Invitation for Oxford CTF
We would like to invite you to participate in a research study being run by the University of Oxford in conjunction with AXIS Insurance Company. The study is in the form of a capture-the-flag (CTF) event, and the aim is to evaluate the effect of deploying varying risk-control setups on the security of a network. During the study, you will be asked to capture flags representing a set of network-security compromises, and report your progress using a logging platform. The results will be used to perform a comparative analysis of the effect of various risk-control setups on the actions of network attackers and the network-compromise aims they are able to achieve. We aim to use this empirical evidence to draw conclusions about the “relative effectiveness” of these control setups in securing a network.
The CTF exercise may be accessed online at a time that suits you via a VPN connection and credentials that will be provided once registered. A more detailed description of the study and wider research project is attached to this email.
Thank you for your time and consideration.
[Please note: the deadline for participating is Friday, 6th November 2020.]
Invitation to Participate in Cyber Security Research Study
Research Project: Refining Cyber Value-at-Risk
Research Study: Exploring the Effectiveness of Risk Controls in a Capture-the-Flag Study
Institution: Department of Computer Science, University of Oxford
Project Investigators: Professor Sadie Creese and Professor Michael Goldsmith
Project Researchers: Dr Arnau Erola, Dr Alastair Janse van Rensburg, Dr Ioannis Agrafiotis
Background and aims of the project and study
Being able to demonstrate that a business is taking action to reduce information or cyber risk is important. However, the security controls typically viewed as necessary by the professional/expert community are not always underpinned by a framework that facilitates quantification of the resulting benefits. This means that the real value of compliance with such tools, or the variability of compliance with standards, is not truly known. The aim of this project is to further refine the Cyber Value-at-Risk (CVaR) model and test its utility for stakeholders in the insurance sector, namely in assessing the potential range of losses that organisations may be exposed to in relation to their digitally supported operations.
In this study, we aim to explore the effect of a set of risk-control setups on network security. The study is in the form of a capture-the-flag event focused on evaluating the security of a network protected by risk-control setups varying in terms of a) the types of control present and b) the configuration of these controls. The results will be used to perform a comparative analysis of the effect of various risk-control setups on the actions of network attackers and the network-compromise aims they are able to achieve.
Why have I been invited to take part in this study?
You have been invited to take part because of your experience in penetration testing. We hope that you will be interested in our findings and we would be happy to share these with you after the study is complete.
What will happen in the study?
At the beginning of the study, you will be asked to read and sign a consent form, which outlines the study in more detail. You will be presented with a description of the “flags” that are present on the network. Your task is to capture as many of these flags as possible during the timeframe, and report your actions and the flags you capture using a reporting platform. At the end of the study the researchers might ask you to participate in a short interview, which you can decline.
If you decide to participate, your responses will be kept confidential and only used in an anonymised format in any reports resulting from this study. Participants should also note that if they do agree to participate, they can withdraw from the study at any time and have their data destroyed.
How to participate
We look forward to hearing from you, and thank you for participating in this research. [Please note: the deadline for participating is Friday, 6th November 2020.]