Conducting research-security risk assessments: proportionate due diligence

Research-security policy can sound, to a working researcher, like a demand to treat every collaborator with suspicion and every international partnership as a threat. Understood properly, it is nearly the opposite. The aim of a research-security risk assessment is not to close doors but to open them with eyes open — to ask sensible, proportionate questions before entering a partnership, accepting funding or recruiting a colleague, so that genuine risks are identified and managed while the overwhelming majority of legitimate collaboration proceeds unimpeded. The skill lies in proportion: too little scrutiny leaves real risks unexamined, too much strangles the openness on which research thrives. This article looks at how institutions can build that proportionate assessment into their practice, through the research security domain of the CASRAI Dictionary.

What a risk assessment is for

A research-security risk assessment is a structured way of asking, before a commitment is made, whether a proposed partnership, funding source or appointment carries risks that need to be understood and managed. Those risks might include sensitive knowledge or technology being diverted to harmful ends, undisclosed conflicts of interest or commitment, or partnerships with entities whose affiliations warrant closer examination. The purpose is not to reach a verdict of “safe” or “dangerous” but to make an informed decision and proceed with confidence. Most assessments conclude that there is no significant concern, and that is a feature, not a failure — the process exists to distinguish the rare case that needs attention from the many that do not.

Proportionality is the governing principle

The single most important principle is proportionality. The depth of due diligence should match the level of risk, and most research carries little. A fundamental, openly published study with a long-standing academic partner needs nothing like the scrutiny appropriate to research in a sensitive area, involving technology with security implications, with a new and unfamiliar partner. Building proportionality into the process — through triage that applies light-touch checks to low-risk activity and reserves deeper examination for the genuinely sensitive — is what keeps research security workable. Without it, either everything receives burdensome scrutiny that researchers come to resent and evade, or nothing does. Proportionate assessment respects both the need for security and the value of open collaboration.

UK Trusted Research guidance

Institutions do not have to design this from nothing. In the United Kingdom, the Trusted Research guidance, developed by the National Protective Security Authority (NPSA, formerly CPNI) together with the National Cyber Security Centre, gives researchers and institutions practical help in identifying and managing the risks of international collaboration. Its framing is deliberately constructive: it is about helping researchers collaborate safely and protect their work, not about discouraging international partnership, which it explicitly recognises as essential to research. Trusted Research offers a model of how security guidance can support rather than obstruct, equipping researchers to ask the right questions and make sound judgements while keeping the door to collaboration open. It is a useful touchstone for what proportionate, supportive research security looks like in practice.

Specific tools: ATAS and disclosure

Within the wider landscape sit specific mechanisms that an assessment may engage. The Academic Technology Approval Scheme (ATAS) is a UK scheme requiring certain international students and researchers working in specified sensitive subject areas to obtain clearance before commencing their studies or work — a targeted control focused on areas where there is genuine proliferation concern, rather than a blanket restriction. Equally central is the disclosure of conflicts of interest and conflicts of commitment: requiring researchers to declare outside affiliations, funding, appointments and obligations, so that potential conflicts are visible and can be managed. Transparency through disclosure is one of the most effective and least intrusive security tools available, because it surfaces the information needed to assess risk without presuming bad faith. These mechanisms are pieces of a proportionate system, applied where relevant rather than universally.

The wider policy context

Research-security risk assessment also responds to expectations set by funders and governments. In the United States, National Security Presidential Memorandum 33 (NSPM-33), issued in January 2021, set out requirements for research-security programmes at institutions receiving federal funding, including expectations around disclosure and the protection of research. The detail of that framework, and of related concerns such as dual-use research and the cybersecurity of sensitive work, is addressed in our existing coverage of those topics; the point here is that institutional risk assessment is the practical mechanism through which such expectations are met. A research-security programme is, in large part, the capacity to conduct proportionate due diligence consistently and well.

Embedding assessment in research administration

For risk assessment to work, it has to be part of the ordinary machinery of research administration rather than a special process invoked in alarm. Integrated into the points where commitments are made — partnership agreements, grant acceptance, recruitment — it becomes a routine, proportionate check rather than a disruptive intervention, and it draws on information institutions already gather. This integration is the concern of our research administration resources: building security-mindedness into normal processes so that it supports good decisions rather than obstructing them. Done well, assessment is largely invisible to the researcher whose work poses no concern, and genuinely helpful to the one whose work does.

A consistent vocabulary for risk and disclosure

For risk assessment to function across institutions, funders and partners, the information involved — disclosure categories, risk levels, affiliation and conflict information — must be described consistently, or an assessment in one context will be misread in another. That consistency is what the CASRAI Dictionary provides: a shared vocabulary so that the information underpinning research-security decisions is understood the same way wherever it is recorded. And because the people and contributions involved are part of the research record, they can be described in the same shared framework — the CRediT taxonomy and its full set of contribution roles. Research security, done proportionately, is not a barrier to collaboration but a way of protecting the collaboration that matters — asking the right questions so the lab door can stay open.
