How Many Shades of NIS? Understanding Organisational Cybersecurity Cultures and Sectoral Differences

Summary

The project will develop an empirically-grounded understanding of the role and impact of organizational cybersecurity culture and practice across essential infrastructure sectors on the UK’s implementation of the NIS directive. Through fieldwork, subsequent analysis of the data, and modelling of cybersecurity controls in the extensive Bristol Cyber Security testbed, we will uncover organizational and sectoral differences, for instance, in the way in which people work, what technologies (software/hardware) are relied upon, and what additional compliance requirements exist. This will yield key insights about the NIS objectives that are already achieved, the ones that are difficult to realize effectively, and potential blind spots arising from organizational cultures and sectoral practices. This will lead to an understanding of the drivers of and potential obstructions to the UK’s implementation of NIS across operators of essential infrastructures. To achieve this, the project brings together an inter-disciplinary team at the University of Bristol drawing upon expertise in socio-technical approaches to cybersecurity of critical national infrastructure (Rashid), human and organizational aspects of security (van der Linden) and social and regulatory aspects (Milyaeva).

Project members

Awais’ research spans cyber security and software engineering. He focuses on novel software modularity techniques that underpin software that is adaptable, evolvable and resilient in the face of changes and the volatile nature of user requirements and behaviours in the modern digital world. This naturally ties in with his cyber security research, which focuses on developing tools and techniques that are adaptable to the constantly changing threat patterns utilised by criminals online. He is particularly interested in the security of cyber-physical systems, such as industrial control systems and the Internet of Things. He is also a keen researcher of adversarial and non-adversarial behaviours pertaining to cyber security. He heads the Cyber Security Group at Bristol, leads projects as part of the UK Research Institute on Trustworthy Industrial Control Systems (RITICS) and UK Research Institute on Science of Cyber Security (RISCS), co-leads the Security and Safety theme within the UK Hub on Cyber Security of Internet of Things (PETRAS) and is a member of the UK Centre for Research and Evidence on Security Threats (CREST).

Dirk is studying human aspects of cybersecurity. Prior to this he was at Lancaster University conducting empirical research on the security attitudes of software developers. He has a PhD from Radboud University Nijmegen, and received his MSc in Information Science from the same university.

Sveta’s research interests are in the field of economic sociology where she has been studying digital personal data and financial derivatives markets. She focuses on the economic mode of digital society – where digital technologies come from, how they enable trade, exchange and resource allocation, and how they are governed. She completed a PhD in sociology, in particular in social studies of finance, where she focused on how financial products are shaped by digital and legal technologies of global trading.

Since 2013 she has been working on an ERC-funded project examining the issues related to digital personal data and its commercial use. She conducted research in the online personal data industry and start-ups in Europe and the US to expand on how innovative privacy (or control of digital data) products emerge in digital markets. She is also interested in the European General Data Protection Regulation (GDPR) and how specific legal techniques reconcile economic and civic concerns in public governance of the global online data market.