MSc Assignment 4 - Open Professional Practise - Cyber Security
I'm doing an apprenticeship MSc in Digital Technology. In the spirit of openness, I'm blogging my research and my assignments.
This is my paper from the OPP module - where I can choose any subject. I picked Cybersecurity. You can read my Digital Leadership paper, my Data Analytics Paper, and my Business and Technology essay.
I've previously written about the Art of Hacking course. The middle two parts of this paper are about that - why I chose it and how I put it into practice. The first and fourth parts are, as far as I can tell, unrelated. We have to write about reflection in the workplace. I am not very introspective, and I don't really enjoy it. So it was somewhat tedious to churn out.
Nevertheless, I was happy with a mark of 64%. (In the English system 50% is a pass, 60% is a commendation, 70% is distinction.)
The main feedback was that I needed to do more reflection (ugh!) and write in more flowing paragraphs rather than staccato points. This is a consequence of my Assignment Writing Algorithm - which reverse engineers the marking scheme. But I'm only aiming for a pass, so I'm content to stick with that strategy.
Oh, and the other feedback was that my Personal Development Plan was a little "unorthodox"! Again, I've no real plans to change something which is working for me.
A few disclaimers:
- I don't claim it to be brilliant. I am not very good at academic-style writing.
- It is fairly inaccurate. Many of the concepts on reflection were not relevant to my workplace, so there is a lot of fudging.
- This isn't how I'd write a normal document for work - and the facts have not been independently verified.
- This isn't the policy of my employer, nor does it represent their opinions. It has only been assessed from an academic point of view.
- It has not been peer reviewed, nor are the data guaranteed to be an accurate reflection of reality. Cite at your own peril.
- I've quickly converted this from Google Docs + Zotero into MarkDown. Who knows what weird formatting that'll introduce!
- All references are clickable - going straight to the source. Reference list is at the end, most links converted using DOI2HT.ML.
And, once more, this is not official policy. It was not commissioned by anyone. It is an academic exercise. Adjust your expectations accordingly.
Abstract
This paper describes the author's experience with reflection in the workplace and how modern forms of reflection can be applied in their current workplace. It considers different models of reflection, and their comparative strengths and weaknesses.
It also discusses the selection and application of a cyber-security focussed piece of Continuing Professional Development. The author reflects on their experience and discusses how they will adjust their nascent Personal Development Plan based on what they have learned.
Finally, the author considers the topic of mentoring as a way to bring reflective practice into their workplace. What advantages does mentoring bring to employees and organisations? Are reverse mentors a suitable way to upskill senior leaders? Is the organisation ready to support a culture of mentoring and reflection?
1. A critical review of reflective activities as typically practised in your profession compared to two well-known reflective models used in academia
Reflective Activity At Work
In the author's 20 years of industry experience they have never experienced any form of formal reflective activity within an organisation. In their experience, reflection rarely occurs in delivery-led organisations and, when it does, it is sporadic and informal. Although annual appraisals have long been a feature of the UK Civil Service (Fletcher, 2008), they can be treated as a "tick box" exercise rather than formal periods of reflection.
Although the author believes that this could be an area for improvement, there has been very little study of whether reflective practices in digital organisations are effective (Dors et al., 2020). The author cannot tell if this is either a cause or a symptom of the unpopularity of reflective activity.
The author's current organisation uses a modified form of Agile product management modelled on Scrum (Schwaber, 2004). Teams produce estimates of what can be delivered in a "sprint" (Popli and Chauhan, 2019), i.e. a time-bound period of work. At the end of a sprint, a retrospective takes place. This is an opportunity for colleagues to reflect on what went well during the sprint and what could have been improved (Andriyani, Hoda and Amor, 2017). A retrospective is a lightweight tool to enable teams to refine their estimates for the future and it may also help the team discover "blockers" (Guckenbiehl and Theobald, 2020) - i.e. people, processes, and events which disrupted or delayed the planned work.
In the author's organisation, what is being delivered is neither computer code nor technological features. Rather it is guidance, presentations, publications, and stakeholder engagement. The measurement of success is not as well defined as it is in the engineering profession. This makes more structured reflection difficult.
Well-known Reflective Models
The author will consider Johns' model for structured reflection (Johns, 1995). Although designed for the nursing profession, it is occasionally used in other industries. It focuses on internal and external views of the self. It helps the user describe the situation, how they reacted to it, and what influenced them. There is a strong focus on emotions - which some users may find challenging (Croom and Svetina, 2021).
A different perspective is provided by Moon's "Levels of Learning" (Moon, 2013) - focusing on a weakly-defined concept of "common sense". It is designed for individuals undertaking a learning journey rather than teams engaged in delivery. Much like Johns' model, it also focuses on understanding emotions.
The author has considered these three models and made a brief assessment of them:
Table 1 - Evaluation of three reflective models

| | Retrospective | Johns' model for structured reflection | Moon's levels of learning |
|---|---|---|---|
| Strengths | Lightweight. Fits in with common software development patterns. Well understood across Government. | Structured and reflexive. Includes ethical considerations. Focus on improvement and support. | Five step structured process. Useful for assessing learning. |
| Weaknesses | Rarely used across more than one sprint. Can dissolve into "blamestorming" (Dingwall and Hillier, 2015). | Focus on the individual - not the team. Might be too emotionally intense for the workplace. | Generic. No specific focus on unique issues encountered. Unsuited to software development or technical writing. |
While the retrospective has limitations, it enjoys strong support in the author's current organisation. It may be possible to improve the quality of a retrospective sprint assessment by applying rigorous statistical techniques (Erdoğan, Pekkaya and Gök, 2018). By comprehensively analysing the team's estimates and how well they match up with delivery, more reliable estimates could be obtained.
Johns' model might be useful for individuals who decide to engage in reflective practice. But the author considers it unsuitable for team-based reflection. The author's organisation strongly believes that "The unit of delivery is the team" (Barabas, 2020). This means that any form of reflective practice needs to be focused on the team rather than any particular individual.
Similarly, Moon's model may work well for individuals engaged in learning, but it is unsuited to facilitating teams to reflect on how well they have met their delivery goals due to its focus on individuals.
2. A reflective discussion of the selection of CPD in relation to the wider technical area, the context within your organisation, and your specific role
I am a Senior Technology Policy Advisor with a background in technology. Although I have extensive experience in cybersecurity, I did not have any formal training or qualifications. An assessment was made of my team's skills and weaknesses. An opportunity was identified to improve the credibility of the team's guidance by gaining demonstrable qualifications - for example, in cybersecurity.
With my extensive knowledge of cybersecurity - and my team's need of qualified personnel - I concluded that this course would be a suitable way for me to upskill while also meeting organisational needs. Given my ability to put this learning into practice, I thought it would enhance my retention of the knowledge. In Continuing Professional Development (CPD), the learner learns through an experiential process, then interrogates their experience, recognises what has occurred, and then puts their learning into practice.
This is often a cyclic process (Osterman and Kottkamp, 1993) which allows the learner to experiment, experience, analyse, and abstract.
Figure 1 - Experiential Learning Cycle (Osterman and Kottkamp, 1993)
As noted in my Personal Development Plan (See "Appendix: Professional Development Plan"), I am looking for interesting new career opportunities which may arise. Cybersecurity is currently an in-demand profession (Maurer et al., 2021) and I hope this certification will enable me to explore a wide range of roles in the future. I also hoped that this course would improve my knowledge of legal and ethical matters in the field.
Reflective Activities
In order to better reflect on the experience, I have written a series of blog posts. Some of these have been published on my personal blog (Eden, 2021). The resultant discussion from readers has highlighted that there were a number of outdated concepts and that some of the information taught was factually incorrect.
In order to improve my personal brand within the organisation, I have written a blog post for the Cabinet Office Intranet. Writing this has enabled me to reflect on how I want to be perceived in a formal and professional setting.
I was unsure if I wanted to be identified as an apprentice. I recognised there can be a negative perception around the academic rigour of apprenticeship degrees. I was concerned whether I could write honestly about my experience while still demonstrating value for money for taxpayers.
I was also nervous that discussion of "hacking" on a Government website could be seen as inappropriate. I sometimes struggle to write in the Government "House Style" and I was concerned that the technical discussion could be misinterpreted.
3. An overview of how the CPD has been applied within your own professional practice
3.1 An overview of the CPD
The CPD undertaken was "Certified in The Art of Hacking" (QA.com, 2021). For a full overview, see Appendix: CPD Course Description.
I will reflect on the experience using the DIEP model (Rogers, 2001):
Describe
A basic cybersecurity course. It covered an older version of the Open Web Application Security Project's "Top 10" issues (OWASP Foundation, 2017) - which is a list of common computer security vulnerabilities.
Interpret
While my background gives me confidence in cybersecurity, I wished to further develop my skills and gain formal recognition.
Evaluate effectiveness
I found the "rote learning" style of the class challenging. My preferred learning style is based around understanding concepts rather than memorising commands.
Through this experience, I gained confidence in my existing skills. I was also reminded that my expertise didn't expand beyond the Linux operating system. It was useful to see how other operating systems work.
Plan for the future
In future, I hope to encourage more cybersecurity awareness among my peers. However, early feedback from the wider cybersecurity community suggests that this CPD may not be relevant to the modern workplace.
Evaluation
I was delighted to pass the exam with a score of 80%. I was able to consolidate my learning by writing blog posts about what I learned, tutoring other students on the course, and building my own Kali Linux lab to experiment in.
The course did not cover the UK legislation relevant to the exploitation of computer vulnerability. The UK has strict laws which regulate how interactions with computers are governed (Computer Misuse Act, 1990). As such, I have made recommendations to the training provider, and have added a legal refresher to my CPD plan.
Similarly, there was no discussion of ethics. As a Member of the British Computer Society - I am expected to follow a professional code of conduct (British Computer Society, 2021). This is also a requirement of my other professional memberships (The Institution of Engineering and Technology, 2019). The ethics of cybersecurity is not a new field (Denning, 1999) - and I consider it crucial that practitioners understand the ethical issues which may occur if they practise these skills outside of a tightly controlled laboratory environment.
3.2 Identification of specific projects for which this CPD has had or could have (had) an impact.
I am working with the National Cyber Security Centre (NCSC) to implement "security.txt" (Shafranovich, 2021). This is a new cybersecurity standard which provides easily-accessible metadata to cybersecurity researchers. This promotes "responsible disclosure" of security issues to the website owner (Mori and Goto, 2018) by providing metadata relating to encryption keys, disclosure programmes, and expiration dates of security policies.
Figure 2 - Example security.txt file (Shafranovich and Foudil, 2021)
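As an added illustration (not part of the original paper, nor code from the security.txt project), the Python below checks a security.txt file for the metadata described above: contact details, the encryption key location, the disclosure policy link and the expiry date. The field rules are an assumption based on the IETF security.txt specification, and the sample files and `example.org` addresses are constructed.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Field rules (assumption: as given in the IETF security.txt specification).
REQUIRED = {"contact", "expires"}
SINGLE_USE = {"expires", "preferred-languages"}
URI_FIELDS = {"contact", "encryption", "policy", "acknowledgments",
              "canonical", "hiring"}

# Constructed sample files, not real deployments.
GOOD = """\
# Constructed sample
Contact: mailto:security@example.org
Contact: https://example.org/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.org/pgp-key.txt
Policy: https://example.org/disclosure-policy
Preferred-Languages: en
"""

BAD = """\
Contact: security@example.org
Encryption: http://example.org/pgp-key.txt
Expires: 2020-06-30T23:59:59Z
Expires: 2020-12-31T23:59:59Z
"""


def parse_security_txt(text):
    """Return (line_number, field_name, value) for every non-comment line.

    field_name is lower-cased; it is None when the line has no colon.
    """
    fields = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            fields.append((number, None, line))
        else:
            fields.append((number, name.strip().lower(), value.strip()))
    return fields


def check_security_txt(text, now=None):
    """Return a list of human-readable problems; empty means the file passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    seen = {}
    for number, name, value in parse_security_txt(text):
        if name is None:
            problems.append(f"line {number}: not a 'Field: value' line")
            continue
        seen.setdefault(name, []).append(value)

        if name in URI_FIELDS:
            scheme = urlparse(value).scheme.lower()
            if not scheme:
                # e.g. a bare e-mail address instead of mailto:...
                problems.append(f"line {number}: {name} value has no URI scheme")
            elif scheme == "http":
                problems.append(f"line {number}: {name} uses http, not https")

        if name == "expires":
            try:
                expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"line {number}: expires is not a valid date-time")
                continue
            if expires.tzinfo is None:
                problems.append(f"line {number}: expires has no time zone")
            elif expires <= now:
                problems.append(f"line {number}: expires date has passed")

    for name in sorted(REQUIRED - set(seen)):
        problems.append(f"missing required field: {name}")
    for name in sorted(SINGLE_USE):
        count = len(seen.get(name, []))
        if count > 1:
            problems.append(f"{name} appears {count} times, expected once")
    return problems


if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_security_txt(sample) or "no problems found")
```

An expired or missing `Expires` value is worth flagging first, because it tells a researcher that the contact details may no longer be monitored.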
This CPD will allow me to better provide a security assessment of standards and how they are implemented. With an increased knowledge of common flaws and how they can be exploited, I will be able to help my team create guidance for the above standard which is more security focussed. This will lead to an increased awareness of cybersecurity issues throughout the organisation.
My team regularly provides input to international treaties and Memoranda of Understanding (MOU) as they relate to international open standards. Having a heightened security perspective will allow me to engage in higher level discussions about vulnerabilities and their potential for exploitation.
As our team creates the first comprehensive API Catalogue for Government, I am now able to discuss security issues with our developers, and to comprehensively identify misconfigurations which might lead to security issues on a sensitive government web server.
3.3 A discussion of how you have applied or will apply the new skills or knowledge gained
I have applied these new skills by obtaining consent from a number of administrators to run automated scanning tools against their servers. I made several discoveries which I responsibly disclosed. This has led to an increase of the security posture of our IT estate. While I am not at liberty to disclose the vulnerabilities found, these tools typically discover misconfigured servers, outdated software, and weak default passwords.
I will apply this new knowledge in several ways. As part of my work conducting Service Assessments, I will be able to query teams on their ability to defend against common threats and the steps they will take to secure new systems.
As I consult with developers on a regular basis, I will be able to make suggestions on how to properly sanitise user generated content and ensure that it does not pose a threat to our internal infrastructure. While these flaws can be detected using machine learning (Melicher et al., 2021) there are often simpler, framework-based methods of protection (Weinberger et al., 2011) - i.e. HTML escaping of supplied content.
I will discuss with stakeholders how we can assist the IETF ratification process for the proposed "security.txt" - and how we can use it to promote a culture of cybersecurity throughout the organisation. This should reduce the number of cybersecurity incidents and drive down the cost to the organisation of reacting to attacks.
3.4 A summary of next steps in your professional development based on your experience.
Having completed this short course, I can now evidence that I am familiar with modern cybersecurity issues and how they impact both the workplace and the government.
There is a concerted effort within the British Government to encourage people into cybersecurity related jobs (Dowden, 2020). With an increase in cybercrime during the COVID19 pandemic (Lallie et al., 2021) it is clear that there is high demand for people with professional cybersecurity qualifications and experience.
I am already recognised as a cybersecurity expert in the media (Seals, 2018) (O’Donnell, 2018) (Hayward, 2015). I've won bug bounties against Twitter (Vaas, 2018), Samsung (Whittaker, 2013), and most recently, Google (Eden, 2021). This certification gives me further credibility in the professional world.
I need to ensure a synergy between my organisation's goals and my personal development goals. I will achieve this by amending my CPD plan (see Appendix: Professional Development Plan) to include:
- Completing the MSc and, by consulting with my manager and peers, ensuring my next module aligns with their goals.
- Undertaking further courses recommended by my peers
- Teaching others about cybersecurity. I find that explaining a subject is an excellent way to crystallise my understanding.
- Blogging about the experience for work. I think it is important to publicise the educational opportunities which exist in our organisation.
Reflective Activity
I approached the task of reflection by assessing several models of Retrospective Reflection (Gonçalves and Linders, 2014). Because of the nature of the event (CPD based training) I decided to reflect using the key questions identified for discrete events (Kerth, 2001).
Table 2 - Kerth's Reflective Questions

What did we do well, that if we don’t discuss we might forget?

Learning by doing is an excellent way to retain information. I learn best when I have real-life examples to practise on.
I should ensure that any training I give in the future allows participants to engage in practical learning rather than simply discussing theoretical concepts. By teaching others in the class who were stuck on exercises, I was able to demonstrate to myself that I had successfully mastered the information. I was able to retain focus for a whole week of intense study. This was my first week-long course and I was proud to have completed it without distraction.

What did we learn?

I learned that a lot of security knowledge can be distilled into basic principles. Relating vulnerabilities back to a set of core "commandments" makes it simpler to identify issues and learn how they occur.
Much of what was taught was syntax and trivia. That is, learning the precise command-line switches to use, and the exact terminology for types of issues. I found little value in memorising complex commands. While it is useful to learn the capabilities of the tools, their interfaces change regularly. Similarly, I found it frustrating to be tested on knowledge which can easily be discovered by consulting in-built documentation.

What should we do differently next time?

I need to be more forthcoming when I do not understand a subject. At times, I was confused by unfamiliar terminology and I felt embarrassed for asking for explanations. I should realise that my ignorance isn't a cause of shame and that the educator is paid to provide clarity.
I should be prepared to work harder on problems I don't understand. Even if I feel that the information won't be useful to me, it's important to get a rounded understanding of a wide variety of security information. Next time I attend a workshop, I should make sure that my accessibility equipment won't cause any issues. I can get frustrated when I am unable to fully participate in a workshop.

What still puzzles us?

I don't understand why the workshop material wasn't updated for 2021. I should be more assertive in challenging outdated training information.
I wasn't sure how I would relate this CPD training to a reflective based assessment. How I can legally and ethically put these new skills into practice.
4. A discussion on whether and how reflective practice could be integrated or further developed as a standard activity in an organisation like your own
The author considers that the most practical form of reflective practice in their workplace is likely to be reflective mentoring. Mentoring would allow more junior staff to learn - and receive support - from more senior staff.
Interdisciplinary mentoring in digital industries has a long history (Hamburg, 2021). There is a concerted effort within the author's organisation to encourage mentoring relationships between staff (Stevens, 2019).
In a typical mentoring situation, the mentee (the person being mentored) is usually a new starter to the organisation, or someone new to their job role. The mentor is usually someone who has been practising their craft for several years.
By pairing employees in this way, the organisation can facilitate knowledge sharing in both directions. That is, both mentoring and "reverse mentoring".
Reflective Mentoring
This allows mentees to reflect on their own experiences in the workplace, and encourages them to address any issues that they might be facing (Khamis, 2000).
It is important that the mentor / mentee relationship is that of equals - rather than the outmoded master / apprentice relationship. Having a mentor who steps in to "fix" all the mentee's problems deprives the mentee of the experience of fixing their own problems in their own way. Without a mentee being able to develop their own way of working, there is a risk that they will imitate their mentor and thus perpetuate outdated practices (Hargreaves and Fullan, 2000).
Reverse Mentoring
Reverse mentoring is part of the two-way dialectic process which encourages the mentor to learn from the mentee.
This is how the modern workforce expects to learn and socialise. Millennials in the workplace place a great emphasis on being able to reflect their culture back to the organisation (Hershatter and Epstein, 2010).
This typically takes place in two distinct spheres - technical and cultural.
Technical
In the technical sphere, reverse mentors may choose to help their mentees to understand and use modern technical practice. Although our leaders have enough technical literacy to understand that printing out email is an "archaic strategy" (Robinson, 2012) - the pace of digital change in our sector means it is easy for an individual or team to overlook new ways of working.
This also extends to new productivity tools, and new ways of promoting work on social media.
Finally, the reverse mentor may bring valuable experiences from different employment sectors. Not only does this help "cross-pollinate" technologies - but it also brings in cultural changes.
Cultural
In the author's lifetime, there have been enormous changes in society and social norms. Where once any suggestion of homosexuality was enough to be banned from the Civil Service (Southern, 2017), nowadays the organisation openly welcomes people from across the LGBTQIA+ spectrum. With younger people increasingly likely to have a more tolerant attitude to the Trans community (Faye, 2021), it could be extremely useful for senior leaders to understand how a more diverse workforce could benefit the organisation.
Finding Mentors
It is common in the technology industry to find mentors who are experts in their field, but who lack any formal training in mentoring (Stelter, Kupersmidt and Stump, 2021). The author considers there to be a need to establish best practices around mentoring.
Creating a centre of excellence within the organisation would allow for a formal mentoring programme to model itself on best practice. It should be used to encourage traditionally excluded groups into participating at all levels of the programme.
Better diversity means the organisation is better able to reflect the population it serves.
Reflections on Reflection
The author is unsure whether there is an appetite for adopting a culture of reflection within their workplace. In conversations with teammates, they found that there was little understanding of why reflection was important to their day-to-day practice.
While some individual reflection undoubtedly occurs, wholesale cultural transformation is likely to be difficult to achieve - especially given the paucity of evidence that it would be useful.
Appendix
Professional Development Plan
History
In my 20+ year career I have never had, nor needed a PDP. My career thus far has consisted of waiting for interesting opportunities to arrive and then deciding whether I want to take them. In a world where the only constant is change, it strikes me as unnecessary and a little foolhardy to try and work out what the future looks like and how to fit in with it.
Current
I have reached a level of professional success which means that my material needs are more than satisfied, my intellectual curiosity is sated, and my reputation in the industry is well regarded.
Future
When considering my career so far, I think I have progressed as far as I want to. While a higher salary is always nice, I don't think it offsets the downsides of added work stress, more responsibilities, and management chores. I have no desire to pursue a management pathway - having previously managed people, I quickly realised that it was neither a good fit for my skills nor my interests.
Overarching Goals
Pursue interesting opportunities when they arise within a wide variety of industries, as bounded by my interests.
Previous Steps
- Started an MSc - with a view to engaging with the academic mindset to see if it would be a good fit for me in the future.
- Identified a qualification gap with regard to Cyber Security skills - attended CPD to rectify.
- Attended "Policy School" - to better understand policy making decisions.
Next Steps
- Continue this MSc - with a view to exposing myself to a variety of new concepts.
- Improve my understanding of legal and ethical issues - with a view to instilling more ethical behaviour in those I work with.
- Become more involved with Trade Union training - with a view to improving the lives of those I work with.
- Attend mentoring workshops - with a view to increasing the diversity of the organisation.
Career
- Look for interesting opportunities in my current department which keep me roughly at the same level of work and responsibilities.
- Once my MSc is completed, consider opportunities outside my current department.
References
Andriyani, Y., Hoda, R. and Amor, R. (2017) Reflection in Agile Retrospectives. Springer International Publishing. doi:10.1007/978-3-319-57633-6_1
Barabas, E. (2020) 10 years since Genesys | Computer Science | The University of Sheffield. Available at: https://www.sheffield.ac.uk/dcs/blog/10-years-genesys (Accessed: 21 October 2021).
British Computer Society (2021) BCS Code of Conduct | BCS. Available at: https://www.bcs.org/membership/become-a-member/bcs-code-of-conduct/ (Accessed: 14 November 2021).
Computer Misuse Act (1990). Statute Law Database. Available at: https://www.legislation.gov.uk/ukpga/1990/18/contents (Accessed: 9 November 2021).
Croom, S. and Svetina, M. (2021) Psychometric properties of the psychopathic personality inventory: Application to high-functioning business population. Springer Science and Business Media LLC. doi:10.1007/s12144-021-01413-3
Denning, D. E. R. (1999) Information warfare and security. New York : Reading, Ma: ACM Press ; Addison-Wesley.
Dingwall, G. and Hillier, T. (2015) Blamestorming, Blamemongers and Scapegoats. Bristol University Press. doi:10.2307/j.ctt1sq5vnt
Dors, T. M., Van Amstel, F. M. C., Binder, F., Reinehr, S. and Malucelli, A. (2020) Reflective Practice in Software Development Studios: Findings from an Ethnographic Study. IEEE. doi:10.1109/cseet49119.2020.9206217
Dowden, O. (2020) ‘To those tweeting re #Fatima This is not something from @DCMS & I agree it was crass This was a partner campaign encouraging people from all walks of life to think about a career in cyber security I want to save jobs in the arts which is why we are investing £1.57bn’, @OliverDowden, 12 October. Available at: https://twitter.com/OliverDowden/status/1315586209415073793 (Accessed: 17 October 2021).
Eden, T. (2021) 1242315 - Security: Manifest.json can display overlay on non-origin tabs - chromium, Chromium Bugs. Available at: https://bugs.chromium.org/p/chromium/issues/detail?id=1242315 (Accessed: 8 December 2021).
Eden, T. (2021) Certified in The Art of Hacking, Terence Eden’s Blog. Available at: https://shkspr.mobi/blog/tag/certified-in-the-art-of-hacking/ (Accessed: 28 November 2021).
Erdoğan, O., Pekkaya, M. E. and Gök, H. (2018) More effective sprint retrospective with statistical analysis. Wiley. doi:10.1002/smr.1933
Faye, S. (2021) The transgender issue: an argument for justice.
Fletcher, C. (2008) Appraisal, feedback and development: making performance review work. 4th ed. London ; New York: Routledge.
Gonçalves, L. and Linders, B. (2014) Getting value out of agile retrospectives: a toolbox of retrospective exercises.
Guckenbiehl, P. and Theobald, S. (2020) Impediment Management of Agile Software Development Teams. Springer International Publishing. doi:10.1007/978-3-030-64148-1_4
Hamburg, I. (2021) Interdisciplinary Training and Mentoring for Cyber Security in Companies. IGI Global. doi:10.4018/978-1-7998-5728-0.ch018
Hargreaves, A. and Fullan, M. (2000) ‘Mentoring in the New Millennium’, Theory Into Practice, 39(1), pp. 50–56. Available at: https://www.jstor.org/stable/1477441 (Accessed: 10 October 2021).
Hayward, S. (2015) Criminals are selling Viagra and diet pills from hacked NHS websites, mirror. Available at: http://www.mirror.co.uk/news/technology-science/technology/hacked-nhs-websites-used-criminals-5935415 (Accessed: 17 October 2021).
Hershatter, A. and Epstein, M. (2010) ‘Millennials and the World of Work: An Organization and Management Perspective’, Journal of Business and Psychology, 25(2), pp. 211–223. Available at: https://www.jstor.org/stable/40605780 (Accessed: 10 October 2021).
Johns, C. (1995) Framing learning through reflection within Carper's fundamental ways of knowing in nursing. Wiley. doi:10.1046/j.1365-2648.1995.22020226.x
Kerth, N. L. (2001) Project retrospectives: a handbook for team reviews. New York: Dorset House. Available at: https://dl.acm.org/doi/book/10.5555/367065.
Khamis, M. (2000) ‘The beginning teacher’, Teaching in context.
Lallie, H. S., Shepherd, L. A., Nurse, J. R. C., Erola, A., Epiphaniou, G., Maple, C. and Bellekens, X. (2021) Cyber security in the age of COVID-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic. Elsevier BV. doi:10.1016/j.cose.2021.102248
Maurer, C., Sumner, M., Mazzola, D., Pearlson, K. and Jacks, T. (2021) The Cybersecurity Skills Survey: Response to the 2020 SIM IT Trends Study. ACM. doi:10.1145/3458026.3462153
Melicher, W., Fung, C., Bauer, L. and Jia, L. (2021) Towards a Lightweight, Hybrid Approach for Detecting DOM XSS Vulnerabilities with Machine Learning. ACM. doi:10.1145/3442381.3450062
Moon, J. A. (2013) Reflection in Learning and Professional Development. Routledge. doi:10.4324/9780203822296
Mori, S. and Goto, A. (2018) ‘Review of National Cybersecurity Policies’, p. 9.
O’Donnell, L. (2018) Twitter Fixes Bugs That Expose Data. Available at: https://threatpost.com/twitter-data-privacy-bugs/140007/ (Accessed: 17 October 2021).
Osterman, K. F. and Kottkamp, R. B. (1993) Reflective practice for educators: improving schooling through professional development. Newbury Park, Calif: Corwin Press.
OWASP Foundation (2017) 2017 Top 10 | OWASP. Available at: https://owasp.org/www-project-top-ten/2017/Top_10.html (Accessed: 14 November 2021).
Popli, R. and Chauhan, N. (2019) A Sprint Point Based Tool for Agile Estimation. Springer Singapore. doi:10.1007/978-981-10-8848-3_6
QA.com (2021) qa.com | Certified in The Art of Hacking (QATAOH). Available at: https://www.qa.com/course-catalogue/courses/certified-in-the-art-of-hacking-qataoh/ (Accessed: 17 October 2021).
Robinson, H. M. (2012) Emergent computer literacy: a developmental perspective. London: Routledge.
Rogers, R. R. (2001) Springer Science and Business Media LLC. doi:10.1023/a:1010986404527
Schwaber, K. (2004) Agile project management with Scrum. Redmond, Wash: Microsoft Press.
Seals, T. (2018) MailChimp Found Leaking Email Addresses, Infosecurity Magazine. Available at: https://www.infosecurity-magazine.com/news/mailchimp-found-leaking-email/ (Accessed: 17 October 2021).
Shafranovich, Y. (2021) security.txt, security.txt. Available at: https://securitytxt.org/ (Accessed: 17 October 2021).
Shafranovich, Y. and Foudil, E. (2021) ‘A File Format to Aid in Security Vulnerability Disclosure’. IETF. Available at: https://www.ietf.org/id/draft-foudil-securitytxt-12.txt (Accessed: 8 December 2021).
Southern, J. (2017) Homosexuality at the FCO, 1967-1991. Available at: https://issuu.com/fcohistorians/docs/homosexuality_and_the_fco (Accessed: 14 November 2021).
Stelter, R. L., Kupersmidt, J. B. and Stump, K. N. (2021) Establishing effective STEM mentoring relationships through mentor training. Wiley. doi:10.1111/nyas.14470
Stevens, K. (2019) Learn more about the new mentoring scheme from the GDS Women’s Network - Government Digital Service. Available at: https://gds.blog.gov.uk/2019/03/08/learn-more-about-the-new-mentoring-scheme-from-the-gds-womens-network/ (Accessed: 14 November 2021).
The Institution of Engineering and Technology (2019) Rules of Conduct. Available at: https://www.theiet.org/about/governance/rules-of-conduct/ (Accessed: 14 November 2021).
Vaas, L. (2018) ‘Twitter fixes bug that lets unauthorized apps get access to DMs’, Naked Security, 18 December. Available at: https://nakedsecurity.sophos.com/2018/12/18/twitter-fixes-bug-that-lets-unauthorized-apps-get-access-to-dms/ (Accessed: 8 December 2021).
Weinberger, J., Saxena, P., Akhawe, D., Finifter, M., Shin, R. and Song, D. (2011) A Systematic Analysis of XSS Sanitization in Web Application Frameworks. Springer Berlin Heidelberg. doi:10.1007/978-3-642-23822-2_9
Whittaker, Z. (2013) Samsung flaw allows attackers to bypass Android lock screen, ZDNet. Available at: https://www.zdnet.com/article/samsung-flaw-allows-attackers-to-bypass-android-lock-screen/ (Accessed: 8 December 2021).
Copyright and Copyleft
This document is 🄯 Terence Eden CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/
It may not be used or retained in electronic systems for the detection of plagiarism. No part of it may be used for commercial purposes without prior permission.
Any source code is under the MIT Licence
This document contains public sector information licensed under the Open Government Licence v3.0. https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/