You are here: Home Contents V19 N1 V19N1_Furnell.html
Personal tools

Assessing Organizational Awareness and Acceptance of Digital Security by Design



Full text

Journal of Information Systems Security
Volume 19, Number 1 (2023)
Pages 318
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Steven Furnell — University of Nottingham, UK
Maria Bada — Queen Mary University of London, UK
Joseph Kaberuka — University of Nottingham, UK
Information Institute Publishing, Washington DC, USA




A significant proportion of attacks on current systems are facilitated by the exploitation of vulnerabilities inherent in the underlying design of the technology concerned or components within it. As such, there is now significant focus on the issue of enabling Security by Design; building in the protection from the outset and avoiding vulnerabilities at source. Related initiatives are now in progress to deliver hardware technologies that would form the foundation for future devices, but questions remain over the understanding and readiness of potential adopters to recognize and implement the resulting approaches. This paper reports upon a survey that was undertaken as part of a funded project to investigate organizational awareness and acceptance of the Digital Security by Design (DSbD) concept. Detailed responses were received from over 70 UK-based organizations, with the respondents themselves largely coming from a security background and in strong general support of the principle of maintaining cyber security. As such, the findings provide a relevant insight into whether an already pro-security group would be willing to go further in terms of their security commitment. The findings reveal that while the generally positive perspective prevails, there is currently relatively limited awareness of DSbD itself, and a variety of challenges that may be faced in promoting the adoption in practice. At the same time, there is general support for more effort to be made to incentivize and to some extent require the use of DSbD-technology once it becomes more widely available.




Digital Security by Design, Cyber Security, Security Features.




Benson, V., Furnell, S., Masi, D. and Muller, T. (2021). Regulation, Policy and Cybersecurity: Hardware Security. Final Project Report. Discribe Hub+, September 2021.

DCMS. (2018). Code of Practice for Consumer IoT Security. Department for Digital, Culture, Media and Sport, October 2018.

DSbD. (2022). “More companies across the UK join Digital Security by Design to test and learn from prototype cybersecurity technology”, Press Release, Digital Security by Design, 5 December 2022.

DSbD. (2023). “About Digital Security by Design”, Digital Security by Design. (accessed 27 February 2023).

Ipsos. (2022). Cyber security in enterprise connected devices. Department for Digital, Culture, Media and Sport, 9 May 2022.

Levine, E.V. (2021). “The Die Is Cast”, Communications of the ACM, 64(1), pp56-60.

NCSC. (2018). “Secure by Default”, National Cyber Security Centre, 7 March 2018.

Srinidhi, B., Yan, J., and Tayi, G.K. (2015). “Allocation of resources to cyber-security: The effect of misalignment of interest between managers and investors”, Decision Support Systems, 75, pp49- 62.

Straub, D.W. and Welke. R.J. (1998). “Coping with systems risk: Security planning models for management decision making”, MIS Quarterly, 22, pp441-469.

Tomlinson, A., Parkin, S. and Shaikh, S.A. (2022). Drivers and barriers for secure hardware adoption across ecosystem stakeholders, Journal of Cybersecurity, Volume 8, Issue 1,

Tversky, A. and Kahneman, D. (1974). Judgment under Uncertainty: Heuristics and Biases, Science, 185, pp1124- 1131.

UK Parliament. (2022). The Product Security and Telecommunications Infrastructure Act 2022. 6 December 2022.

Woodruff, J., Watson, R.N.M., Chisnall, D., Moore, S.W., Anderson, J., Davis, B., Laurie, B., Neumann, P.G., Norton, R., Roe, M. (2014). “The CHERI capability model: Revisiting RISC in an age of risk”.