Mind the Security Gap : Evaluating the Effectiveness of the UK Cyber Essentials Scheme and its Suitability for Large Enterprises
Cooper, Andrew and Thomas, Daniel (2023) Mind the Security Gap : Evaluating the Effectiveness of the UK Cyber Essentials Scheme and its Suitability for Large Enterprises. Masters thesis, Computer And Information Sciences.
Full text: Cooper-CIS-2023-Mind-the-security-gap-evaluating-the-effectiveness-of-the-UK.pdf (final published version, 1MB), licensed under Strathprints license 1.0.
Abstract
The Cyber Essentials scheme was launched in 2014 to help businesses in the UK demonstrate that they had effective basic security controls in place. Later that year it was made a mandatory requirement by Crown Commercial Service for certain central government contracts, and it is used today as an independent measure of assurance by public bodies such as the Ministry of Defence and the Scottish Government. Despite this, there have been high-profile compromises at UK organisations that held Cyber Essentials at the time of their attack. The aim of this research is to discover what could allow a low-level internet threat to bypass the Cyber Essentials controls which, after all, are designed to prevent such an attack from occurring. Is it the controls themselves, the requirements, scoping issues or the audit? Cyber Essentials is intended to be a universal scheme, applicable to organisations regardless of size. Despite this, there have been criticisms of scaling issues, which have been dismissed in blog posts by NCSC. The main theme of the research was therefore to examine whether there is something to these criticisms: does the scheme have fundamental issues when applied at scale which could allow a low-skill attack to occur? And since large public sector bodies mandate it from suppliers and the organisations they do business with, are there issues with using it as an independent measure of assurance? A survey of large organisations was carried out to gather views on the pros and cons of the scheme and to help identify any issues they have with scale or assurance. These findings were then used to inform a literature review of the scheme documentation. This featured a methodical examination of every question related to scope and the security controls in Cyber Essentials, and an examination of each test in Cyber Essentials Plus. To provide further context, an interview with a former Cyber Essentials assessor was carried out, which helped identify further issues in the assurance process.
The research found that neither Cyber Essentials nor Cyber Essentials Plus could be used as an independent measure of assurance and that both had issues when applied at scale. 17 recommendations have been made which, if implemented, would dramatically improve the scalability of the scheme and the assurance it offers. Despite these recommendations future work should be carried out to consider whether the scheme actually addresses modern low-skill cyber threats.
Item type: Thesis (Masters)
ID code: 88520
Dates: 21 June 2023 (Published)
Subjects: Science > Mathematics > Electronic computers. Computer science > Other topics, A-Z > Human-computer interaction
Department: UNSPECIFIED
Depositing user: Pure Administrator
Date deposited: 21 Mar 2024 09:47
Last modified: 22 Dec 2024 01:39
URI: https://strathprints.strath.ac.uk/id/eprint/88520