
Q&A: Nigel Jones, director of the Cyber Security Knowledge Transfer Network

16 Sep 2008, Phil Muncaster, Computing

http://www.computing.co.uk/ctg/analysis/1862323/q-a-nigel-jones-director-cyber-security-knowledge-transfer-network

Jones: We have to focus on something achievable

Nigel Jones is director of the Cyber Security Knowledge Transfer Network (KTN), one of the 24 KTNs set up by the government to encourage the flow of knowledge within communities and between Whitehall and those communities.

Jones talked to Computing about the challenges of encouraging better security.

As director of the cyber security KTN, what are the aims of the organisation?

We are run by the new Technology Strategy Board – an arms-length government board – in fact it's very important that we're arms length and business-focused. We're intended to be the eyes and ears of business, academia and government to advise the Technology Strategy Board where to invest. We also have a particular mandate to create innovation in the security sector, and to improve security generally.

So what is the value of the KTN's special interest groups (SIGs)?

These are the places where a lot of the thinking gets done. We've just launched one looking at the economics of information security, and previous SIGs included privacy engineering, which resulted in a report launched at the Infosec event. There was also a SIG on secure software development which was set up with the idea that it would produce something people can actually use, like guidelines on the software development lifecycle.

Tell us more about the latest SIG on the economics of IT security?

It will have to focus on something achievable – what are the economic models; is return on investment (ROI) the best way to look at security; what's the relationship between confidentiality, availability and integrity; and can we put values on these to make investment cases?

Unless it's going to be meaningful to business it will be just another useless discussion. And how do we make this thinking on economics available to small businesses who aren't thinking about these things? Another area we could look at is that there is not enough data in this security domain so people are making claims about products which are hard to validate. We also don't know the extent of the attacks on organisations, so we don't know the threat profile of one organisation versus another.

So what is the difference between the way a large organisation approaches security and a smaller firm?

The threat, and people's responsibility for the information assets they hold, are not well understood among small- and medium-sized businesses, and why would they be? So we need to make it meaningful to these businesses. There are big differences between the way a large financial organisation looks at the problem and how a small business looks at the problem. One sits in a regulatory framework and understands risk and puts a value on its assets; the other may have a responsibility to be PCI compliant but doesn't necessarily value the information it holds.

But giving a monetary value to the information they hold, if not to your business then to the criminal, may work. People also make assumptions about ROI being the only way to talk about security and we need to challenge that.

But how easy is it to effect cultural change?

When people talk about this what they mean is people's behaviour. There's a big focus on information awareness and training but it's much deeper than that – the behavioural aspect must come back into the design element.

This is not a problem that can be solved with some training – more thought needs to go into writing security requirements. I'm not sure you can blame the people for a cultural malaise, if you're not designing systems with them in mind. Education can mitigate poor design or shortcomings but the real work should start much earlier. Our Privacy Engineering Special Interest Group, for example, produced guidance on how to design privacy into all stages of a project, from inception right up to the secure disposal of a product.

© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093