Research and Reports - CREST
https://www.crest-approved.org/knowledge-hub/research-reports/
CREST is an international not-for-profit, membership body representing the global cyber security industry.
Fri, 05 Jan 2024 11:33:56 +0000

Research and Reports
https://www.crest-approved.org/research-and-reports/
Wed, 20 Apr 2022 09:15:12 +0000


Research Reports & Position Papers

How to Deliver Quantitative Analysis – The Quantitative Assessment of cyber risk is an increasingly common and important discipline in cyber security. More and more people need to assess the cyber risk associated with companies accurately, quickly and at scale. This guide sets out a new methodology and explains what best practice looks like.

Cyber Security Awareness Best Practice Guide: Engaging Communities through Digital-First Sustainable Campaigns – This guide provides practical advice on how to effectively engage all communities through digital-first sustainable campaigns.

Fostering Financial Sector Cyber Resilience in Developing Countries Good Practice Guide – This new Good Practice Guide from CREST, written by Wiebe Ruttenberg, Director of Strategy at SecAlliance, describes the need for different kinds of testing, dependent on the cyber maturity of the nation, authority or organisation. This guide is part of the CMAGE project.

GATES Inclusion and Diversity Guide – CREST has launched its latest best practice guide, describing how to foster greater equity, inclusion and diversity (EID) as part of national cyber security strategy. This good practice guide delivers practical information for government departments charged with developing not only a National Cyber Security Strategy (NCSS), but a more diverse, inclusive NCSS.

SOC Critical Function Guide – There is a clear and urgent need for organisations to step up and take control of the ever-evolving threat landscape, but a Security Operations Centre is still a relatively new term. This guide will help you understand what a SOC is, what it does, and the different types of security operations centres.

Women in Cyber – Stories Uncut – After moderating a gender workshop at CREST’s ‘Access to Cyber’ day in autumn 2021, Eleanor Dallaway shares a whitepaper about gender diversity.

Establishing an Effective Law Enforcement Cybercrime Unit – Technology is transforming the world, but in many countries, the most common crime is now a cybercrime of some description. This good practice guide is designed to help countries develop capabilities to combat the threat from cybercrime and help citizens build more prosperous and secure lives for themselves, their families, and their communities.

Developing and Implementing Cybercrime Prevention into the CREST Cyber Security Ecosystem for Asia and Africa – The Cybercrime Prevention fire has been lit. The capacity for developing an international Prevent network is now in place and being progressed through Europol initiatives being led by the Netherlands. This good practice guide outlines how to design, develop and deliver a Cybercrime Prevention programme. It aims to be an off-the-shelf manual for establishing cybercrime prevention as part of a National Cyber Security Strategy or equivalent policy.

Global Intelligence Led Penetration Test Frameworks – The global proliferation of Intelligence Led Penetration Testing (ILPT) frameworks across all industry verticals since 2014 has seen massive increases in regulatory understanding of common vulnerabilities in organisational cyber resilience. This paper identifies common themes for Tier 1 firms and provides suggestions on how ILPT frameworks might be improved, along with indicators as to how they are perceived by customers and delivery consultants.

Cyber Threat Intelligence in a business context – The CREST Threat Intelligence Professionals (CTIPs) group has released a guide to finding the right Cyber Threat Intelligence (CTI) partner for different businesses. The free guide helps organisations to get the most out of CTI to better meet their security challenges, minimise the impact of cyber-attacks and maximise the return on investment.

Neurodiversity in the Technical Security Workplace – CREST’s most recent research has indicated that more needs to be done to attract and develop neurodiverse people in the technical security industry. We must have workplace environments and culture that enable their fundamental needs to be met. The report looks at recommendations and actions to support this effort.

Exploring the Gender Gap in cyber security – CREST’s latest report on this topic looks at any progress that has been made and more importantly, questions what still needs to be done to improve the diversity balance in the cyber security industry.

Physical Disability: Addressing the accessibility challenges faced in a technical security career – This report published by CREST highlights the issues faced by physically disabled people wanting to work in cyber security. It also highlights what the industry needs to do to attract more physically disabled people in order to help fill the acute shortage of skills.

Stress and Burnout in the cyber security industry – This report published by CREST looks for solutions to the increasing problems of stress and burnout among many cyber security professionals, often working remotely in high-pressure and under-resourced environments.

Bug Bounties – Working Towards a Fairer and Safer Marketplace – With rapid growth in the bug bounty marketplace, the CREST Bug Bounties Report explores good and bad practice to establish how to better understand bug bounty programmes and how they fit into the wider technical assurance framework. It also highlights the need to provide advice to buyers of bug bounty services and protect the interests.

CREST and NCA Cyber Crime Report – CREST member companies met the National Crime Agency’s National Cyber Crime Unit (NCA NCCU) to assist in their efforts to prevent young people being tempted to participate in illegal online activities. The discussion paper is now available.

Industrial Control Systems Technical Security Assurance – This Position Paper presents the findings from a CREST project on the Technical Security Assurance of Industrial Control Systems (ICS). It is based on detailed research and includes insights, commentary and analysis garnered from subject matter experts through: Requirements and validation workshops held at CREST member facilities; Desktop review of published literature on ICS security; and ICS security testing.

Closing the Gender Gap in Cyber Security – CREST releases report exploring the reasons behind the lack of gender diversity in cyber security and looking at ways to drive change.

Top Tips for Diversity & Inclusion
https://www.crest-approved.org/top-tips-for-diversity-and-inclusion/
Wed, 20 Apr 2022 09:01:49 +0000


Stress and Burnout

CREST has developed its top tips for tackling stress and burnout in cyber security. As the industry has long been associated with excessively high levels of stress, CREST has identified a number of tips that will help to prevent and mitigate stress and burnout when working in cyber security.

You can download CREST’s top tips for tackling stress and burnout in cyber security here:
CREST Top Tips for Stress and Burnout


Women in Cyber Security

CREST has developed its top tips for recruiting more women into cyber security. With industry initiatives so far showing limited impact, it is clear that there is no fast fix for encouraging more women to enter the cyber security industry. CREST has identified a number of ongoing processes that could go a long way to improving the situation, if implemented by members and the wider industry.

You can download CREST’s top tips for recruiting more women into cyber security here:
CREST Top Tips for recruiting more women in cyber

To view a video explanation of the tips go to: https://youtu.be/7DetZlbQgxA

These tips were identified as a result of CREST’s Access to Cyber Security workshops held in July 2020. For more information on these workshops and how you can get involved in 2021, please contact marketing@crest-approved.org.

Articles and White Papers
https://www.crest-approved.org/articles-and-white-papers/
Wed, 20 Apr 2022 08:55:22 +0000


July 2019: Disruptive Delivery Methods In Penetration Testing

For some time, CREST has been looking into the impact of disruptive delivery methods on penetration testing services. In particular, CREST has been trying to understand the implications that these methods have on the buying communities, existing suppliers of services, individuals delivering services and legal and regulatory requirements in a balanced, considered and collaborative way.

You can download a paper that describes this in more detail here: Disruptive Delivery Methods In Penetration Testing

We would welcome your comments; please send them to marketing@crest-approved.org.


February 2019: Cybercriminals get better at marketing

CREST discusses what Chief Information Officers (CIOs) can learn from cybercriminals when it comes to mitigating risk and how Chief Marketing Officers (CMOs) can pick up some marketing tips.

July 2018: Connected and Autonomous Vehicles Report

The autonomous vehicle industry has shown interest in understanding how vehicles can be resilient to cyber-attack, but this interest has not been translated into practical advice, agreed standards, or funding for research. This paper aims to highlight the broad issues and offer solutions to the industry. Discussions around security in the industry have been primarily concerned with access control to the vehicle, authentication and data management as manufacturers are waiting for the technology to become more prevalent before addressing cyber security. However, this will ultimately cost more and result in more vulnerabilities than building resilient systems from the beginning.

Download the report here: Connected and Autonomous Vehicles Report
