The Research Institute for Sociotechnical Cyber Security is the UK’s first academic Research Institute to focus on understanding the overall security of organisations, including their constituent technology, people and processes. Central to the RISCS agenda is the application of bodies of knowledge to stimulate a transition from ‘common practice’ to ‘evidence-based best practice’ in cyber security.
Already in March 2020, it was evident that the rapid transition into working remotely would impact on the security of organisations, as well as on the wellbeing of employees. How exactly it would do so was impossible to predict, given the complexity of such changes, as well as their unprecedented nature. As part of my fellowship, I have worked together with Amy Ertan and Georgia Crossland to investigate the impacts of the COVID-19 pandemic on the security of organisations. I chose this research theme to capture any significant changes happening in the employee-employer relationship due to the sudden increase in remote working. CyberFish research suggested that stress impacts decision-making, particularly during a cyber-incident response. Any increases in background stress, caused maybe by family or caring commitments, or transactional stress, maybe caused by having to use new remote-working tools, seemed likely to increase the risk of bad decision-making.
Our research team interviewed 18 cyber security leaders from a wide range of industries, not only to understand the effects of the transition itself, but also to gain an insight into various consequences that came about only as we have worked remotely for an unexpectedly prolonged period. The common themes from the interviews are organised into 9 findings, and the authors also provide actionable recommendations for senior leadership colleagues.
I am proud that, together with Amy and Georgia, and with the support of NCSC and the RISCS team, we have achieved an important piece of work. It is one of the first papers looking at this subject, and the contemporaneous evidence base should provide a valuable future resource for others following on.
The publication is, to the best of our knowledge, the first comprehensive analysis covering these highly current and extremely important issues through rigorous, qualitative research. It is directed at all audiences, including academic researchers, the policy community, and industry stakeholders. We recommend familiarising yourself with the results, and for your convenience an Executive Summary is provided at the beginning of the document.