My backround is within the social sciences and with “Information Systems” as opposed to “Computer Science” or “Software Engineering”. Colleagues apply methodologies and theories from the social sciences to look at the multiple interactions between ICTs and organisations and individuals. So my security pre-occupations tend to focus on how security problems are identified and analysed, and how potential solutions are devised, implemented and managed. I am less interested (and probably not that capable) in designing a new encryption algorithm, improving technical protocols, disassembling specialist hardware, or finding neater ways to define signatures for intrusion detection systems, though of course I value the work of others and may wish to deploy their results.
Thus for me and my immediate colleagues the interesting features of PKIs, for example, are how they are deployed, why they have not been used more widely, issues of management, the legal liability of providers, and how rival systems may inter-operate.
My main research area is Digital Evidence but I am also interested in:
Changing Doctrines of Computer Security In other words, what do we think the problems and solutions are? Apart from the stuff in the box on the left: the consequences of low-cost popular computer ownership, the democratisation of the web, the mobile web, ubiquitous computing, the death of the computer “perimeter”
Risk Management / Economics / Metrics The practices, limitations and theories of risk management techniques and the viability of attempts at metrics
Evaluation of Security Technologies How do you relate security needs to available products? Against what criteria do you evaluate new products?
Certification / Compliance The value of the various standards for products, systems, management processes, both intrinsic and extrinsic
Incident Management, Business Continuity, Insurance If preventative measures fail, what are the disciplines involved in recovery and loss mitigation?
Out-sourced security How far and under what circumstances, can an organisation contract out its security to specialist 3rd parties? Security as a service.
Cybercrime, Cyberwarfare: One problem with both these terms that there are too many definitions and this thwarts sensible, non-hysterical discussion. How do we research these areas in a disciplined fashion, evaluate the available anecdotes and statistics , and reach useful conclusions?
Safer Internet issues What technologies, laws, regulations and educational strategies work to make the Internet safer to use while preserving freedom of expression and flexibility to develop?
Privacy, Data Protection, Privacy Enhancing Technologies What changes are needed in current doctrines of data protection? How far are PETs, which are designed to give individuals more control over their personal data, actually ready for mass deployment?
E-Identities / Identity Management Systems Which is better, the single, centrally managed electronic identity to mediate all your needs to the government, financial institutions, commercial organisations and your friends, or a series of credentials in which you only tell people as much as they need about who you are? But if we have multiple e-identities, how do we manage them? And on the corporate front: what should be looking for in a good IMS for sophisticated access control?
Management of Crypto Systems / Inter-operability A crypto system is much more than the underlying algorithm - who manages it, how are keys generated, exchanged, aged, repudiated? How well is it designed into the fabric of the environment it is meant to protect? As we now have a multitude of crypto-systems, how can they be made to inter-operate in a useful, legally-backed way?
E-Commerce There are many forms of e-commerce, from closed systems for particular industries to ones open to all, right across the web. Technical security and contract law can provide some measure of protection, but other mechanisms such as trust and reputation also seem to be very important. How can we understand these complex interactions?
E-Cash Pre-occupations with electronic replacements for cash come in and out of fashion. The problems are interesting and manifold. There is the technology: are the artefacts robust against fraud and compromise? What is the cost per transaction? But also: is e-cash to be as untraceable and unauditable as real cash? How does e-cash interact with the banking system? What factors are necessary to make q scheme acceptable to a wide public? Will new opportunities for money laundering and tax avoidance arise? Will the overall economics ever be sufficient to supplant coins and banknotes?
Security and the Cloud / the Grid Among some academics and vendors there is growing enthusiasm for cloud or grid computing, whereby organisations are able to purchase additional computing capacity from third parties on an as-needed basis. Related to this are claims for ubiquitous computing, where individuals have small portable devices and their data is made available to them anywhere and everywhere over a wireless connection. But these visions all seem to downplay the security problems - each connection will need to be authenticated and protected - how will this work and will the overhead be too great to make cloud/grid visions commercially viable?
Once upon a time there was a subject called “Computer Security”; it assumed that any problems with the operation of computers or threats to them were largely technical in nature and the solutions were simply a matter of finding the appropriate counter-technology. For a period, while computers were simple devices but isolated from the daily activity of most people and employees – Electronic Data Processing – this approach made sense.
But as computers became more widely available and the number of roles dependent on them increased and developed it became clear that there were factors beyond the technical that had to be considered if secure computing was going to be achieved; particularly important among these new factors were notions about the behaviour of individuals and organisations. “Computer Security” became “Information System Security”
But there still lingered a belief that, given the right moves, systems could be made fully secure. The fact is they can’t – because of the complexity of many systems in terms of their functionality, specification and design, and because of rate of change in information and communication technology (ICT). ICT systems never achieve stability because there are always reasons to introduce new features and change specifications.
From this realisation comes the need for a newer set of disciplines – where the ambition is not some ultimately secure facility, but a goal of “information assurance” in which information as handled, supplied and transacted has sufficient reliability or “assurance” for the context in which it is to be used.
The new area of information assurance encompasses the technical agenda of traditional computer security, the social science perspectives of how organisations work, risk analysis and management, economics and the law.