Tag: NIST Cybersecurity Framework

  • Cybersecurity for sensitive research: protecting data and infrastructure

    When people speak of research security, they often mean the screening of partnerships and personnel for risks of foreign interference, undue influence or illegitimate transfer of knowledge. That is one important strand. But beneath it lies a distinct and equally vital discipline that deserves to be considered in its own right: the cybersecurity of research — protecting research data, systems and infrastructure from compromise, theft, tampering and disruption. A laboratory can pass every partnership review and still lose its most valuable data to an intrusion, a ransomware attack or a misconfigured server. Foreign-interference screening asks who you work with; research cybersecurity asks how well you protect what you hold. This article treats the second question as a discipline in its own right, drawing on the research-security domain of the CASRAI Dictionary.

    Why research is a target

    Research environments are attractive targets and, historically, soft ones. They hold things of real value: unpublished findings, novel methods, valuable datasets, intellectual property with commercial or strategic worth, and sensitive data about people. At the same time, the culture of research — open, collaborative, internationally connected, organised around sharing rather than locking down — can sit uneasily with rigorous security practice, and academic systems are often diverse, decentralised and unevenly maintained. The consequences of compromise are serious: data can be stolen, results can be quietly altered (undermining their integrity in ways that may not be detected), systems can be held to ransom, and the trust of participants whose data was promised protection can be betrayed. Recognising research as a genuine target is the first step towards protecting it, and it reframes cybersecurity not as an IT inconvenience but as a condition of doing trustworthy research at all.

    Classifying data by sensitivity

    Effective protection begins with knowing what you have and how sensitive it is. Data classification is the practice of sorting data into categories according to how damaging its exposure or loss would be — from open data that can be freely shared, through internal data, to controlled or sensitive data requiring strict protection. Classification matters because not all data warrants the same controls, and trying to protect everything to the highest standard is neither practical nor wise. By identifying which data is genuinely sensitive — personal data, controlled information, commercially or strategically valuable material — an organisation can apply proportionate safeguards: the strongest controls where the stakes are highest, lighter touch where data is open. Classification is the foundation on which every other control rests, because you cannot protect appropriately what you have not first understood.
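    To make the proportionate-safeguards idea concrete, here is an added illustration (not code from the page or from the CASRAI Dictionary) in which a dataset's classification tier determines the minimum controls it must have, system-specific labels are first mapped onto one shared vocabulary, and any gap is reported; the tier names, the label aliases and the controls required per tier are assumptions chosen for the example.

```python
# Added illustration (not from the page or the CASRAI Dictionary): a classification
# tier drives the minimum set of safeguards, and a dataset's configuration is
# checked against that tier. Tier names and the controls per tier are assumptions.
from dataclasses import dataclass, field

# Minimum safeguards per tier (assumed for illustration; a real policy would
# derive these from the applicable framework, e.g. SP 800-171 for CUI).
REQUIRED_CONTROLS = {
    "open": set(),
    "internal": {"authenticated_access"},
    "controlled": {"authenticated_access", "mfa", "encrypted_at_rest",
                   "access_logging", "restricted_network"},
}

# Labels that different systems use for the same tier (assumed aliases). Mapping
# them onto one vocabulary is what keeps protection intact at a system boundary.
LABEL_ALIASES = {
    "public": "open", "open": "open",
    "internal": "internal", "restricted": "internal",
    "controlled": "controlled", "sensitive": "controlled", "cui": "controlled",
}

@dataclass
class Dataset:
    name: str
    label: str                                   # label as recorded by the holding system
    controls: set = field(default_factory=set)   # safeguards actually in place

def normalise_label(label: str) -> str:
    """Map a system-specific label onto the shared tier vocabulary; unknown labels fail closed."""
    tier = LABEL_ALIASES.get(label.strip().lower())
    if tier is None:
        raise ValueError(f"unrecognised classification label: {label!r}")
    return tier

def control_gaps(ds: Dataset) -> set:
    """Safeguards the dataset's tier requires that are not in place."""
    return REQUIRED_CONTROLS[normalise_label(ds.label)] - ds.controls

def classify_and_check(datasets):
    """Per dataset: its shared-vocabulary tier and a sorted list of missing safeguards."""
    return {ds.name: (normalise_label(ds.label), sorted(control_gaps(ds))) for ds in datasets}

# Constructed sample inventory for the example.
SAMPLE = [
    Dataset("survey-raw", "Sensitive", {"authenticated_access", "encrypted_at_rest"}),
    Dataset("published-results", "public"),
    Dataset("lab-notes", "restricted", {"authenticated_access"}),
]

if __name__ == "__main__":
    for name, (tier, gaps) in classify_and_check(SAMPLE).items():
        print(f"{name}: tier={tier} missing={gaps or 'none'}")
```

    A label the shared vocabulary does not recognise raises rather than silently defaulting to "open", so an unmapped dataset is flagged instead of under-protected.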

    The NIST frameworks

    Among the most influential tools for organising cybersecurity are those from the United States National Institute of Standards and Technology (NIST). The NIST Cybersecurity Framework provides a widely adopted structure for managing cybersecurity risk, organised around core functions — broadly, identifying assets and risks, protecting them, detecting incidents, responding to them and recovering. Its value is that it gives an organisation a coherent way to think about its whole security posture rather than a scattered set of technical fixes. For research handling certain categories of controlled information, NIST SP 800-171 is especially relevant: it sets out requirements for protecting controlled unclassified information (CUI) in non-federal systems, and compliance with it is often a condition of holding certain sensitive or government-related research data. Where a project handles such data, meeting these requirements is not optional good practice but a contractual and sometimes legal obligation.

    ISO/IEC 27001 and information security management

    Internationally, the dominant standard is ISO/IEC 27001, which specifies requirements for an information security management system — a systematic, organisation-wide approach to managing information security risks through policies, controls and continual improvement. Rather than prescribing a fixed checklist, ISO/IEC 27001 requires an organisation to assess its risks and implement appropriate controls, and to manage security as an ongoing process subject to review and improvement. Certification against it provides external assurance that an organisation manages information security to a recognised standard, which can matter when research partners, funders or data providers need confidence that data they share will be properly protected. Whereas the NIST framework offers a structure for thinking about risk and SP 800-171 a set of requirements for a specific data category, ISO/IEC 27001 provides a management system for security as a whole — and the three are frequently used together.

    Where cybersecurity meets trusted research

    Research cybersecurity does not sit apart from the broader research-security agenda; it underpins it. The Trusted Research approach, which helps researchers collaborate internationally while managing risk, depends on sound information security as one of its foundations — there is little point screening a partnership for risk if the data at stake is left poorly protected. Protecting sensitive data also intersects with the governance of controlled-access data: secure infrastructure, classification and access control are what make it possible to hold and reuse sensitive data responsibly rather than either exposing it or refusing to use it at all. Cybersecurity is thus the practical backbone that lets research be both open where it can be and protected where it must be.

    A consistent vocabulary for protection

    For data sensitivity and protection requirements to be respected as data moves between institutions, collaborators and systems, the terms involved — classification levels, access conditions, sensitivity categories, control requirements — must mean the same thing everywhere. A dataset marked “controlled” in one system must be understood the same way in the next, or its protection breaks down at the boundary. That consistency is what the CASRAI Dictionary works towards: a shared vocabulary so that the metadata describing how data must be protected travels intact. And because securing and stewarding research data is genuine, skilled work, it can be described in the same shared framework as any other contribution — the CRediT taxonomy and the wider apparatus of research administration. Screening who you work with is necessary; protecting what you hold is just as necessary — and cybersecurity is the discipline that makes the second possible.