Celebrating Excellence in Human Centric Cybersecurity

The Airbus Centre of Excellence in Human Centric Cyber Security at Cardiff University is a multi-layered collaboration led by Airbus, with Cardiff University. Founded as a strategic alliance to solve human-focused threats to cyber security, the agreement draws the partners closer to work on joint projects, and builds on the existing Centre of Excellence in Cyber Security Analytics at Cardiff University. In the second of two blogs, we focus on extracts from the launch speeches, celebrating the growth and future of the partnership.

Matilda Rhode, Head of Cyber Innovation and Scouting, Airbus

“I Iead the innovation and scouting team at Airbus. My journey with Airbus began quite a while ago: it’s a product of the collaboration between Cardiff University and Airbus. I started out in 2015 with my PhD, supervised by Professor Pete Burnap, so I’ve been watching the story evolve.

We work across emerging trends: machine learning, data science and ‘Artificial Intelligence.’ Back in 2014, my predecessor, Dr Kevin Jones, anticipated this, and began working with academics leading in this space.

Pete Burnap’s secondment to Airbus led to the establishment of the Airbus Centre of Excellence in Cyber Security Analytics. Over six years, it has included four funded PhDs, one research associate project funded by Endeavr and now an extended Knowledge Transfer Partnership, which means we’ve got additional funding from InnovateUK and Welsh Government to enable international travel for the knowledge transfer partner.

The partnership started by looking at automated attack detection, which is the most popular application of machine learning in this space, and found that some of the tools heavy publicised in the market were reporting fantastic results.

We thought, okay, let’s test out what they’re saying, and then let’s try internally on our own data, which we were only able to do by harnessing the skills from academia and then combining that with what we had in-house. And we found that there was this quite big disconnect and we published that in case anybody else wanted to know, so beware what you buy!

That allowed us to have the skills to critically evaluate products that we might be thinking about buying, that claim to be using machine learning, artificial intelligence. They do require interrogation. In fact, people are quite worried that in tandem with rapid adoption of machine learning – from personal systems to recommending what you watch next on Netflix – are hidden vulnerabilities.

The extended Knowledge Transfer Partnership we have in place now is directly addressing this question: what vulnerabilities are being introduced by the adoption of machine learning? And we’re looking at how you can certify AI that is going on a safety critical system.

It’s a really huge challenge, not just because AI is difficult, but because certification doesn’t exist yet. So we will still have to do some prediction around what we can see coming next. But that’s the only way to stay ahead. We need to be predictive about what’s coming next.

The human centric side of security is another trend we’ve seen over the past few years, focusing a lot on, as Kevin said, ‘this user’s clicked on a link.’ How can we wrap some more technology around this user to contain what they’ve done?

Well, it keeps happening over and over again. Something like 80 to 90% of attacks start off by exploiting human vulnerability. And we’ve seen recent high-profile attacks, for example, in Uber, where they had great security infrastructure in place.“We approached Cardiff and selected the University based on their excellent track record in human factors research, led by Professor Phil Morgan. We sought funding from Endeavr over four years, including two PhDs, whilst concurrently running the Cyber Lab programme, which allowed us to expand our workforce in Newport.

Most of the work that was done by Phil and his team was looking at why people engage in cyber risk, why do these things happen? And you can imagine being put under time pressure means you don’t go through your entire checklist, and you might be more likely to take a risk. But we also looked at topics like inclusion and diversity, and the way security professionals interact with other employees in the business.

You might have experienced this in your daily life when you talk to the IT department, for example. Is there a disconnect there? Could that relationship be improved? There’s a lot more to be done. We’ve identified why a lot of risks happen, but the next stage is risk mitigation, looking towards a socio-technical approach to cyber security.

And we hope that through the establishment of the Centre of Excellence and Human Centric Cyber Security, we’re going to be part of bringing forth a new generation of researchers and students who are hybrid and expert in inclusive technical security.

We’ve learned a lot from our previous collaboration is that there’s a lot of valuable research to be done. We need to focus next on how we adopt research into the business, how we build systems to push it out of our lab, potentially into start-ups within the local ecosystem, and buy them back. It sounds ambitious, but we think it we think it will work, and we’re looking forward to where we’re going in future.”

Professor Pete Burnap, Data Science and Cybersecurity, Cardiff University

“My secondment to Airbus kicked the whole thing off, and put me in the Airbus building three days a week. Working next to the cyber security researchers was a very different way of doing things from the University. It gave me the opportunity to sit with the team, but also, as a leader, to develop roadmaps and plans.

So very early in that you pitch in for multiple million pounds of effectively internal funds to deliver something for the business where they’re going to want to know immediately, if I’m going to give you this, what’s the value? What am I getting back for the business?

This has been massively beneficial – to get to pitch to others to get additional funds to leverage that better value for the investment: so it gives the industry team access to my academic expertise in a way they wouldn’t do through a meeting.

We’ve developed PhDs, and secondments are Airbus. With the newly-founded Cyber Innovation Hub, we are looking to take expertise and spin that into products and grow that commercial sector from start-ups anchored in Wales and to upskill 1,500 people in line with industry needs.

Our skills agenda initially came from an advisory board that was chaired by Dr Kevin Jones. We tore apart our programme and put it back together to be able to form a new degree which has NCSC accreditation, thanks to work by Dr Yulia Cherdantseva.

The question for us now is where do we go next? We are doing work around AI and Cyber Defence. We’re building a digital infrastructure as a society now where everything is interconnected, arguably layering AI on top of that: we always fix the technology problems after the fact, and we are always trying to patch cybersecurity vulnerabilities: how do we make sure everything is adopted in a secure way? We need to change people’s minds to develop security into systems from the start – the human centric element.”

Phil Morgan, Professor of Human Factors and Cognitive Science, School of Psychology

“Optimising people is the key element in cybersecurity. We’ve got the best hardware, software and processes. We continue to develop them, but we need more work on a human centric front. Kevin Jones, Pete Burnap and I recognised five years ago that we needed to do something about human centric issues in cybersecurity, industry and workplaces. Following discussions with NCSC, we realised seamless cybersecurity was impossible unless we get the people factor right.

We put a proposal before the Airbus board to develop a human centric cybersecurity team within Airbus. I was chosen to lead the team. Stage one of my mission was clear: a roadmap to look at state of the art domain analysis to establish what we needed in this area. We soon established we needed loads! We needed a bigger team. Cardiff University and the ESRC Impact Acceleration Fund supported the funding of two people to scope out research activities.

We developed a very ambitious programme of research looking at things like developing best in class tools to try and detect human cyber vulnerabilities and strengths, and to try to mitigate risks. We were thinking about understandable and explainable cybersecurity communication; looking at human factors like the design of cockpits in aircraft, for instance, which can reduce errors and mistakes and make flying the safest way to travel in the world.

Endeavr Wales joined us on this mission and invested in a full-time research associate and supported two PhD students. We brought in areas including neuroscience, visual perception, attention, social robotics – areas not normally typically associated with cyber.

So we established the Airbus Cyber Psychology and Human Factors team in March 2019, and launched an accelerator in Human Centric Cyber Security to bring in like-minded people and organisations to work with us.

We developed completely new ways of looking at human centric cybersecurity – new methods, paradigms and tools – looking at cyber-risky behaviours. For instance, we developed a tool which can predict 65 per cent of the reasons why people in organisations engage in cyber-risky behaviours.

We also developed strong insights into other predictive factors including cognitive load, time pressures, multitasking and so on… we drop ourselves into a workplace but get bombarded by other things going on, and that’s when mistakes can be made.

It took us outside our comfort zones in some areas to work with Airbus, including looking at programme activities, pitching, delivery networking – no opportunities exist like this normally. Covid-19 didn’t slow us down: we adapted our research programme and we ran more than 12 large-scale experiments with over 4,000 participants. We are now back in the lab and conducting some of these experiments in person to validate our results.

We brought others into our team. UKRI, EPSRC and ESRC invested in research fellows, providing springboards for the careers of some of these team members.

Statistics suggest humans can be responsible for up to 90 per cent of cyber-attacks: that doesn’t sound great, does it? Over the last five years, we have really identified ‘why’ these things occur. So what’s next?  The Airbus Centre of Excellence in Human Centric Cybersecurity is another impressive investment by Airbus working with Cardiff University. The team will now focus on interventions with impact which will so alter the research: things like developing our human cyber vulnerabilities and strengths, working with Airbus teams on optimising training, developing decision support systems that are adaptive, thinking about ‘black box’ thinking – trying to predict when things will go wrong – so maybe we can reduce the incidences of these things, and improving diversity, equality and inclusion within cybersecurity, because we know there’s a problem there. We are facing this challenge head on and we are very excited about it.

I firmly believe, and Airbus does, that humans can be the strongest link in cybersecurity. We look forward to showing you how.”