Invitation for Oxford CTF  

Invitation for Oxford CTF  

October 2020

We would like to invite you to participate in a research study being run by the University of Oxford in  conjunction with AXIS Insurance Company. The study is in the form of a capture-the-flag (CTF) event,  and the aim is to evaluate the effect of deploying varying risk-control setups on the security of a  network. During the study, you will be asked to capture flags representing a set of network-security  compromises, and report your progress using a logging platform. The results will be used to perform  a comparative analysis of the effect of various risk-control setups on the actions of network  attackers and the network-compromise aims they are able to achieve. We aim to use this empirical  evidence to draw conclusions about the “relative effectiveness” of these control setups in securing a  network. 

The CTF exercise may be accessed online at a time that suits you via a VPN connection and  credentials that will be provided once registered. A more detailed description of the study and  wider research project is attached to this email. 

If you would like to participate in this study, or have any questions, please email Dr Arnau Erola  ([email protected]) or Dr Ioannis Agrafiotis ([email protected]). 

Thank you for your time and consideration. 

[Please note: the deadline for participating is Friday, 6th November 2020.]

Invitation to Participate in Cyber Security Research Study 

Research Project: Refining Cyber Value-at-Risk 

Research Study: Exploring the Effectiveness of Risk Controls in a Capture-the-Flag Study Institution: Department of Computer Science, University of Oxford 

Project Investigators: Professor Sadie Creese and Professor Michael Goldsmith 

Project Researchers: Dr Arnau Erola, Dr Alastair Janse van Rensburg, Dr Ioannis Agrafiotis Background and aims of the project and study 

Being able to demonstrate that actions are being taken by a business to reduce information- or cyber- risk is  important. However, the security controls typically viewed as necessary by the professional / expert community  are not always underpinned by a framework that facilitates the quantification of the benefits resulting. This  means that the real value of compliance to such tools, or the variability of compliance to standards, is not truly  known. The aim of this project is to further refine the CVaR model and test its utility for use by stakeholders in  the insurance sector; namely in assessing the potential range of losses that organisations may be exposed to in  relation to their digitally supported operations. 

In this study, we aim to explore the effect of a set of risk-control setups on network security. The study is in the  form of a capture-the-flag event focused on evaluating the security of a network protected by risk-control setups  varying in terms of a) the types of control present and b) the configuration of these controls. The results will be  used to perform a comparative analysis of the effect of various risk-control setups on the actions of network  attackers and the network-compromise aims they are able to achieve.  

Why have I been invited to take part in this study? 

You have been invited to take part because of your experience in penetration testing. We hope that you will be  interested in our findings and we would be happy to share these with you after the study is complete.  

What will happen in the study? 

At the beginning of the study, you will be asked to read and sign a consent form, which outlines the study in  more detail. You will be presented with a description of the “flags” that are present on the network. Your task  is to capture as many of these flags as possible during the timeframe, and report your actions and the flags you  capture using a reporting platform. At the end of the study the researchers might ask you to participate in a  short interview, which you can decline. 

If you decide to participate, your responses will be kept confidential and only used in an anonymised format in  any reports resulting from this study. Participants should also note that they if they do agree to participate, they  can withdraw from the study at any time and have their data destroyed. 

How to participate 

If you would like to participate in the study, please email Dr Arnau Erola ([email protected]) or Dr  Ioannis Agrafiotis ([email protected]).  

We look forward to hearing from you, and thank you for participating in this research.  [Please note: the deadline for participating is Friday, 6th November 2020.] 

October 14, 2020
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013