Invitation for pentesters to participate in University of Oxford study
The Department of Computer Science, University of Oxford would like to invite pentesters to take part in their study:
"We would like to invite you to participate in a research study being run by the University of Oxford in conjunction with AXIS Insurance Company. The study is in the form of a capture-the-flag event, and the aim is to evaluate the effect of deploying varying risk-control setups on the security of a network. During the study, you will be asked to capture flags representing a set of network-security compromises, and report your progress using a logging platform. The results will be used to perform a comparative analysis of the effect of various risk-control setups on the actions of network attackers and the network-compromise aims they are able to achieve. We aim to use this empirical evidence to draw conclusions about the "relative effectiveness" of these control setups in securing a network.
The event will run from 9:30 to 15:30 on Friday 26th July at IBM Hursley. A more detailed description of the study and wider research project is attached to this email. If you would like to participate in this study, or have any questions, please email Dr Louise Axon ([email protected]).
Thank you for your time and consideration."
Invitation to Participate in Cybersecurity Research Study
Research Project: Analysing Cyber Value-at-Risk
Research Study: Exploring the Effectiveness of Risk Controls in a Capture-the-Flag Study
Institution: Department of Computer Science, University of Oxford
Project Investigators: Professor Sadie Creese and Professor Michael Goldsmith
Project Researchers: Dr Louise Axon, Richard Baker, Dr Arnau Erola, Alastair Janse van Rensburg
Background and aims of the project and study
Being able to demonstrate that a business is taking action to reduce information or cyber risk is important. However, the security controls typically viewed as necessary by the professional and expert community are not always underpinned by a framework that allows the resulting benefits to be quantified. This means that the real value of compliance with such tools, or the variability of compliance with standards, is not truly known. The aim of this project is to explore a model, approach and prototype tool that can relate security controls to assets, harms and cyber value-at-risk; this can also be used to consider the benefit of standards compliance.
In this study, we aim to explore the effect of a set of risk-control setups on network security. The study is in the form of a capture-the-flag event focused on evaluating the security of a network protected by risk-control setups varying in terms of a) the types of control present and b) the configuration of these controls. The results will be used to perform a comparative analysis of the effect of various risk-control setups on the actions of network attackers and the network-compromise aims they are able to achieve.
Why have I been invited to take part in this study?
You have been invited to take part because of your experience in penetration testing. We hope that you will be interested in our findings and would be happy to share these with you after the study is complete.
What will happen in the study?
The study will take place on Friday 26th July 2019 at IBM Hursley. At the beginning of the study, you will be asked to read and sign a consent form, which outlines the study in more detail. You will be presented with a description of the “flags” that are present on the network. Your task is to capture as many of these flags as possible during the timeframe, and report your actions and the flags you capture using a reporting platform. At the end of the study, you will be asked to participate in a short interview.
Participation in this study is voluntary, and participants are free to withdraw at any time without giving a reason and without being penalised or disadvantaged. You are welcome to ask questions before deciding to participate.
This study has been reviewed by, and received ethics clearance through, the Computer Science Departmental Research Ethics Committee (CS-DREC) at the University of Oxford (reference: CS_C1A_19_033). If you decide to participate, your responses will be kept securely, kept confidential and only used in an anonymised format in any reports resulting from this study. Participants should also note that if they do agree to participate, they can withdraw from the study at any time up until a specified cut-off date, and have their data destroyed.
How to participate?
If you would like to participate in the study, please email Dr Louise Axon ([email protected]).
We look forward to hearing from you, and thank you for your time and consideration.