Section Menu

The Network Security Innovation Platform

Now that electronic networks are common place and increasingly critical to society, so network security is seen as being a major growth area, and one where the UK is well placed to create added value, through the provision of both products and services. The Network Security Innovation Platform (NSIP) was created to respond to and answer this “challenge”.

As a definition, network security is concerned with the resilience of a network communications infrastructure, and with the security of the information being transmitted across that network. This will inevitably include the people using the network, and it is therefore relevant to include the usability of such systems.

Existing Government requirements for network security include identity cards and e-borders, and many other Government Departments are major prospective users of secure networks.

Additionally, to highlight the importance of network security to both UK companies and to us as individuals the DTI’s information security breaches survey 2006 found that;

• in the last hour £50,000 of credit card fraud will have taken place in the UK (totalling £440m last year), and
• in 2006, 62% of UK companies had a network security incident and the average cost of a company’s worst incident was £12,000

However, the real “challenge” that faced the NSIP was in bringing together key Government Departments, academia and business to identify where innovation could be used to solve specific problems. If successful, the UK would have a unique opportunity to influence the global market, and for UK firms to exploit the opportunities on offer.

First things first

NSIP’s early work in this area identified that the weakest link in network security is not usually a technological vulnerability but the people that work within the system. To give a simple example, the most secure system can be easily penetrated if staff with legitimate access write down their password or let it be used by someone else. You may think this is an urban myth but a recent poll of over 1800 adults found that:

• just over one third recorded their password or security information by either writing it down or storing it somewhere on their computer;
• nearly two thirds never changed their password; and
• 1 in 5 people used the same password for non-banking websites as well as their online bank.

Furthermore, not only can security can be compromised accidentally, but it can be done deliberately for illegitimate purposes such as fraud; the NSIP is concerned with both these issues.

Having established that in order to strengthen network security there is a need to address human, as well as technological, vulnerabilities the NSIP looked to see which problems would encourage the development of innovative solutions.

Next Steps

Human vulnerabilities in network security may arise inadvertently, due to a lack of understanding of security by the network user, or deliberately, due to insider fraud. Additionally, organisations need to establish effective security cultures and need to be able to assess the potential risks, (both benign and malign) that are posed by their employees.

With this in mind the NSIP launched a call for proposals as part of the Technology Strategy’s Autumn 2006 competition. The Human Vulnerabilities in Network Security call called for proposals that addressed the following questions;

• What social structures, rules and attitudes should exist in an effective security culture?
• How is it possible to create and embed these cultural characteristics in an organisation?
• To what extent is it possible to assess the risk that an employee will abuse their access to an organisation’s assets for illegitimate purposes (e.g. abuse their computer network access)?

This was an is a new area of activity for the DTI, linking technological innovation with behavioural science, and the NSIP worked closely with the Economic and Social Research Council (ESRC), another DTI first, in designing this call.

Output

There were a total of four successful proposals, and the initial 6 month feasibility stage projects started in April 2007. The projects are investigating the following areas

• developing a novel organisational and human factors focused network security risk assessment package;
• developing a predictive modelling framework that assesses the effectiveness of the security policies that regulate the interaction between humans and information systems;
• developing a potential technology solution for the analysis of digital communications in order to identify and act on potential security threats introduced by humans to information and IT services; and
• improving attitudes towards risks both to and from information systems, specifically a software-based tool that provides a network security awareness programme that is tailored to the individual employee.

There is follow-up funding of up to £4m available for the successful projects. It is worth noting that the successful projects could generate a total of £125m of extra income from successful market penetration resulting from their research.

What Next?

The NSIP has identified a number of other areas where the size of global opportunity and the UK’s capacity to develop and exploit that opportunity is sufficient for it to focus on identifying other “challenges”.

It is envisioned that highly trusted digital identities will be a reality by 2010; and these high assurance identities will be based on establishing the existence of an identity in society, (which can initially be privacy intrusive) and linking this established identity to an individual.

Such an identity can form the key to enabling many entitlement services. To be acceptable, such an identity infrastructure must offer assured privacy and informed consent. Furthermore, each time a person uses an identity service or enrols in an access control system, they need to fully understand what information they are providing to whom, what it will be used for and how that information can be further disseminated.

The NSIP is working with the Identity and Passport Service, the ESRC and Engineering and Physical Sciences Research Council (EPSRC) to develop a work package that will sponsor research and development into how to balance the intrusive nature of identity services and network security with expectations of privacy and consent.

A joint event “Ensuring privacy and consent in identity management infrastructures” is being held on 9th July 2007 at the DTI Conference Centre, 1 Victoria Street, London. To register for this event please follow the link to Kable’s website, who are organising the event on our behalf. http://www.kablenet.com/ke.nsf

And last but not least

Active business engagement is essential to the Innovation Platform concept, and the Cyber Security Knowledge Transfer Network (KTN), was established by DTI to lead the community of business interest to support the work of the Platform. The KTN already has over 600 businesses engaged and has established a number of working groups to take forward business challenges.

More information is available on the DTI website and via the Cyber Security KTN http://www.ktn.qinetiq-tim.net/.