Monday, November 04, 2024


Practice-Based Cyber Security Research

I recently read about David Gauntlett's "basket of things" approach. It gave me validation for my thinking and the approach I'd been taking in my own research. For years, the only real inspiration was drawn from a paper by Linda Candy, who had written about practice-based research many years before.

Guide to Practice-Based Research for Beginners

Practice-based research, also known as research-creation, distinguishes itself from traditional research methodologies by integrating hands-on creative practices into the exploration of research questions. Unlike conventional approaches, practice-based research sees making, experimenting, and experiencing as integral components of the research process, leading to the generation of new insights.

Key Principles

Here are some key principles that underpin practice-based research:

  • Exploration Through Practice: The core idea is that the researcher doesn't just observe or analyze existing phenomena but actively engages in the creative process of making. This could involve designing artefacts, developing workshops, composing music, or any other form of creative activity relevant to the research question. 
  • "Basket of Things" Approach: As described by David Gauntlett, a practice-based research project often unfolds as a journey, gathering a collection of processes, experiments, and experiences. Instead of a single, rigidly defined project, practice-based research often involves a series of interlinked "mini-projects" that emerge from the research process itself. Each "mini-project" might offer a partial solution or insight, leading to new questions and the next stage of exploration.
  • Real-World Validation: Practice-based research emphasizes the practical relevance of findings. Validation often involves case studies, knowledge transfer to practitioners, and demonstrable impact on real-world practices.
  • Ethical Considerations: The sources stress the importance of ethical conduct in practice-based research, particularly in sensitive fields like cyber security. Researchers must carefully consider informed consent, data confidentiality, and the potential impact of their findings.

Tools and Techniques

Practice-based research borrows tools and techniques from both creative practices and qualitative research methods:

  • Conceptual Frameworks: These are visual representations that help to organise key concepts and their relationships, evolving as the research progresses. An example is the LACES (Local Authority Cyber Ecosystem) framework, which emerged from a decade-long practice-based research project.
  • Ethnography: This method emphasises immersive observation and participation to understand behaviours, motivations, and beliefs within a specific context. The LACES project used ethnography, with the researcher acting as an observer-participant over the ten-year research period.
  • Reflective Documentation: This involves systematically recording thoughts, decisions, challenges, and insights throughout the research process. Reflective documentation can take various forms, such as research diaries, journals, or annotated portfolios of creative outputs.

Examples of Practice-Based Research

  • The LACES Project: This project exemplifies practice-based research in cyber security. It involved a ten-year study of cyber security in UK local governments, leading to the development of the LACES framework. The research included surveys, workshops, presentations, and case studies to refine and validate the framework.
  • Developing a Cyber Security Awareness Game: A researcher might design an interactive game to educate users about cyber threats and prevention methods. The game's effectiveness could be evaluated through user testing and feedback, with findings potentially informing cyber security awareness training programmes.
  • Creating a Simulated Phishing Attack Platform: A researcher could develop a platform that allows organizations to simulate phishing attacks on their employees. This platform could be used to assess vulnerabilities, provide training, and improve organizational resilience to phishing attacks.

Reporting Practice-Based Research

Reporting practice-based research often involves a combination of text and creative outputs. A written thesis provides context, explains the research process, and analyzes the findings. However, the creative outputs themselves are crucial for a complete understanding of the research. The thesis might include descriptions of how to interpret the creative outputs, highlighting their significance and contribution to knowledge.

Key Considerations for Beginners

  • Clearly Define Your Research Question: Start with a well-defined research question that can be explored through creative practice.
  • Embrace the Iterative Process: Be prepared for the research to unfold in unexpected ways, leading to new questions and directions.
  • Document Your Journey Thoroughly: Keep detailed records of your thoughts, decisions, and the evolution of your creative outputs.
  • Seek Feedback and Validation: Engage with practitioners and experts in your field to get feedback on your work and its practical implications.
  • Reflect on Ethical Implications: Carefully consider the potential impact of your research and take steps to mitigate any potential harms.

Practice-based research offers a powerful approach to investigating complex issues and generating new knowledge that is grounded in real-world experience. By embracing the principles and tools of practice-based research, beginners can embark on a journey of discovery and make meaningful contributions to their field.

Enjoy the journey! 


Understanding the LACES Framework

The LACES (Local Authority Cyber Ecosystem) model is a comprehensive framework developed by Mark Brett in 2024 for managing and enhancing cybersecurity posture within organisations, particularly in the context of local government in England and Wales. It acknowledges the intertwined nature of physical and digital security, adapting to various situations and use cases. The framework revolves around six interconnected variables: Governance, Assurance, Processes, Data, Resilience, and Knowledge Sharing.

Governance

  • Purpose: Provides the overarching direction and oversight for cybersecurity activities.
  • Key Aspects:
    • Establishing clear policies, procedures, and structures to manage cyber risks.
    • Defining the organisation's risk appetite and tolerance for information risks.
    • Ensuring compliance with relevant regulations, such as the Data Protection Act and GDPR.
    • Defining roles and responsibilities, often utilising tools like the RACI matrix.
  • Examples:
    • Corporate Information Governance Group: Utilising the LACES framework for strategic planning, developing work programs, and offering templates for implementing new systems and services.
    • Data Protection Policies: Setting clear policies for data handling and protection.
    • Risk Appetite Statements: Articulating and agreeing upon a shared understanding of acceptable information risks among senior management.
    • Minimum Cyber Security Standard: Adhering to the standard published in 2018 to ensure a baseline level of security.
    • Training Regimes: Implementing education and training programs to prepare stakeholders for cyber incidents.

Assurance

  • Purpose: Focuses on evaluating and mitigating cybersecurity risks through a continuous cycle of assessment and improvement.
  • Key Aspects:
    • Conducting risk assessments, vulnerability management, and security audits to identify weaknesses.
    • Assessing the effectiveness of security controls and processes.
    • Reviewing and validating the security of operational processes.
    • Evaluating the organisation's resilience capabilities and identifying areas for enhancement.
  • Examples:
    • Stocktake Surveys: Evaluating cybersecurity posture in local authorities.
    • Cyber Essentials Plus Certification: Obtaining certification to demonstrate compliance with cybersecurity controls.
    • Penetration Testing: Simulating cyberattacks to uncover vulnerabilities in systems and networks.
    • Physical Penetration Testing: Assessing physical security controls.

Processes

  • Purpose: Encompasses the operational workflows, systems, and procedures employed to manage and safeguard information assets.
  • Key Aspects:
    • Defining workflows for handling data, managing access, and responding to incidents.
    • Implementing security controls within systems and services.
    • Maintaining detailed documentation of processes and procedures.
    • Integrating resilience measures to ensure operational continuity in the event of disruptions.
  • Examples:
    • Cyber Incident Response Plans and Playbooks: Outlining clear steps for detecting, containing, and recovering from cyber incidents, encompassing roles, responsibilities, and communication protocols.
    • Information Asset Registers: Creating and maintaining records of hardware, software, data, infrastructure, and outsourced services, supporting a detailed understanding of the digital environment.
    • Data Backup and Recovery Procedures: Implementing processes for data backup and restoration to mitigate data loss risks.
    • Emergency Procedures: Establishing procedures for responding to physical security incidents.

Data

  • Purpose: Represents the information that needs to be protected, focusing on its confidentiality, integrity, and availability.
  • Key Aspects:
    • Classifying data based on its sensitivity and implementing appropriate security controls.
    • Adhering to data protection regulations and policies, such as the Data Protection Act and GDPR.
    • Conducting data protection impact assessments (DPIAs) to identify and mitigate privacy risks.
    • Implementing data security measures, including encryption and access control systems.
  • Examples:
    • Data Encryption: Using techniques to protect data at rest and in transit.
    • Access Control Systems: Implementing systems to manage user access.
    • Data Handling Guidelines: Regularly revising guidelines for information management, assurance, and governance.
    • Physical Storage of Sensitive Data: Implementing secure storage for physical documents.

Resilience

  • Purpose: Ensures the organisation's ability to withstand and recover from cyber incidents and disruptions, maintaining business continuity.
  • Key Aspects:
    • Developing cyber resilience plans to address potential cyber threats and vulnerabilities.
    • Conducting cyber resilience exercises to test and improve response capabilities.
    • Establishing disaster recovery plans to restore IT systems and data after major incidents.
    • Learning from past incidents and exercises to continuously enhance resilience measures.
  • Examples:
    • Cyber Resilience Exercises: Simulating cyberattacks to test the organisation's response capabilities.
    • Disaster Recovery Plans: Outlining steps to restore IT systems and data.
    • Business Continuity Planning: Developing plans to ensure the continuation of critical operations during physical disruptions.

Knowledge Sharing

  • Purpose: Emphasises the importance of disseminating cybersecurity knowledge and best practices, both internally and externally.
  • Key Aspects:
    • Fostering a culture of knowledge sharing and collaboration within the organisation.
    • Establishing communication channels to share cybersecurity information.
    • Providing training and awareness programs to educate staff and stakeholders.
    • Collaborating with external partners to exchange threat intelligence and best practices.
  • Examples:
    • Warning, Advice and Reporting Points (WARPs): Peer support groups in the public sector for sharing cyber threat information.
    • CyberShare Fusion Cell: A collaborative approach to cyber incident response and coordination, involving information sharing and joint analysis.
    • Cyber Technical Advisory Group (C-TAG): Providing technical expertise and guidance to support cyber resilience in local government.

Key Concepts and Tools

  • Cyber Unique Organisation Reference Number (CUON): Randomly assigned to organisations for pseudo-anonymisation in information sharing and incident reporting.
  • Consequence, Relevance, Acceleration, Severity and Harm (CRASH) Gate: A matrix model for assessing cyber incident escalation and defining trigger points for response actions.
  • Fast-Time Communications: Enabling rapid information sharing and collaboration during cyber incidents.
  • Information Asset Ecosystem: A visual representation of the interconnectedness of information assets and their relationships within an organisation.
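To make the CUON idea concrete, here is an added example (mine, not part of the LACES framework or the post) of pseudonymised incident sharing: a private registry allocates a random reference number per organisation, the shared report carries only that number, and a check refuses to release a record that still names the organisation. The 8-hex-digit CUON format, the report fields and the sample reports are all assumptions constructed for the example.

```python
import re
import secrets

# Constructed sample incident reports; organisations and events are invented.
SAMPLE_REPORTS = [
    {"organisation": "Example Borough Council", "category": "phishing",
     "summary": "Example Borough Council staff received credential-harvesting emails."},
    {"organisation": "Example Borough Council", "category": "ransomware",
     "summary": "Follow-up from the same council; correlate with the earlier phishing."},
    {"organisation": "Sample District Council", "category": "phishing",
     "summary": "Sample District Council reports a similar phishing wave."},
]

class CuonRegistry:
    """Private mapping between organisation names and CUONs. The registry stays
    with the body allocating the numbers; only the CUON appears in shared
    reports. The 8-hex-digit format is an assumption, not the real scheme."""

    def __init__(self):
        self._by_org, self._by_cuon = {}, {}

    def assign(self, org):
        # Same organisation -> same CUON, so reports can be correlated
        # across incidents without naming the organisation.
        if org not in self._by_org:
            cuon = secrets.token_hex(4).upper()
            while cuon in self._by_cuon:  # reject the rare collision
                cuon = secrets.token_hex(4).upper()
            self._by_org[org], self._by_cuon[cuon] = cuon, org
        return self._by_org[org]

    def resolve(self, cuon):
        """Re-identification, available only to the registry holder."""
        return self._by_cuon[cuon]

    def pseudonymise(self, report):
        """Copy of a report safe to share: the organisation field becomes its
        CUON and mentions of the name in free text are replaced as well."""
        org = report["organisation"]
        cuon = self.assign(org)
        shared = dict(report, organisation=cuon)
        shared["summary"] = re.sub(re.escape(org), cuon, report["summary"],
                                   flags=re.IGNORECASE)
        return shared

    def leaks_identity(self, shared):
        """True if any registered organisation name survives in the record."""
        text = " ".join(str(v) for v in shared.values()).lower()
        return any(org.lower() in text for org in self._by_org)
```

Run `leaks_identity` over every record before it leaves the organisation; the registry itself is the sensitive artefact and should never be shared alongside the reports.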

The LACES framework provides a comprehensive and adaptable approach to managing cybersecurity risks, fostering a strong security culture, and building robust resilience against evolving cyber threats. It underscores the importance of collaboration, knowledge sharing, and continuous improvement in the face of an increasingly complex digital landscape.

Sunday, November 03, 2024

Threats and Opportunities of AI for UK Local Government