Characterising Assurance: Scepticism and Mistrust in Cyber Security

Matt Spencer, University of Warwick

Journal of Cultural Economy 2022

Link to paper: https://www.tandfonline.com/doi/full/10.1080/17530350.2022.2098515

Gaining confidence in the security of technical products is a persistent challenge for cyber security practitioners, and a domain in which government assurance schemes have traditionally played a key role. But the idea that security can be treated as a kind of measurable quality, and assessed and certified, has attracted considerable scepticism in recent years. Driven by this scepticism, assurance thinking has shifted towards the anticipation of products in their contexts of deployment.

This paper examines cyber security assurance discourse in the UK. It develops an analysis of the stories told by practitioners about what is wrong with traditional assurance, and asks what these stories ‘do’, how they enact mistrust and create the conditions for change. The paper focuses on the characters that populate these stories, the deceivers and dopes, box tickers and enlightened critical thinkers, and argues that it is around the characterisation of assurance that future debates in the field are likely to coalesce.