Scaling Trust: An Anthropology of Cyber Security (Renewal)

扩展信任：网络安全人类学（续订）

• 批准号: MR/X023338/1
• 负责人: Matthew Spencer
• 金额: $ 75.85万
• 依托单位: University of Warwick
• 依托单位国家: 英国
• 项目类别: Fellowship
• 财政年份: 2024
• 资助国家: 英国
• 起止时间: 2024 至 无数据
• 项目状态: 未结题
• 来源: https://gtr.ukri.org/projects?ref=MR%2FX023338%2F1
• 关键词: Scaling; Trust; Anthropology; Cyber; Security

Scaling Trust is an interdisciplinary research project drawing on resources from anthropology, sociology, communication studies, literary theory, philosophy of science and computing. Using interviews, textual analysis, workshops and ethnography, Scaling Trust examines recent transformations in Cyber Security across four distinct domains, and asks: how are novel models and methods reshaping trust and securing in contemporary society? How do new forms of narrativizing threats, problems of technology and scale, and security solutions define what a secure future may be?A) In the initial period of the fellowship, we investigated current transformations in technology assurance. Security in this domain has been treated as a quality of technical products, a quality that can be tested and measured in an evaluation lab. In recent years, we can observe increasing awareness of unintended side effects of reliance on trusted products and the rise of new approaches focused on risk and the quality of communication.B) We also, in the initial fellowship period, examined the emergence of 'de-perimeterised' security models, today most prominently associated with 'Zero Trust' IT architectures. We examine the nature of security models in general, and how this one in particular has challenged intuitions of information security as the protection of an 'inside' of a private network, and focussed attention instead on asset value. This formulation of the object of securing has profound implications for what counts as a security technology, and for how users/people are positioned and treated. C) In the renewal period, we will conduct an empirical study of the 'DevSecOps' movement, a movement that aims to reconfigure organisations, so that security, here understood as an organisational function, is no longer in a 'silo', but becomes integrated in collaborative multi-function delivery teams. The focus on social architecture here draws on classic organisational thinking in software development, such as Conway's law (that technology tends to inherit a pattern of organisation from the structure of teams who made it), on 'Secure by Design' concepts, and is driven by the demands of continuous delivery methodologies. Securing is here understood as what a part of an organisation does, alongside developing, maintaining and operating.D) During the renewal period, we also build out a study of the recent emergence of hardware-based vulnerabilities, such as Rowhammer, SPECTRE and Meltdown, which have fundamentally challenged some of the certainties upon which security reasoning was built. These vulnerabilities drew attention to the level of hardware as a source of uncertainty, challenging the notion that security can be understood via analysis of logics implemented in software. In addition to preventing attacks, securing thus becomes a matter of being responsive to novel vulnerabilities as they emerge. In Scaling Trust, we examine the narrativization of security, how securing is constituted as a meaningful activity in distinct, but intersecting ways, as these expert domains undergo transformation: how security is variously posed as a problem of A) evaluation, B) architecture, C) organisation and D) function. If, as we argue, the nature of cyber security is not fixed, but rather refracts through a number of expert practices, it is important to examine and make sense of how it is changing and the implications for society, for organisations and for policymakers.Scaling Trust includes a portfolio of engagement activities with policymakers and with organisations. It involves the use of a palette of qualitative research methodologies, but also the development of a new participatory workshop format, called 'Trust Mapping' for organisations and researchers. It is a fellowship project, and thus also involves investment in the PI, Dr Matt Spencer, supporting his career trajectory and development of a position of research leadership in cyber security.

“扩展信任”是一个跨学科研究项目，利用了人类学、社会学、传播研究、文学理论、科学哲学和计算资源。通过访谈、文本分析、研讨会和民族志，《扩展信任》研究了四个不同领域的网络安全最近的转变，并提出问题：新颖的模型和方法如何重塑当代社会的信任和安全？新形式的叙事威胁、技术和规模问题以及安全解决方案如何定义安全的未来？A) 在奖学金的初始阶段，我们研究了当前技术保障方面的转变。该领域的安全性已被视为技术产品的质量，可以在评估实验室中进行测试和测量的质量。近年来，我们可以观察到人们越来越意识到依赖可信产品带来的意外副作用，以及关注风险和沟通质量的新方法的兴起。B) 我们还在最初的研究金期间研究了“德”的出现。 - 外围化的安全模型，如今最显着地与“零信任”IT 架构相关。我们研究了安全模型的一般性质，以及这一模型如何挑战信息安全作为私有网络“内部”保护的直觉，并将注意力集中在资产价值上。这种安全目标的表述对于什么是安全技术以及如何定位和对待用户/人员具有深远的影响。 C) 在更新期，我们将对‘DevSecOps’运动进行实证研究，这是一场旨在重新配置组织的运动，让这里理解为组织职能的安全不再处于‘孤岛’，而是成为集成到协作式多功能交付团队中。这里对社会架构的关注借鉴了软件开发中的经典组织思维，例如康威定律（技术倾向于从制造它的团队结构中继承组织模式）、“设计安全”概念，并受到驱动满足持续交付方法的要求。在这里，安全被理解为组织的一部分所做的事情，以及开发、维护和运营。D) 在更新期间，我们还对最近出现的基于硬件的漏洞进行了研究，例如 Rowhammer、SPECTRE 和 Meltdown ，这从根本上挑战了安全推理所依据的一些确定性。这些漏洞引起了人们对硬件水平作为不确定性来源的关注，挑战了可以通过分析软件中实现的逻辑来理解安全性的观念。因此，除了防止攻击之外，安全还需要对出现的新漏洞做出响应。在《扩展信任》中，我们研究了安全的叙述性，随着这些专家领域的转型，如何以不同但交叉的方式将安全构建为一项有意义的活动：安全如何以不同的方式呈现为 A) 评估、B) 架构、 C) 组织和 D) 职能。如果像我们所说的那样，网络安全的本质不是固定的，而是通过许多专家实践折射出来的，那么检查并理解它是如何变化的以及对社会、组织和政策制定者的影响就很重要。扩大信任包括与政策制定者和组织的一系列参与活动。它涉及使用一系列定性研究方法，还涉及开发一种新的参与式研讨会形式，称为组织和研究人员的“信任映射”。这是一个奖学金项目，因此还涉及对 PI Matt Spencer 博士的投资，支持他的职业轨迹和网络安全研究领导地位的发展。