UCL Department of Science, Technology, Engineering and Public Policy


Digital Policy Lab - Featured Researchers

Lise Andersen

Lise H. Andersen
Second year PhD Candidate working under the supervision of
Professor Madeline Carr, Professor of Global Politics and Cybersecurity

Can you briefly describe what your research project is about?

An increasing number of issues with complex scientific or technological basis are entering the international sphere requiring diplomatic solutions. Diplomatic processing of these types of problems requires a comprehensive grasp of the best and most up-to-date knowledge available. For this reason, it is important to understand the flow, exchange and management of knowledge within the setting of diplomatic multilateral negotiations. By studying several international multilateral negotiations, this project aims to identify and describe approaches to knowledge management throughout such diplomatic processes and if possible, identify best practices. 

How is it different from other research projects in the topic and what do you find exciting about this project?

This project is unique in that it sits at the intersection of two strands of literature that have had relatively little interaction in the past. That of the business literature and work on diplomatic practice. 
My interest in pursuing research in this area was gradually built up as I completed my previous university degrees. As I undertook my Bachelor of Arts in Global Studies at the University of California Santa Barbara, I gained a strong interest in climate change diplomacy. This interest further manifested itself in my dissertation Climate Change Negotiations 2015: Potential for an Effective Agreement? which I completed whilst studying for my Master of Science in Global Governance and Diplomacy at the University of Oxford. In my analysis of the positions of the five key parties in the 2015 climate negotiation, I duly noted that several major political parties around the world were ignoring, ignorant of or questioning the objectivity of important research in the natural sciences. Without a commonly accepted basis of facts diplomacy tends to struggle. I believe that knowledge management as a technical discipline will gain increased importance in years to come within the multilateral diplomatic context due to accelerating knowledge growth. I hope to uncover concepts from business literature applicable to diplomatic scholarship. The phenomenal knowledge growth, especially in the last 50 years, is constantly accentuating the need for interdisciplinary cooperation in many issues of a transnational nature.

What are you working on now to prepare for the next stage of the project?

I am currently working towards the completion of the PhD pilot study. This involves testing proposed methodologies and theories, investigating initial case study choices and presenting preliminary results in the form of a report and presentation to members of the department.

Our previous featured researchers:

Dr Mark Sallos - Research Fellow, Cyber Readiness for Boards (CR4B)

Mark Sallos
Can you briefly describe what your research project is about?

In a sentence, Cyber Readiness for Boards (CR4B) is about supporting boardroom decision-making on issues of cyber risk. It aims to systematically engage directors and senior managers with cybersecurity oversight across several key sectors, understand their evolving needs, and generate a series of outputs based on the resulting knowledge. To achieve this aim, the research strategy employs a variety of tools which range from interviews and observations, to simulation exercises. This is all supported by the blend of expertise brought forward by the project team, which includes both academic institutions, private sector partners, and entities like the UK’s National Cyber Security Centre and Lloyd’s Register Foundation. Given the ever-increasing role of private sector cybersecurity as a societal concern, the outputs of the project have the potential to generate a significant positive impact and set the foundation for a new generation of boardroom support initiatives.

How is it different from other research projects in the topic?

The project is quite unique in a variety of ways. Firstly, it operates in an understudied space, with sensitive themes and participants which have historically been largely inaccessible for researchers. We are fortunate to benefit from the support of the project’s funders, and from the substantial experience of key team members in working with boards on sensitive topics. Secondly, the project’s methodology is geared towards depth and flexibility. There are very few starting assumptions, given our priority to reflect the voices, contexts, and actions of our participants as the foundation of our outputs. Thirdly, the project is informed by a rich understanding of context, as it encompasses multiple levels of analysis which converge to generate the outputs (i.e. individual context, tensions and interactions; organisational phenomena and considerations; and macro drivers and dynamics). As the research space is largely occupied by commercial actors, CR4B is well positioned to engage with and contribute to its target communities without compromising on academic rigour and methodological transparency. 

What do you find exciting about this project?

I find CR4B to be of broad importance for a variety of stakeholders, who currently operate with a limited systematic/cross-field understanding of boardroom-level cyber risk decision making. On a more personal level, I also find it to be a stimulating and rewarding project to work on. This dynamic is a valuable mix between broadly impactful and personally engaging work. Having researched cybersecurity decision-making, risk and strategy for a number of years now, I have had to deal with a plethora of domain obstacles which restrict data access, inhibit possible transparency, and limit the potential scope of the work. It is a difficult space to study. Most incidents are disclosed to the public through involuntary means, which generates an incomplete perspective of the phenomena at play, creating a dangerous dynamic between complacency and ‘hype’. Without rigorous, systematic research, the knowledge gaps associated with cybersecurity and organisational decision making are, at best, filled with anecdotal accounts and informed assumptions; at worst, they enable speculations and disinformation. There are also a number of myths, or over simplistic explanations for incidents which commonly frame the subsequent discourse. Needless to say, there is no reasonable substitute for thorough research as the basis for better diagnosing and tackling these issues. In this sense, the project provides a great platform to overcome the domain’s research barriers, leading to rich data collection opportunities — something that is both scarce and valuable for researchers within the field. Lastly, I find the challenges it raises to be incredibly formative. To summarise the answer to the previous question: we are engaging people that are very hard to reach, on topics that are hard to discuss, in a variety of different-yet-complementary ways, to tackle an important problem. As a result, each stage of the process involves measures of complexity, nuance and uncertainty. This makes for a very interesting, stimulating and challenging research experience. 

What are you working on now to prepare for the next stage of the project?

I am currently working on finalising a series of preliminary outputs and analyses which are a starting point for the previously mentioned emphasis on context. More broadly, the team is hard at work, making the necessary efforts to coordinate the project’s multiple dimensions and their respective data collection streams. We are also very actively engaged with our key stakeholders as we are setting-up for the first round of interviews. Fun times ahead...

Dr Feja Lesniewska - Post-doctoral research associate working on the EPSRC funded PETRAS project
Image of Feja Lesniewska

Feja is a post-doctoral research associate working on the EPSRC funded PETRAS project located at STEaPP, UCL.

Can you briefly describe what your research project is about?

My research focuses on issues relating to the Internet of Things (IoT), security and governance. The world is becoming increasingly dependent on the IoT for the functioning and delivery of critical services like health, banking, transport and energy. This is a situation that is only going to increase and in doing so become more complex to manage effectively without undermining security and established privacy rights.

In my research I initially focused on how established international governance mechanisms, both multilateral and multistakeholder, have approached the novel security issues that the IoT raises. I am now taking the research forward to focus  on the introduction of the IoT into the maritime sector, focusing primarily on ‘smart’ ports.

The maritime sector is experiencing a radical transformation with new digital technologies being incorporated into ships, logistics and ports. Drivers behind this change include the sector trying to reduce greenhouse gas emissions to not only mitigate climate change but also to improve air quality in port cities. Understanding the security challenges this radical technological transformation will pose for the maritime sector is necessary so that appropriate legal and governance responses can be developed.

The difficulty is that this is all happening very quickly. It is becoming apparent that some of the regulatory tools we have traditionally relied on to deliver governance objectives may no longer actually be reliable. The IoT is not only the object of governance but is rapidly becoming integral to the design of new governance models. Lawyers and policy makers need to understand the challenges so they can effectively create a regulatory approach that ensures the security and well-being of people and the environment.

How is your research different from other research on the Internet of Things?

A great deal of the research on IoT governance issues focuses on the consumer aspects including standards, labelling, behavioural psychology, ethics, data protection and privacy rights. My research is specifically on critical infrastructure systems: transport, energy, ecosystems and communication. These are often not just domestic problems as many have a public goods dimension to them that transcends the usual regulatory boundaries. I am exploring how concepts used to tackle other global public goods issues, such as climate change, chemical and nuclear waste management for example, could be applied to IoT governance contexts. I am researching how the concept of polycentric governance could be used to mobilise and build trust and cooperation across multiple agents who shape the IoT ecosystem. In the research I have focused on the UN Paris Agreement on climate change as an example of an evolving polycentric governance system at the start of the 21st century.

What are you working on at the moment to prepare you for the next stage of the project?

I am developing a research plan to take our work on the IoT, security and ports forward. I will be comparing the strategies to develop smart ports in the UK, Netherlands and Singapore. In January 2019 the UK government launched the Maritime 2050: Navigating the Future. Digitalisation is a key component in the government’s strategy.  This is a particularly historic moment in the UK with the country leaving the European Union. The government is keen to learn lessons from the innovators in incorporating IoT into the maritime sector so it can become a leader itself in the new phase in its history in the world. The IoT, port and security research will contribute to a greater understanding of what the challenges are for the UK and how it can best learn from others.

Given the pace of change in this sector, research that contributes to understanding the challenges will be valuable to all those involved. Getting the future of the maritime sector right will be important for addressing the challenges of climate change, sustainable development and improving the vitality of the ocean ecosystem as a whole.

Dr Jose Tomas Llanos - Research Fellow in Privacy Aware Cloud Ecosystems (PACE)

Jose Llanos
Can you briefly describe what your research project is about?

Broadly speaking, the Privacy-Aware Cloud Ecosystems (PACE) project aims to develop a computational infrastructure capable of both enabling users to better understand which entities have access to and process their personal data, and enabling cloud-hosted services to elicit meaningful user consent for personal data processing. Both positive developments, in turn, have the potential to improve compliance with the General Data Protection Regulation (GDPR) in a way that is dynamic and more consistent with the expectations of cloud ecosystems’ stakeholders (i.e. cloud service providers, cloud service customers and data subjects). 

How is it different from other research projects in the topic?

Legal research on data protection in general and consent in particular almost invariably follows a silo approach, with an excessive focus on the current regulatory framework and its pitfalls, paying lip service to other disciplines that can dramatically contribute to improving data protection law compliance and thereby protect individuals’ fundamental rights. PACE, conversely, is a multi-disciplinary project, featuring the involvement of data scientists from Cardiff University and Newcastle University, as well as public policy scholars from UCL STEaPP. The computer science team is developing a permission-based ledger built upon blockchain technology that will ensure that all personal data access instances by diverse players in cloud ecosystems can be securely recorded and verified by users of cloud-hosted services. This solution will improve transparency by enabling the possibility to audit users’ data trail, thereby eliciting greater trust. The public policy team, in turn, is developing a set of policy requirements which will align with the GDPR and will be embedded in the technological solution. All recorded events on the blockchain will comply with said requirements, thereby promoting data protection law compliance. Accordingly, PACE is a unique and ambitious multi-facetted project, not so much aimed at exposing the rather apparent pitfalls of the data protection regulatory framework in the context of cloud ecosystems, but instead seeking to take advantage of technology to produce a solution capable of adapting such framework to the actual operation of cloud-based services.

What do you find exciting about this project?

The fact that user consent as a legal basis legitimising the processing of personal data has been rendered unfit for purpose in the digital economy is undisputed. With the increasing adoption of online services, users are bombarded with consent requests, leading to a scenario where we just ‘tick the box’ and agree to highly intrusive data processing practices, without understanding the potential consequences of these actions. Worst still, data protection concerns are compounded in cloud ecosystems, where a common infrastructure scattered across different parts of the world is shared amongst an array of entities, and personal data is transferred in ways that data subjects and even data controllers cannot possibly anticipate. This state of affairs depicts a bleak data protection scenario, which fuels user distrust and prevents the full realisation of the benefits that cloud technology can offer. As a competition and data protection law scholar focused on online platform markets, I was increasingly concerned by such dreary scenario, overwhelmed by a growing sense of hopelessness arising from the observation that the emergence of privacy-enhancing market solutions was highly unlikely. However, PACE does in fact have a remarkable potential to endow again user consent with meaning, restore its role in the protection of users’ autonomy and informational self-determination, and enable the launching of new privacy-driven services. Being able to participate in a project having such a potential for positive impact is tremendously exciting, as I was not even dreaming about such possibility only a few moths ago.

What are you working on now to prepare for the next stage of the project?

We are at the very early stages of PACE, so great challenges lie ahead! Currently I am conducting a literature review of consent in the cloud, as well as identifying data protection concerns posed by blockchain technology. These activities have provided the basis for two data protection law articles, hopefully to be published in the first half of the next year. Importantly, I am making multiple efforts to achieve the necessary coordination with the other teams involved in PACE, with a view to kickstarting the project on the right track. 

Sneha Dawda - Research Assistant



Sneha Dawda
Research Assistant

I recently started working at STEaPP as a Research Assistant on a project led by Dr Madeline Carr, working alongside Dr Alex Chung on delivering a map of the UK cybersecurity policy community. The focus of the ECSEPA project is really understanding why policy makers formulate cybersecurity policy in the way they do. When we think about what the project is unearthing, it quickly becomes apparent we have to define what the cybersecurity policy landscape actually looks like in the first place. The mapping project, the focus of my research, is doing exactly this.

Sneha Dawda and the Cybersecurity Governance Map

By using innovative software and visual graphics I've been creating the map of the UK cybersecurity policy community, consulting policymakers and academics on the accuracy, utility, and core concept. Two months into the map, it's definitely as complex and mind-boggling as you can imagine! However, the genuinely exciting aspect of this project is the potential to facilitate more efficient collaboration across Government and bring cybersecurity policymaking to an audience as an invaluable visual tool.

My background in research and education made this project a perfect fit for my interests, and it helps that I get to talk to some incredible people working in and outside of government. I have a BScEcon(Hons) in International Politics from Aberystwyth University and an MA in Global Security from the University of Sheffield. Whilst both my degrees sound broad, my desire to shape my research towards cyber politics is reflected in both of my theses.

For my Bachelor's thesis, I wrote on the Foucauldian construction of the US Surveillance State using the Edward Snowden's revelations as the catalyst for the privacy versus security debate. At Master's level, I wrote a genealogy of the internet to highlight the militaristic undertones it was created in that are currently shaping our concepts of warfare and espionage today. My areas of cyber politics research are embedded in securitisation, militarisation, warfare, and espionage. In the future I hope to continue my research in cybersecurity and pursue the constant challenges that cyberspace is presenting to Government and society.

Dr Alex Chung - Research Associate
Alex Chung
Dr Alex Chung
Research Associate





Dr Alex Chung is a Research Associate working on the EPSRC-funded project, 'Evaluating Cyber Security Evidence for Policy Advice' (ECSEPA), led by Dr Madeline Carr, Associate Professor of International Relations and Cyber Security and Programme Leader of Digital Technologies and Public Policy (MPA) at STEaPP.

Can you briefly describe what ECSEPA is about?

ECSEPA seeks to understand the challenges faced by UK policymakers working in cybersecurity and how we can support them in the policy process. We do this by looking at how they engage with evidence used for policymaking in cybersecurity through interviews and an online survey. Later this year, we will explore how policymakers make operational and strategic decisions during a table-top policy game using simulated cybersecurity crisis scenarios.

How is ECSEPA different to other research projects in cybersecurity?

Studies in cybersecurity research investigating the human factor often focus on end users. Our project, however, examines issues surrounding the policy process, an aspect of human dimension that's rarely addressed.

Our project is also unique as it embodies STEaPP's 'mode of research' - interdisciplinary research that tackles real-world challenges through co-design, co-production, and action research by engaging with policy actors.


What do you find exciting about this project?

Being a part of a cutting-edge research project that will lead to real-world impact on governance policy, education, skills training and more is a huge privilege and goal of mine. Creating impactful research that is used and appreciated is a central aim in my career and having the opportunity to fulfil this through ECSEPA is brilliant. We are already seeing how our project is well-received across the UK Government and how it's generating positive influence.

For instance, several Government Departments have expressed interest in working with us to further extend the ECSEPA Mapping Exercise (undertaken by dedicated STEaPP Research Assistant Ms Sneha Dawda) by building capabilities that would allow it to be sustained and implemented as an internal tool for staff training and briefing within departments, and externally showcased to the public as an interactive educational resource.

We are confident that upon its completion, the research impact produced by ECSEPA in terms of its reach and significance will go well beyond academia.

What are you working on now to prepare for the next stage of the project?

We are now gearing up for the online survey to be sent out to policymakers and we will soon be working on building the policy crisis game. We are carrying out these tasks with our project partners in Coventry University where our project technical expertise is based. Professor Siraj Shaikh (project Co-Investigator) and Mr Atif Hussain (Research Assistant) have been developing an quantitative assessment model to evaluate the perceptions of cybersecurity evidence quality using qualitative metrics. This model will play a central role in the game design, including how we go about selecting evidence sources and fabricating evidence content for our fictitious cybersecurity crisis scenarios. Watch this space as our project is about to get very exciting!