Invitation to Participate in Cyber Security Research Study
by Department of Computer Science, University of Oxford
“We would like to invite you to participate in a research study being run by the University of Oxford in conjunction with AXIS Insurance Company. The study is in the form of a capture-the-flag (CTF) event, and the aim is to evaluate the effect of deploying varying risk-control setups on the security of a network. During the study, you will be asked to capture flags representing a set of network-security compromises, and report your progress using a logging platform. The results will be used to perform a comparative analysis of the effect of various risk-control setups on the actions of network attackers and the network-compromise aims they are able to achieve. We aim to use this empirical evidence to draw conclusions about the "relative effectiveness" of these control setups in securing a network.
The CTF exercise will run from 09:00 to 13:00 on Friday, 27th March at the IBM X-Force Command Cyber Tactical Operations Centre (C-TOC) in Southbank, London, followed by lunch at the IBM Southbank offices where you will have an opportunity to participate in a focus group afterwards. Please see the attached detailed descriptions of the study and wider research project.
If you would like to participate in this study, or have any questions, please email Dr Arnau Erola ([email protected]) or Dr Alastair Janse van Rensburg ([email protected]). Please note, numbers are limited so early notification of your interest is recommended.
Thank you for your time and consideration.”
Research Project: Refining Cyber Value-at-Risk
Research Study: Exploring the Effectiveness of Risk Controls in a Capture-the-Flag Study
Institution: Department of Computer Science, University of Oxford
Project Investigators: Professor Sadie Creese and Professor Michael Goldsmith
Project Researchers: Dr Arnau Erola, Dr Alastair Janse van Rensburg
Background and aims of the project and study
Being able to demonstrate that a business is taking action to reduce information or cyber risk is important. However, the security controls typically viewed as necessary by the professional/expert community are not always underpinned by a framework that facilitates quantification of the resulting benefits. This means that the real value of compliance with such tools, or of the variability of compliance with standards, is not truly known. The aim of this project is to further refine the Cyber Value-at-Risk (CVaR) model and test its utility for stakeholders in the insurance sector, namely in assessing the potential range of losses that organisations may be exposed to in relation to their digitally supported operations.
In this study, we aim to explore the effect of a set of risk-control setups on network security. The study is in the form of a capture-the-flag event focused on evaluating the security of a network protected by risk-control setups varying in terms of a) the types of control present and b) the configuration of these controls. The results will be used to perform a comparative analysis of the effect of various risk-control setups on the actions of network attackers and the network-compromise aims they are able to achieve.
Why have I been invited to take part in this study?
You have been invited to take part because of your experience in penetration testing. We hope that you will be interested in our findings and would be happy to share these with you after the study is complete.
What will happen in the study?
The study will take place between 09:00 and 13:00 on Friday, 27th March 2020. At the beginning of the study, you will be asked to read and sign a consent form, which outlines the study in more detail. You will be presented with a description of the “flags” that are present on the network. Your task is to capture as many of these flags as possible during the timeframe, and report your actions and the flags you capture using a reporting platform. At the end of the study, you will be asked to participate in a short interview and be given the opportunity to participate in a focus group afterwards.
If you decide to participate, your responses will be kept confidential and only used in an anonymised format in any reports resulting from this study. Participants should also note that if they do agree to participate, they can withdraw from the study at any time and have their data destroyed.
How to participate
We look forward to hearing from you, and thank you for participating in this research.