Abstract
A key factor underpinning a state’s capacity to respond to cyber security policy challenges is the quality of evidence that supports decision making. As part of this process, policy advisers, essentially a diverse group that includes everyone from civil servants to elected policy makers, are required to assess evidence from a mix of sources. In time-critical scenarios where relevant expertise is limited or not available, assessing threats, risk and proportionate response based on official briefings, academic sources and industry threat reports can be very challenging. This chapter presents a model for assessing the quality of evidence used in policymaking. The utility of the model is illustrated using a sample of evidence sources and it is demonstrated how different attributes may be used for comparing evidence quality. The ultimate goal is to help resolve potential conflicts and weigh findings and opinions in a systematic manner.
Chapter PDF
Similar content being viewed by others
References
D. Bestuzhev, How to survive attacks that result in password leaks? Securelist, Kaspersky Lab, Moscow, Russia, July 13, 2012.
D. Chaikin, Network investigations of cyber attacks: The limits of digital evidence, Crime, Law and Social Change, vol. 46(4-5), pp. 239–256, 2006.
G. Corera, If 2017 could be described as “cyber-geddon,” what will 2018 bring? BBC News, December 30, 2017.
P. Davies, Is evidence-based government possible? presented at the Fourth Annual Campbell Collaboration Colloquium, 2004.
E. Gartzke, The myth of cyberwar: Bringing war in cyberspace back down to Earth, International Security, vol. 38(2), pp. 41–73, 2013.
A. Glees, Evidence-based policy or policy-based evidence? Hutton and the government’s use of secret intelligence, Parliamentary Affairs, vol. 58(1), pp. 138–155, 2005.
C. Guitton and E. Korzak, The sophistication criterion for attribution: Identifying the perpetrators of cyber attacks, The RUSI Journal, vol. 158(4), pp. 62–68, 2013.
O. Hathaway, R. Crootof, P. Levitz, H. Nix, A. Nowlan, W. Perdue and J. Spiegel, The law of cyber attack, California Law Review, vol. 100(4), pp. 817–886, 2012.
IBM Security, IBM X-Force Threat Intelligence Index 2017, The Year of the Mega Breach, Somers, New York, 2017.
E. Kaspersky, The man who found Stuxnet – Sergey Ulasen in the spotlight, Security Matters, Kaspersky Lab, Moscow, Russia (www.eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight), November 2, 2011.
Kaspersky Lab and Business Advantage, The State of Industrial Cybersecurity – Global Report, Woburn, Massachusetts and San Francisco, California, 2017.
R. Lee and T. Rid, OMG Cyber! The RUSI Journal, vol. 159(5), pp. 4–12, 2014.
G. Leicester, Viewpoint: The seven enemies of evidence-based policy, Public Money and Management, vol. 19(1), pp. 5–7, 1999.
I. Levy, Active Cyber Defense – One Year On, National Cyber Security Centre, London, United Kingdom (www.ncsc.gov.uk/information/active-cyber-defence-one-year), 2018.
Mandiant, APT1: Exposing One of China’s Cyber Espionage Units, Alexandria, Virginia (www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf), 2013.
M. Monaghan, Appreciating cannabis: The paradox of evidence in evidence-based policy making, Evidence and Policy: A Journal of Research, Debate and Practice, vol. 4(2), pp. 209–231, 2008.
Mulgan, G.: Government, knowledge and the business of policy-making: The potential and limits of evidence-based policy. Evidence and Policy: A Journal of Research, Debate and Practice 1(2), 215–226 (2005)
National Cyber Security Centre, Password Guidance: Simplifying Your Approach, Guidance, London, United Kingdom (ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach), 2016.
National Cyber Security Centre, Weekly Threat Report, 22nd December 2017, Report, London, United Kingdom (www.ncsc.gov.uk/report/weekly-threat-report-22nd-december-2017), 2017.
National Institute of Standards and Technology, CVE-2014-0160 Detail, National Vulnerability Database, Gaithersburg, Maryland (nvd.nist.gov/vuln/detail/CVE-2014-0160), 2014.
M. Naughton, “Evidence-based policy” and the government of the criminal justice system – Only if the evidence fits! Critical Social Policy, vol. 25(1), pp. 47–69, 2005.
S. Nutley, H. Davies and I. Walter, Evidence-Based Policy and Practice: Cross Sector Lessons from the UK, Working Paper 9, ESRC UK Centre for Evidence Based Policy and Practice, University of St. Andrews, St. Andrews, Scotland, United Kingdom, 2002.
S. Nutley and J. Webb, Evidence and the policy process, in What Works? Evidence-Based Policy and Practice in Public Services, H. Davies, S. Nutley and P. Smith (Eds.), Policy Press, Bristol, United Kingdom, pp. 13–41, 2000.
T. Rid and B. Buchanan, Attributing cyber attacks, The Journal of Strategic Studies, vol. 38(1-2), pp. 4–37, 2015.
S. Shaikh, Future of the Sea: Cyber Security, Foresight, Government Office for Science, London, United Kingdom, 2017.
L. Shaxson, Is your evidence robust enough? Questions for policy makers and practitioners, Evidence and Policy: A Journal of Research, Debate and Practice, vol. 1(1), pp. 101–112, 2005.
W. Solesbury, Evidence Based Policy: Whence it Came and Where it’s Going, Working Paper No. 1, ESRC UK Centre for Evidence Based Policy and Practice, Queen Mary, University of London, London, United Kingdom, 2001.
Strategic Policy Making Team, Professional Policy Making for the Twenty-First Century, Version 2.0, Cabinet Office, London, United Kingdom, 1999.
L. Tanczer, I. Brass, M. Carr, J. Blackstock and M. Elsden, The United Kingdom’s emerging Internet of Things (IoT) policy landscape, to appear in Rewired: Cybersecurity Governance, R. Ellis and V. Mohan (Eds.), Wiley, Hoboken, New Jersey.
A. Venables, S. Shaikh and J. Shuttleworth, The projection and measurement of cyberpower, Security Journal, vol. 30(3), pp. 1000–1011, 2017.
N. Villeneuve, J. Bennett, N. Moran, T. Haq, M. Scott and K. Geers, Operation “Ke3chang:” Targeted Attacks against Ministries of Foreign Affairs, FireEye, Milpitas, California (www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf), 2014.
C. Weiss, The many meanings of research utilization, Public Administration Review, vol. 39(5), pp. 426–431, 1979.
R. Whitt, Adaptive policy-making: Evolving and applying emergent solutions for U.S. communications policy, Federal Communications Law Journal, vol. 61(3), pp. 483–590, 2009.
K. Young, D. Ashby, A. Boaz and L. Grayson, Social science and the evidence-based policy movement, Social Policy and Society, vol. 1(3), pp. 215–224, 2002.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 IFIP International Federation for Information Processing
About this paper
Cite this paper
Hussain, A., Shaikh, S., Chung, A., Dawda, S., Carr, M. (2018). An Evidence Quality Assessment Model for Cyber Security Policymaking. In: Staggs, J., Shenoi, S. (eds) Critical Infrastructure Protection XII. ICCIP 2018. IFIP Advances in Information and Communication Technology, vol 542. Springer, Cham. https://doi.org/10.1007/978-3-030-04537-1_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-04537-1_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-04536-4
Online ISBN: 978-3-030-04537-1
eBook Packages: Computer ScienceComputer Science (R0)