The quality of a state’s capacity to respond to the challenges of cyber security is rapidly coming to be recognised as an important element of global competitiveness. This project seeks to understand the challenges faced by the UK’s policy making community in interpreting, evaluating and understanding evidence about cyber security. Policy makers, sometimes with little relevant expertise and often in time-critical scenarios, are asked to assess evidence from a mix of sources including official threat intelligence, academic sources, and industry threat reports. Such a diverse evidence base is then used to make judgments on threat, risk, mitigation and consequences, and offer advice shaping the national regulatory landscape, foreign and domestic security policy, and a range of public and private sector initiatives. This element of the human dimension has significant relevance for the cyber security of the UK and is the main focus of this proposal.

Assessment of evidence is a particular problem for policy making in this context for three reasons:

When exploring the problems (and possible remedies) of the human dimension of cyber security, many focus on end users. While this is important, equally important is the human dimension of decision making and advice offered by civil servants who collectively influence policy level responses to cyber threats. This project focuses on policy makers in the UK, specifically those civil servants who provide short and long term policy advice, either in response to specific crisis incidents or in the context of longer term planning for capacity building. This cohort is of particular importance given:

  • the unique set of technological, behavioural and policy challenges they currently face. They are a relatively small and disparate group, possessing varying levels of technical and behavioural experience;
  • their responsibility and impact goes well beyond their own organisations to shape the national and international landscape; and finally,
  • the lack of research to support this particular community, either in identifying specific challenges they face or in developing more effective mechanisms for doing so.
The unique set of technological, behavioural and policy challenges they currently face. They are a relatively small and disparate group, possessing varying levels of technical and behavioural experience. Their responsibility and impact goes well beyond their own organisations to shape the national and international landscape. Finally the lack of research to support this particular community, either in identifying specific challenges they face or in developing more effective mechanisms for doing so.

This leads to several questions: what evidence do UK policy makers rely upon in this context? What is the quality of that evidence? How effective are the judgements about threats, risks, mitigation and consequences based on that evidence? Understanding how UK policy makers select evidence, why they privilege one source over another, and how adept they are at recognising possible weaknesses or flaws in evidence is central to addressing these questions.