Moving From Research to Practice

Moving cybersecurity research into practice is often difficult, for many reasons.

I decided to look at another field with similar issues, medicine, and read a few papers on the topic. These papers include:

  • Glasgow, Russell E., et al. “The future of health behavior change research: what is needed to improve translation of research into health promotion practice?” Annals of Behavioral Medicine 27.1 (2004): 3-12.
  • Berwick, Donald M. “Disseminating innovations in health care.” JAMA 289.15 (2003): 1969-1975.
  • Glasgow, Russell E., and Karen M. Emmons. “How can we increase translation of research into practice? Types of evidence needed.” Annual Review of Public Health 28 (2007): 413-433.

These papers examine the barriers medical research faces before it becomes clinical practice. Each paper considers a different set of barriers, but I was interested in one finding that all three share.

The complexity of a research result is a key predictor of whether doctors will readily integrate it into practice. The more complex the result, the harder it is to move from a research environment into clinical practice. Since doctors and nurses are under pressure to provide more and more care to patients with fewer resources, the addition of a complex procedure is often resisted.

Can we apply the same finding to cybersecurity?

Yes and no. It depends on how we define complexity, which is itself tricky. Do you add complexity when you buy an entirely new defensive system, or is that just a matter of expenditure? If we define new procedures that users must follow to avoid certain attacks, is that complexity? The details of what makes something complex will not transfer directly from medicine to cybersecurity.

We can, however, take lessons from medicine and apply them to cybersecurity. For example, the perceived benefit of a change has a lot to do with its adoption, and that intuitively seems to apply to cybersecurity as well. If a change is complex but promises to defend your organization from all phishing attacks, then the complex change may be worth the mental cost of understanding it. But we have very few such broad assurances in cybersecurity. It is perhaps safest to look for simple, explainable improvements.

This is a topic we need to study further so that we can understand which difficulties are present and how we can do better. DTRAP wants to bridge the gap between researchers and practitioners, and I believe this is an important part of that.
