national security, human rights, commercial concerns, and related infrastructure vulnerabilities. Consequently, policy makers must work to balance a range of sometimes conflicting interests that compete for attention and they must do so in a field with little precedent to draw upon.
When exploring the problems (and possible remedies) of the human dimension of cyber security, many focus on end users. While this is important, equally important is the human dimension of decision making and advice offered by civil servants who collectively influence policy level responses to cyber threats. This project focuses on policy makers in the UK, specifically those civil servants who provide short and long term policy advice, either in response to specific crisis incidents or in the context of longer term planning for capacity building. This cohort is of particular importance given:
The unique set of technological, behavioural and policy challenges they currently face. They are a relatively small and disparate group, possessing varying levels of technical and behavioural experience.
Their responsibility and impact goes well beyond their own organisations to shape the national and international landscape.
Finally the lack of research to support this particular community, either in identifying specific challenges they face or in developing more effective mechanisms for doing so.
This leads to several questions: what evidence do UK policy makers rely upon in this context? What is the quality of that evidence? How effective are the judgements about threats, risks, mitigation and consequences based on that evidence? Understanding how UK policy makers select evidence, why they privilege one source over another, and how adept they are at recognising possible weaknesses or flaws in evidence is central to addressing these questions.