‘Various studies over the past decade have demonstrated that many people could easily be manipulated to reveal their password in exchange for something as simple as a bar of chocolate.’
Turning our attention this month to cyber security, we interviewed Michelle Govan on what we can expect from this sector.
Michelle, is your background in cyber security?
Not entirely. My undergraduate degree was in mechanical design engineering, followed by a PhD in control theory at Glasgow University. From there I joined Glasgow Caledonian University researching biometrics, which led to my interest in security, digital forensics and ultimately digital resilience. In my academic roles I’ve directed the development of study programmes focused on security that meet the demands of the industry. In my present role at the University of the West of Scotland, my priority is developing innovative work-based learning programmes to address the skills.
What are you passionate about when it comes to academia and security?
I believe that positive societal impact cannot happen in isolation; it requires collective action. We will only be able to address evolving challenges and establish a vision of a safer, securer and resilient society through the collective achievements of creative, committed and passionate individuals. I am very passionate about engaging, educating and connecting academia, industry and the public and private sectors. We engage through active platforms and activities that foster collaborative and action-based approaches, and thought leadership. Sharing aspirations and accomplishments is the catalyst that inspires and empowers people to realise ideas and capabilities, and create positive impact with respect to education, knowledge transfer and research.
One fundamental aspect of this is the education of the next generation of cyber professionals. My engagement with industry has established that universities are failing to equip students with the skill sets required. This conclusion is supported by a recent McAfee report on the international shortage in cyber security skills. It found that only 23% of respondents said education programs were preparing students to enter the industry. This is why I am focused towards developing new and innovative programmes of study in partnership with industry. It is crucial that we listen and engage with industry to develop degrees and initiatives that will create the skills desired now and in the future. We can then in a small way address the skills gap that exists globally. I have been a strong advocate for work-based learning. I believe that the development of graduate level apprentices in Scotland will be of vital importance to developing graduates and future impact makers able to meet the challenges ahead. This is why my interest at the moment is focused on engaging with industry to establish these degrees, and why I am actively reaching out to industry.
Are people in general aware of the issues of IT security?
I think through different educational awareness initiatives people are becoming more aware of the issues surrounding digital security, but how they observe and implement security is dependent on the impact that this would have on them at a personal level. Various studies over the past decade have demonstrated that many people could easily be manipulated to reveal their password in exchange for something as simple as a bar of chocolate. While they may not exchange their personal banking details for a bar of chocolate (although this will be dependent on the level of funds!), they may not feel the same level of responsibility for other systems where they believe that the impact personally to them will not have the same negative consequences. Clearly this creates challenges in the workplace. Human qualities and characteristics (such as trust, fear, helpfulness) will always make the human element of security the weakest link, and the easiest to target.
So are people getting better at responding to things like phishing attacks?
The recent IBM Threat Intelligence report for 2016 estimated that almost 3% of attacks it sampled in 2015 security incidents were due to phishing. We have witnessed the prevalence of phishing attacks vary over the years, almost coming as waves with peaks and troughs. As educational awareness programmes are implemented, the number of security incidents decreases, which means we tend to have less focus towards education, thus allowing the attack to increase again as people become more relaxed. Education is of vital importance to security, not only in creating the expertise at the cutting edge of technology, but for the basic user, highlighting the different aspects and presenting the challenges we all face in ways which can be understood and related to.
How else does your work touch upon legal matters?
My technical research focus is on the threats and malicious ways in which technology can be exploited, and the extent to which technology acts as a silent witness to interactions and activities; specifically, establishing the theoretical and practical implications and potential opportunities that exist around the natural movement of data on multiple devices via cloud formations. While understanding the cached data and artefacts on digital devices can be highly significant and probative, yielding an insightful behavioural archive and source of evidentiary material, it can also have a very personal human element. Being able to piece together and understand the sequence of events by utilising the data on digital devices during tragedies and catastrophes like terrorist attacks can provide families with closure that they often require.
How do we improve security?
I think there are many fundamental and innovative ways in which security can be improved; however, I believe we have to accept that we will never achieve completely secure and useable systems, therefore the focus should be towards digital resilience and coming together as a community to address the challenges we all face. The focus should be on the ability to prepare for, adapt to, withstand and rapidly recover and learn from disruptions from cyber attacks. We need to ask the questions: how can we identify attacks, how can we limit the impact, and how can we gather the information to understand and learn. To do this, we need to develop the skills, knowledge and understanding of the risk, and then take the necessary steps to prepare for and respond to such events.
Michelle Govan LinkedIn: https://uk.linkedin.com/in/michelle-govan-825bb665