The government’s Cyber Security and Resilience Bill aims to strengthen national security and boost cyber protections for the services that people rely on every day. In this article, Professor Daniel Dresner outlines how a sociotechnical approach to cyber security can be used to target vulnerabilities in the cyber ecosystem.
- 7.7 million cybercrimes have been experienced by businesses alone over the past year – affecting around half of all businesses in the UK.
- These crimes cost billions of pounds a year and cause emotional and psychological distress to their victims.
- According to the National Audit Office, the government has not improved its cyber resilience fast enough to meet its own target, and the cyber threat to the UK is advancing quickly.
Why is the UK vulnerable?
Frameworks for good cyber practice already exist in the UK through, for example, guidance set out by the International Standards Organisation (ISO) and the National Institute of Standards and Technology (NIST). Good practice is also helped by those adhering to the principles of Cyber Essentials – a UK Government-backed certification scheme designed to keep businesses and their customers safe from cyber-attacks, and recommended by the National Cyber Security Centre as the minimum standard of cyber security for all organisations.
Successive governments have been working for at least a decade to build the UK’s cyber resilience, including publishing a strategy for improving government organisations’ cyber security in January 2022. This strategy included a target for key government organisations to be “significantly hardened to cyber-attack by 2025”. However, according to the National Audit Office, the government has not improved its cyber resilience fast enough to meet this aim and the cyber threat to the government – and the UK – is severe and advancing quickly.
Lessons to learn?
The WannaCry ransomware incident of 2017 – the largest cyber-attack to affect the NHS in England to date, disrupting at least 34% of trusts in England – remains a clear case study in the attribution, not of responsibility or accountability, but of blame. Linguistic analysis of the ransom note first apportioned blame to other nations, with blame also falling on the US National Security Agency (NSA) and on the software vendor itself, Microsoft.
Key messaging in the aftermath blamed the attack on a lack of investment to upgrade systems to remove vulnerabilities in the software. This messaging was precariously balanced against the expectation that cyber security lies wholly with the ‘IT departments’ and their responsibility to patch systems.
More recently, the large-scale cyber-attacks on Marks & Spencer, Co-op, and Harrods in Spring 2025 sent widespread shockwaves throughout the UK and formed part of a broader wave of targeted threats aimed at large, digitally integrated retail and logistics networks. These attacks succeeded through a cunning combination of social engineering and credential exploitation. They are a stark reminder of the UK’s cyber vulnerabilities and of the growing need to secure all organisations against the economic, personal, and societal risks that follow cyber-attacks.
The standard cyber ecosystem
Within the standard cyber ecosystem, ‘non-functional’ aspects of technology which require attention often go unnoticed until a significant issue arises. Even then, essential elements such as safety, reliability, availability, resilience, and security – fundamental for system trustworthiness – may be neglected by those who do not prioritise or recognise their importance. This shifts the responsibility and accountability solely onto cyber security professionals, who are often perceived as indistinguishable from general IT personnel. The perception that cyber security is about data protection should shift towards a perception of protecting people, while also recognising that bad actors counterbalance the laudable community of companies offering cyber security products and services (emphasised also in the last iteration of the National Cyber Strategy in 2022).
Technical debt, and its impact
Technical debt refers to the accumulation of unresolved vulnerabilities and risks in an organisation’s information systems, due to choices made to prioritise speed, convenience or money, over good security practices. Technical debt represents the further cost of addressing these issues, which can manifest as increased security risks, higher maintenance costs, and potential breaches. This includes, but is not limited to, the real or implied cost of:
- engineering security and other ‘non-functional’ requirements into systems where security threats were paid little heed, and
- ‘patching’ systems that require fixes to functional issues (to avoid the use of compromising workarounds by people who – with no malice – just want to ‘get the job done’) and to non-functional issues (including usability and security).
Paying off this technical debt can move vulnerable systems out of a period of inevitable cyber security risk. The bill will only be settled when systems are considered as a ‘sociotechnical whole’, and when costs are considered over their whole lifetimes rather than just for immediate deployment and a token period of support.
How to pay off the technical debt
A sociotechnical approach to cyber security considers how people and technology interact to shape cyber security risks and outcomes. This approach ensures that the technological components of a system are not considered without the sociological context in which the system is deployed, which can then be targeted to remove vulnerabilities across its ecosystem.
With the expertise and co-creativity that exists between government, agencies such as the National Cyber Security Centre, industry, and academia, it should be possible to design and roll out a sociotechnical ‘levy’ to settle much of the technical debt which exists in the UK’s cyber ecosystem. There needs to be a redistribution of attitude, knowledge, capability, and capacity for good cyber security practice.
In monetary terms, this could lead to selective incentives being set for some modest tax credits. In practice, this levy could include a mix of actions involving government, businesses, and universities, all working together with the wider community. Time, money, tax breaks, grants, and other funding would be deployed to fix old technical problems – whilst being tracked and measured, in line with the National Cyber Security Centre’s goal of making the UK the safest place to live and work online. This levy is about nurturing capability, and the upcoming Cyber Security and Resilience Bill provides an excellent opportunity for this to be focused and embedded.
As emphasised in my contribution to the development of the first cyber security strategy in 2009, it remains imperative that devaluing data is one of the pathways to making cybercrime less rewarding. Data is by its nature devalued if it cannot be used alone, weaponised, and monetised (as evidenced by the uselessness of a password by itself when a second authentication factor is required). We might find ways of making the theft of certain data less alarming and therefore reduce its value as a basis for extortion.
Managing risks in the supply chain is becoming harder. Because supply chains are so interconnected – and often poorly understood – we need smart rules. These are familiar concepts in engineering, complemented by the actionable feedback described by cybernetics. Identifying and better managing these risks should begin with closer collaboration between major companies and their suppliers. Government has a role as facilitator, getting collaboration coursing through its supply chains and spilling out into other sectors and communities until cyber security collaboration becomes national ‘business as usual’.
Research at The University of Manchester is informing the development of holistic, sociotechnical cyber environments, drawing on techniques from cognitive psychology, on an individual’s level of trust in digital systems, and on new verification techniques that provide evidence of the trustworthiness of digital systems. Working in partnership with like-minded institutions across the north-west, our research is changing the cyber security paradigm to one of safety and growth rather than fear. There are lessons to be learned from work happening at the local level that central government can encourage. Greater Manchester had an established cyber ecosystem well before this became an indicator of success under the national strategy.
There is an urgent need to move systems vulnerable to undesirable cyber activity out of the period of inevitable risk in which the UK is sorely embedded. However, in a world where we must trade with our adversaries on the one hand and defend against them on the other, security is the reality of the age and a guarantor for our future.
Our adversaries do not hesitate to take advantage of each other’s complementary skills and resources. The law of requisite variety demands that we do likewise or lose the challenge of cyber security forever.