Funded by the ESRC InterAct network, City academics begin a £50,000 research project to investigate how employee behaviour can be changed to reduce cyber threats within the manufacturing industry.

By Mr Shamim Quadir(Senior Communications Officer), Published

Started this month, a new research project at City, University of London is investigating how employee behaviours can be changed to reduce cyber threats within the manufacturing industry.

Funded by a £50,000 award from the Economic and Social Research Council (ESRC) InterAct network through its open call, including for ‘Resilience, productivity, and sustainability’ projects, it was awarded to an academic team from the Department of Engineering, School of Science & Technology, and Department of Psychology, School of Health & Psychological Sciences.

Targeting the Manufacturing Industry

According to the annual X-force IBM Threat Intelligence Index Report, manufacturing has climbed the ladder of most cyber-attacked industries in the world in recent years, and at a worrying pace.

In 2019, the X-force IBM report ranked manufacturing as the eighth most cyber-attacked industry in the world. In 2021, manufacturing was ranked second, and this year it took the top spot.  Most of the current cyber threats in the manufacturing industry tend to come from ransomware, supply chain attacks, and Intellectual Property (IP) theft.

Car production line with robots operating upon car chassis

A prime example of a successful cyber-attack affecting the industry was in 2017, when Renault Nissan fell victim to the global, WannaCry ransomware attack which stopped the production in five plants in France, Romania, Slovenia, India and England.

In recent years, manufacturers have been massively connecting their operational technology (OT) including industrial control systems and supervisory control and data acquisition systems with ‘internet of things’ sensors and devices using the internet or an internal network.

While these innovations can open new, digital doors for malicious cyber-attackers, a key factor in cyber security remains human behaviour and error.

A recent cyber security report by UK Government’s Department of Culture, Media and Sport suggests that only 11% of businesses in the UK provide cyber security training to non cyber security employees. Furthermore, a recent report from the UK Information Commissioner’s Office (ICO) suggests that human error was behind 90 per cent of cyber data breaches in the UK in 2019.

However, despite much work being done to understand the health and safety culture of organisations to date, there had been little research aimed at understanding cyber security culture, especially of manufacturing organisations.

Photo of an automative mechanic using a laptop under the hood of an open car bonnet, near the motor area.

The RESTRAIN project

Professor Rajarajan provides cyber-security expertise on the project, while Dr Katy Tapper, Reader in Psychology at the Department of Psychology and expert in behavioural change, leads on aspects of the project that relate to psychological theory and research methods. Professor Rajkumar Roy, Executive Dean of the School of Science & Technology, brings his expertise on digital manufacturing to all aspects of the project, including his links with industry collaborators.

The project involves four key phases:

  1. Defining target employee behaviours and their relative importance using a Delphi approach with relevant industry experts to identify employee behaviours that represent a security risk and to weight these according to the level of risk they represent.
  2. Identifying potential barriers to behaviour change through focus groups with employees to explore reasons for engaging in / refraining from the behaviours identified in Phase 1.
  3. Developing and testing an employee security readiness index, by developing a questionnaire aimed at providing organisations with an overall score of their cyber-attack readiness and identifying key areas of weakness.
  4. Identifying relevant solutions through a literature and ‘best practice’ review to identify evidence-based interventions that have been shown to influence cyber-security behaviours. For example, where lack of motivation has been identified as a barrier, interventions that target motivation will be highlighted as possible solutions.

The final project outcome should be a tool that can be used by organisations to evaluate their cyber-security weaknesses and direct them toward appropriate solutions, and be suitable for use in all UK digital manufacturing industries.

With further development, it is hoped the tool could also be scalable for use across all organisations where a potential cyber-attack is of concern.

Head and shoulders photo of Professor Muttukrishnan RajarajanMuttukrishnan Rajarajan, RESTRAIN Principal Investigator and Professor of Security Engineering & Director Institute for Cyber Security at the Department of Engineering, City, University of London 

Principal Investigator on the project, Professor Muttukrishnan Rajarajan, said:

Manufacturing is a sector that has not kept up to speed with the cyber security challenges due to digital transformation. This project is a first of its kind to address the employee behaviour change to influence the cyber hygiene within manufacturing industries.

Co-investigator, Dr Katy Tapper said:

“This is an exciting opportunity to apply psychological principles of behaviour change to a cyber security context.”

Co-investigator, Professor Rajkumar Roy said:

“UK Manufacturing companies are increasingly experiencing cyber-attacks for their process knowledge and parameters or to interrupt their production processes. It is known that lack of awareness among employees often allow the cyber-attacks to happen. This timely research will establish an initial evidence base on how employee behaviour could influence the cyber resilience of a manufacturing company."