UCL Department of Science, Technology, Engineering and Public Policy


Dr Mark Sallos - Research Fellow, Cyber Readiness for Boards (CR4B)

Can you briefly describe what your research project is about?

In a sentence, Cyber Readiness for Boards (CR4B) is about supporting boardroom decision-making on issues of cyber risk. It aims to systematically engage directors and senior managers with cybersecurity oversight across several key sectors, understand their evolving needs, and generate a series of outputs based on the resulting knowledge. To achieve this aim, the research strategy employs a variety of tools which range from interviews and observations to simulation exercises. This is all supported by the blend of expertise brought forward by the project team, which includes both academic institutions, private sector partners, and entities like the UK’s National Cyber Security Centre and Lloyd’s Register Foundation. Given the ever-increasing role of private-sector cybersecurity as a societal concern, the outputs of the project have the potential to generate a significant positive impact and set the foundation for a new generation of boardroom support initiatives.

How is it different from other research projects in the topic?

The project is quite unique in a variety of ways. Firstly, it operates in an understudied space, with sensitive themes and participants which have historically been largely inaccessible for researchers. We are fortunate to benefit from the support of the project’s funders, and from the substantial experience of key team members in working with boards on sensitive topics. Secondly, the project’s methodology is geared towards depth and flexibility. There are very few starting assumptions, given our priority to reflect the voices, contexts, and actions of our participants as the foundation of our outputs. Thirdly, the project is informed by a rich understanding of context, as it encompasses multiple levels of analysis that converge to generate the outputs (i.e. individual context, tensions and interactions; organisational phenomena and considerations; and macro drivers and dynamics). As the research space is largely occupied by commercial actors, CR4B is well-positioned to engage with and contribute to its target communities without compromising on academic rigour and methodological transparency. 

What do you find exciting about this project?

I find CR4B to be of broad importance for a variety of stakeholders, who currently operate with a limited systematic/cross-field understanding of boardroom-level cyber risk decision making. On a more personal level, I also find it to be a stimulating and rewarding project to work on. This dynamic is a valuable mix between broadly impactful and personally engaging work. Having researched cybersecurity decision-making, risk and strategy for a number of years now, I have had to deal with a plethora of domain obstacles that restrict data access, inhibit possible transparency, and limit the potential scope of the work. It is a difficult space to study. Most incidents are disclosed to the public through involuntary means, which generates an incomplete perspective of the phenomena at play, creating a dangerous dynamic between complacency and ‘hype’. Without rigorous, systematic research, the knowledge gaps associated with cybersecurity and organisational decision making are, at best, filled with anecdotal accounts and informed assumptions; at worst, they enable speculations and disinformation. There are also a number of myths, or over-simplistic explanations for incidents that commonly frame the subsequent discourse. Needless to say, there is no reasonable substitute for thorough research as the basis for better diagnosing and tackling these issues. In this sense, the project provides a great platform to overcome the domain’s research barriers, leading to rich data collection opportunities — something that is both scarce and valuable for researchers within the field. Lastly, I find the challenges it raises to be incredibly formative. To summarise the answer to the previous question: we are engaging people that are very hard to reach, on topics that are hard to discuss, in a variety of different-yet-complementary ways, to tackle an important problem. As a result, each stage of the process involves measures of complexity, nuance and uncertainty. This makes for a very interesting, stimulating and challenging research experience. 

What are you working on now to prepare for the next stage of the project?

I am currently working on finalising a series of preliminary outputs and analyses which are a starting point for the previously mentioned emphasis on context. More broadly, the team is hard at work, making the necessary efforts to coordinate the project’s multiple dimensions and their respective data collection streams. We are also very actively engaged with our key stakeholders as we are setting up for the first round of interviews. Fun times ahead...