DTI finds four million to fund security research
The UK Department of Trade and Industry has announced GB £4 million funding for research into the human factors that contribute to information security incidents. This long-overdue recognition of probably the biggest contributor to corporate security breaches will support four projects.
Three of the projects take a human-driven emphasis. A joint venture between BAE Systems and Loughborough University aims to map the human element of security risk. A spokesperson at Loughborough informed heise Security that they plan to develop metrics of organisational structures and employee types in order to identify potential emergent behaviours. On the policy front, a consortium including Hewlett Packard, Merrill Lynch, the Universities of Bath and Newcastle and University College London will work on predictive modelling of the effectiveness of information security policies. The National Computing Centre (NCC) and the University of Manchester are developing a software-based tool to improve attitudes to information security risk in the corporate environment. Daniel Dresner of the NCC told heise Security they plan to measure and correlate corporate risk appetite and employee risk attitude in order to identify workable regimes. These could presumably be used as the groundwork for functional policy making.
Working from a more technical perspective, Chronicle Solutions and the University of Plymouth plan to create a technological solution for the analysis of communications data that will identify hazardous human interactions with IT. This kind of research is a welcome departure in a still techno-centric security culture where policies are often an afterthought and discussion of password strength frequently dominates user security issues.