Celebrating Experts in Human Aspects of Cyber Security: Professor Debi Ashenden

On the International Women's Day many websites suddenly remember that women as well as representatives of other underrepresented groups are doing cool work in different fields, posting lists and summaries. In contract to the convention, at CyberBitsEtc, we decided to provide an in-depth view on the life and achievement of 5 inspirational women throughout this week, not only giving you links to follow, but explaining why these women are awesome and why they do groundbreaking work (with references to their talks, books, and articles!).

I have not seen these women on any power lists, which, in my own personal view is really unfair. They are unsung heroes, who help us get one step closer to understanding behavioural aspects of cyber security. This is not a ranking of any kind and it is heavily skewed towards my personal interests in cyber security. However, these are scholars and practitioners, whose work I can recommend to read, follow and admire. Because these women are worth it! And they are worth it not because they are women, they are worth it because they are really best at what they do.

Today's spotlight is on Professor Debi Ashenden!

Debi is currently based in Australia and is DST Group-University of Adelaide Joint Professor in Cyber Security. You probably never heard Debi's name, but I can assure you that you have almost definitely in some form or other used the output of her research or are familiar with Debi's students (some of them work in the UK's Cabinet Office as well as in many important international organisations defining the field of cyber security as we speak). Debi has been working in cyber security since 1998. She is one of the experts, who laid the foundations of cyber security as a behavioural science. Her research seeks to understand and challenge assumptions about how we do security as humans and how humans collaborate with machines and algorithms on cyber security. Using organisation psychology, criminology and research on security, she has looked at why employees may (intentionally or unintentionally) breach security rules, what determines cyber security risk, and how cyber security threats could be mitigated in organisations. She has previously carried out research funded by many organisations and agencies in the UK such as EPSRC, ESRC, Technology Strategy Board, Home Office, Fujitsu, Police IT Organisation, MoD, DTI, Cabinet Office, Dstl, GCHQ, and currently works on several important projects in Australia.

Debi coined the term "patching with people", which, in contrast "patching with technology" means understanding cyber security from the human perspective and training people to better recognise and anticipate cyber security risks. Read, for example, Debi's article "The Human Shield" on how modern cyber attacks, due to their uncertain nature as well as the extensive use of social engineering, require "empowered" people, capable of "defend[ing] [the] front line". The article was written in 2016, yet, it is still very relevant and topical today. Debi also co-wrote one of the most important books in cyber security risk management, titled "Risk Management for Computer Security: Protecting Your Network and Information Assets", where together with her co-author Andy Jones she beautifully explained the challenges of applying standard risk assessment and risk management tools in the world of cyber threats, where businesses as well as public sector organisations have to deal with "unknown unknowns".

Debi's research is very practice-oriented and, often, co-designed and co-created with practitioners. Her findings have also made significant impact in many industries ranging from defence and security to finance and media. The secret to Dabi's successful engagement with practice is perhaps that she started her career in the private sector. Before becoming an academic, she was a Managing Consultant at QinetiQ (formerly DERA). Academically, Debi initially studied literature and has a BA (Hons) in English Literature as well as MA in Victorian Literature, but then switched to STEM, successfully completing an MSc in Computer Science, an MBA and receiving a PhD in Computer Science from University College London (UCL). She was previously Head of the Centre for Cyber Security at Cranfield University at the Defence Academy of the UK. She was also Professor of Cyber Security in the School of Computing at the University of Portsmouth, where she led the Centre for Research and Evidence on Security Threats (CREST) protective security and risk programme. Here is a rare video of Debi speaking about her work at CREST:

Before joining the University of Adelaide, Debi held a position of Professor of Cyber Security and Human Behaviour at Deakin University. Here is a sample of her work from her time at Deakin published by The Conversation and titled "Digging your own digital grave: how should you manage the data you leave behind?", where she discusses the importance for individuals to keep track of their self-generated data and to manage their digital footprints.

Debi has a broad range of commercial and public sector consultancy experience and a research interest in the psychological and sociological issues of cyber security. She has worked extensively across the public and private sector for many organisations in the UK such as the MoD, Cabinet Office, Home Office, Euroclear, Prudential, Barclaycard, Reuters, and Close Bros, to name a few. She has a number of cool articles on cyber security published, which I really encourage you to read. The best way to do that is to go to her Google Scholar page, where you will find many brilliant pieces of her work as well as links to many full texts. Debi is also a frequent speaker at many important cyber security conferences. If you happen to be in Adelaide at the end of March 2021, you might be lucky to hear a less formal talk by Debi titled: "Cyber security and power relationships; how states disadvantage themselves by focusing on the security of technology at the expense of the security of the citizen". The sign-up page for this talk is here.