Why is Academia Important to Cybersecurity? 

Professor Steven Furnell tells Infosecurity Europe about his research interests and the growing role of academia in developing the field of cybersecurity

As the cybersecurity sector has expanded, so too has the role of academia in this field. This is both in terms of developing the skillsets and knowledge of prospective workers and providing vital research into areas such as the application of new technologies and understanding the societal impact of cybercrime.

Professor Steven Furnell is a prominent figure in the UK’s cybersecurity academic community, holding the post of Professor of Cyber Security in the School of Computer Science at the University of Nottingham, where he is helping to build up a new research group.

Having first touched upon cybersecurity issues during his PhD at the University of Plymouth, Furnell undertook postdoctoral work at the same institution before becoming a lecturer there. He stayed for over 20 years prior to his move to Nottingham, progressively building up the coverage of security within both teaching and research, and supervising numerous PhDs in the area.

Infosecurity Europe recently spoke to Furnell about the evolving role of academia in cybersecurity and future developments, and some exciting research projects he is currently involved with. 

Infosecurity Europe: How has the role of academia in cybersecurity evolved during your career?

Steven Furnell: Fundamentally we have seen greater recognition of the topic, in both teaching and research. To use the former as an illustration, when I started out, there was little on offer in terms of dedicated degree programmes (the MSc in Information Security at Royal Holloway being an obvious landmark from the UK and indeed international perspective). Now we have many universities offering specific, named programmes in cybersecurity, at both Bachelors and Masters levels.

We also have national recognition of many degrees through the certification programme run by the National Cyber Security Centre (NCSC), which I’m proud to say I had some role in supporting in the initial years of the programme. We also have a reference point against which academic programmes can map their coverage, via the Cyber Security Body of Knowledge (CyBOK), where again I had some early involvement and now sit on the Steering Group.   

IE: In what areas of cybersecurity do you think academia can have the biggest impact in the coming years?

SF: I think one of the fundamentals for what might be seen as mainstream cybersecurity is helping to increase interest in the topic, and the pipeline of related graduates into the profession. This doesn’t mean that they all have to come from dedicated/named cybersecurity programmes, and there are plenty of relevant skills that can come from more general computer science degrees that still include some tangible cyber coverage within them. 

However, there is perhaps a broader contribution to be made, that will help to promote cybersecurity more generally. The academic coverage of cybersecurity is still very much aligned to computer science as a parent discipline. While this is understandable in terms of how the provision is likely to have evolved, it’s still a limited view, with the knock-on that students studying in other disciplines where cybersecurity is likely to be relevant (e.g. accounting and business, criminology, engineering) are certain to encounter significant coverage of it.

Indeed, a colleague and I have recently done a study of this, looking at a sample of undergraduate degrees from a range of universities, and it is very rare to find cybersecurity (or related issues such as cybercrime, data privacy etc.) being significantly covered as core topics within the non-computing programmes that we looked at. It sometimes pops up in the guise of optional modules, or a one-off lecture within a wider series, but in general the picture feels rather limited.

There is also a role to play for academia to support graduates in all disciplines to achieve basic cybersecurity literacy so that they are ‘workforce ready’ when they leave university and do not depend upon their employers to cover the fundamentals. 

At present, we appear to face an ongoing challenge of organisations being underserved in terms of cybersecurity awareness and education for staff, which in turn leads to an ongoing problem of people-centric incidents and breaches. If academia were to have an increased role in specifically boosting cybersecurity literacy within or alongside wider digital literacy, then there would be a chance to prevent successive generations of new staff adding to the problem.

IE: During Infosecurity Europe 2023, you spoke on the keynote stage about cybersecurity risks and companies’ readiness. What were the key learnings from this session in your view?

SF: Yes, this was a fun session and there were quite a few thoughts arising from it that we then wrote up in a Q&A piece for Infosecurity Magazine. I think a key point is that more can be done to prepare and protect ourselves than many organisations currently seem to be doing. My reference point for much of the panel discussion was what we can observe from sources such as the current Cyber Security Breaches Survey, and the fact that there are notable shortfalls in various areas of protection that we ought to be seeing as baseline.

Moreover, even where a greater level of attention is given to security, cyber readiness means more than simply achieving compliance to a standard or conducting a risk assessment. There needs to be a level of agility and adaptability, while ensuring that the need for security is properly understood (and appropriately prioritised) in the context of the business.

IE: You are leading a research project that is designed to help businesses understand and improve their cybersecurity and streamline access to targeted support. Could you tell us about the inspiration for this project and how it will work?

SF: Yes, we have a new EPSRC-funded project starting between the University of Nottingham, Queen Mary University of London, and the University of Kent, with partners including the Home Office, ISC2, IASME, three Cyber Resilience Centres, and the Centre for the New Midlands. 

The idea for it actually came from some prior small-scale work that I’d done with some previous MSc students over the years, where we’d looked at the nature of security advice available to consumers (e.g. via high street stores). This prompted me to think about what things looked like from the SME perspective, where there is often a lack of in-house expertise in IT, let alone in cybersecurity.

Therefore, my co-investigators and I have framed a project around initially investigating the SME experience, and the nature of the various sources of advice and guidance available to them, and then leading to the design and evaluation of a new approach that we have termed ‘Cyber Security Communities of Support’ (the core idea being the establishment of locally-focused communities of SMEs, through which they can receive guidance from qualified advisors and peer support from other SMEs). At the time of writing the project is right at the initial stages, but we expect to have interesting findings to share over the next two and a half years.


