Sociotechnical Security Researcher
Accessibility as a security priority. Why it’s important and how to achieve it.
When security is inaccessible, it becomes hard or impossible to use.
Lee (he/him) is a researcher in the Sociotechnical Security Group (StSG) at the National Cyber Security Centre (NCSC). In his role, Lee works with colleagues in the NCSC and partners in academia, industry and government to develop and advocate for sociotechnical approaches to cyber security which consider cyber security in the context of people, processes, technology, culture, organisational goals, and the wider environment.
Lee specialises in both cyber risk and usable security, with experience in communicating cyber security and cyber metrics, data-driven approaches, usable and accessible cyber security, and understanding risk and risk management.
He worked with the Digital Responsibility and Cyber Risk Quantification fellowships at the Research Institute for Sociotechnical Cyber Security (RISCS) and sits on the advisory boards of a number of research projects focusing on accessible and inclusive cyber security.
Lee is a passionate advocate for the view that systems must be usable and accessible in order to be truly secure, and for the need to develop approaches to understand and address the risks that inaccessible systems pose to both individuals and organisations.
Cyber security as a discipline is increasingly moving beyond treating people as "the weakest link" towards embracing usable security that supports people in carrying out their objectives. Recognition of the importance of usability in security is to be welcomed. However, there has been less attention on the need to ensure the accessibility of security controls. Accessibility is important for ethical, economic, and legal reasons, but there is also a security need for more accessible systems. When the security we implement is inaccessible, it becomes hard or impossible to use, which negatively impacts security culture and cyber risk. This is true for all users and leads to the adoption of unsanctioned workarounds and increased rates of human error.
This applies not only to the technologies and tools that users interact with, but also to the way in which security information and requirements are communicated to them. In this talk, Lee will describe how accessibility failures in systems lead to increased levels of cyber security risk to users and organisations. He will describe how accessibility considerations for cyber security go beyond user interfaces alone and argue that accessibility issues in security should be treated as vulnerabilities in systems.
He will then describe lessons learned from the National Cyber Security Centre's (NCSC's) cross domain assurance pilot, the first NCSC assurance initiative to explicitly raise usability and accessibility as a security requirement. Finally, he will outline current and future work on accessibility within usable security and share practical ways practitioners can mitigate accessibility-related cyber security risk in their own organisations.