CASRAI Dictionary

Tag: Trusted Research

  • Cybersecurity for sensitive research: protecting data and infrastructure

    When people speak of research security, they often mean the screening of partnerships and personnel for risks of foreign interference, undue influence or illegitimate transfer of knowledge. That is one important strand. But beneath it lies a distinct and equally vital discipline that deserves to be considered in its own right: the cybersecurity of research — protecting research data, systems and infrastructure from compromise, theft, tampering and disruption. A laboratory can pass every partnership review and still lose its most valuable data to an intrusion, a ransomware attack or a misconfigured server. Foreign-interference screening asks who you work with; research cybersecurity asks how well you protect what you hold. This article treats the second question as a discipline in its own right, drawing on the research-security domain of the CASRAI Dictionary.

    Why research is a target

    Research environments are attractive targets and, historically, soft ones. They hold things of real value: unpublished findings, novel methods, valuable datasets, intellectual property with commercial or strategic worth, and sensitive data about people. At the same time, the culture of research — open, collaborative, internationally connected, organised around sharing rather than locking down — can sit uneasily with rigorous security practice, and academic systems are often diverse, decentralised and unevenly maintained. The consequences of compromise are serious: data can be stolen, results can be quietly altered (undermining their integrity in ways that may not be detected), systems can be held to ransom, and the trust of participants whose data was promised protection can be betrayed. Recognising research as a genuine target is the first step towards protecting it, and it reframes cybersecurity not as an IT inconvenience but as a condition of doing trustworthy research at all.

    Classifying data by sensitivity

    Effective protection begins with knowing what you have and how sensitive it is. Data classification is the practice of sorting data into categories according to how damaging its exposure or loss would be — from open data that can be freely shared, through internal data, to controlled or sensitive data requiring strict protection. Classification matters because not all data warrants the same controls, and trying to protect everything to the highest standard is neither practical nor wise. By identifying which data is genuinely sensitive — personal data, controlled information, commercially or strategically valuable material — an organisation can apply proportionate safeguards: the strongest controls where the stakes are highest, lighter touch where data is open. Classification is the foundation on which every other control rests, because you cannot protect appropriately what you have not first understood.

    The NIST frameworks

    Among the most influential tools for organising cybersecurity are those from the United States National Institute of Standards and Technology (NIST). The NIST Cybersecurity Framework provides a widely adopted structure for managing cybersecurity risk, organised around core functions — broadly, identifying assets and risks, protecting them, detecting incidents, responding to them and recovering. Its value is that it gives an organisation a coherent way to think about its whole security posture rather than a scattered set of technical fixes. For research handling certain categories of controlled information, NIST SP 800-171 is especially relevant: it sets out requirements for protecting controlled unclassified information (CUI) in non-federal systems, and compliance with it is often a condition of holding certain sensitive or government-related research data. Where a project handles such data, meeting these requirements is not optional good practice but a contractual and sometimes legal obligation.

    ISO/IEC 27001 and information security management

    Internationally, the dominant standard is ISO/IEC 27001, which specifies requirements for an information security management system — a systematic, organisation-wide approach to managing information security risks through policies, controls and continual improvement. Rather than prescribing a fixed checklist, ISO/IEC 27001 requires an organisation to assess its risks and implement appropriate controls, and to manage security as an ongoing process subject to review and improvement. Certification against it provides external assurance that an organisation manages information security to a recognised standard, which can matter when research partners, funders or data providers need confidence that data they share will be properly protected. Whereas the NIST framework offers a structure for thinking about risk and SP 800-171 a set of requirements for a specific data category, ISO/IEC 27001 provides a management system for security as a whole — and the three are frequently used together.

    Where cybersecurity meets trusted research

    Research cybersecurity does not sit apart from the broader research-security agenda; it underpins it. The Trusted Research approach, which helps researchers collaborate internationally while managing risk, depends on sound information security as one of its foundations — there is little point screening a partnership for risk if the data at stake is left poorly protected. Protecting sensitive data also intersects with the governance of controlled-access data: secure infrastructure, classification and access control are what make it possible to hold and reuse sensitive data responsibly rather than either exposing it or refusing to use it at all. Cybersecurity is thus the practical backbone that lets research be both open where it can be and protected where it must be.

    A consistent vocabulary for protection

    For data sensitivity and protection requirements to be respected as data moves between institutions, collaborators and systems, the terms involved — classification levels, access conditions, sensitivity categories, control requirements — must mean the same thing everywhere. A dataset marked “controlled” in one system must be understood the same way in the next, or its protection breaks down at the boundary. That consistency is what the CASRAI Dictionary works towards: a shared vocabulary so that the metadata describing how data must be protected travels intact. And because securing and stewarding research data is genuine, skilled work, it can be described in the same shared framework as any other contribution — the CRediT taxonomy and the wider apparatus of research administration. Screening who you work with is necessary; protecting what you hold is just as necessary — and cybersecurity is the discipline that makes the second possible.

  • Conducting research-security risk assessments: proportionate due diligence

    Research-security policy can sound, to a working researcher, like a demand to treat every collaborator with suspicion and every international partnership as a threat. Understood properly, it is nearly the opposite. The aim of a research-security risk assessment is not to close doors but to open them with eyes open — to ask sensible, proportionate questions before entering a partnership, accepting funding or recruiting a colleague, so that genuine risks are identified and managed while the overwhelming majority of legitimate collaboration proceeds unimpeded. The skill lies in proportion: too little scrutiny leaves real risks unexamined, too much strangles the openness on which research thrives. This article looks at how institutions can build that proportionate assessment into their practice, through the research security domain of the CASRAI Dictionary.

    What a risk assessment is for

    A research-security risk assessment is a structured way of asking, before a commitment is made, whether a proposed partnership, funding source or appointment carries risks that need to be understood and managed. Those risks might include sensitive knowledge or technology being diverted to harmful ends, undisclosed conflicts of interest or commitment, or partnerships with entities whose affiliations warrant closer examination. The purpose is not to reach a verdict of “safe” or “dangerous” but to make an informed decision and proceed with confidence. Most assessments conclude that there is no significant concern, and that is a feature, not a failure — the process exists to distinguish the rare case that needs attention from the many that do not.

    Proportionality is the governing principle

    The single most important principle is proportionality. The depth of due diligence should match the level of risk, and most research carries little. A fundamental, openly published study with a long-standing academic partner needs nothing like the scrutiny appropriate to research in a sensitive area, involving technology with security implications, with a new and unfamiliar partner. Building proportionality into the process — through triage that applies light-touch checks to low-risk activity and reserves deeper examination for the genuinely sensitive — is what keeps research security workable. Without it, either everything receives burdensome scrutiny that researchers come to resent and evade, or nothing does. Proportionate assessment respects both the need for security and the value of open collaboration.

    UK Trusted Research guidance

    Institutions do not have to design this from nothing. In the United Kingdom, the Trusted Research guidance, developed by national security bodies including the agency now responsible for protective security advice and the National Cyber Security Centre, gives researchers and institutions practical help in identifying and managing the risks of international collaboration. Its framing is deliberately constructive: it is about helping researchers collaborate safely and protect their work, not about discouraging international partnership, which it explicitly recognises as essential to research. Trusted Research offers a model of how security guidance can support rather than obstruct, equipping researchers to ask the right questions and make sound judgements while keeping the door to collaboration open. It is a useful touchstone for what proportionate, supportive research security looks like in practice.

    Specific tools: ATAS and disclosure

    Within the wider landscape sit specific mechanisms that an assessment may engage. The Academic Technology Approval Scheme (ATAS) is a UK scheme requiring certain international students and researchers working in specified sensitive subject areas to obtain clearance before commencing their studies or work — a targeted control focused on areas where there is genuine proliferation concern, rather than a blanket restriction. Equally central is the disclosure of conflicts of interest and conflicts of commitment: requiring researchers to declare outside affiliations, funding, appointments and obligations, so that potential conflicts are visible and can be managed. Transparency through disclosure is one of the most effective and least intrusive security tools available, because it surfaces the information needed to assess risk without presuming bad faith. These mechanisms are pieces of a proportionate system, applied where relevant rather than universally.

    The wider policy context

    Research-security risk assessment also responds to expectations set by funders and governments. In the United States, the policy framework known as NSPM-33 set out requirements for research-security programmes at institutions receiving federal funding, including expectations around disclosure and the protection of research. The detail of that framework, and of related concerns such as dual-use research and the cybersecurity of sensitive work, are addressed in our existing coverage of those topics; the point here is that institutional risk assessment is the practical mechanism through which such expectations are met. A research-security programme is, in large part, the capacity to conduct proportionate due diligence consistently and well.

    Embedding assessment in research administration

    For risk assessment to work, it has to be part of the ordinary machinery of research administration rather than a special process invoked in alarm. Integrated into the points where commitments are made — partnership agreements, grant acceptance, recruitment — it becomes a routine, proportionate check rather than a disruptive intervention, and it draws on information institutions already gather. This integration is the concern of our research administration resources: building security-mindedness into normal processes so that it supports good decisions rather than obstructing them. Done well, assessment is largely invisible to the researcher whose work poses no concern, and genuinely helpful to the one whose work does.

    A consistent vocabulary for risk and disclosure

    For risk assessment to function across institutions, funders and partners, the information involved — disclosure categories, risk levels, affiliation and conflict information — must be described consistently, or an assessment in one context will be misread in another. That consistency is what the CASRAI Dictionary provides: a shared vocabulary so that the information underpinning research-security decisions is understood the same way wherever it is recorded. And because the people and contributions involved are part of the research record, they can be described in the same shared framework — the CRediT taxonomy and its full set of contribution roles. Research security, done proportionately, is not a barrier to collaboration but a way of protecting the collaboration that matters — asking the right questions so the lab door can stay open.

  • Trusted research and international collaboration: managing risk without barriers

    International collaboration is not a luxury of modern research; it is largely how the best of it gets done. The hardest problems — in health, climate, energy, fundamental science — are addressed by teams that cross borders, pool data and combine expertise that no single country holds. At the same time, a minority of partnerships carry real risks: the loss of sensitive technology, undisclosed competing obligations, the misuse of dual-use research, or arrangements that conflict with a researcher’s legal duties. The challenge that ‘research security’ tries to meet is to manage those genuine risks without throwing up barriers that would damage the open, collaborative culture on which research depends. This article sets out a proportionate approach, drawing on the framework defined in the research security domain of the CASRAI Dictionary.

    Two policy reference points

    Two reference points dominate the conversation. In the United States, NSPM-33 — the National Security Presidential Memorandum on protecting the integrity of government-supported research — directs funding agencies to strengthen disclosure requirements and asks institutions receiving substantial federal funding to maintain research-security programmes. Its emphasis is on transparency: knowing who is funding what, and what other obligations a researcher carries, so that conflicts of interest and conflicts of commitment can be seen and managed rather than hidden.

    In the United Kingdom, the Trusted Research guidance, developed with the national protective-security and cyber-security bodies, takes a similar but distinctly proportionate line. Its framing is that the overwhelming majority of international collaboration is benign and beneficial, and that the goal is to help researchers and institutions identify the small number of cases where caution is warranted — and to do so without discouraging legitimate partnership. Both frameworks share a premise worth stating plainly: the aim is risk management, not risk elimination, because eliminating risk would mean eliminating collaboration.

    Where the risks actually sit

    It helps to name the categories of risk concretely, because vague anxiety is the enemy of proportionate action. Conflicts of interest and commitment arise when a researcher has financial interests or outside appointments — including foreign talent-programme affiliations — that are not disclosed and could bias their work or divide their loyalties. Export controls and sanctions govern the transfer of certain technologies, data and know-how across borders, and can apply even to a conversation or a shared dataset, not only to physical goods. Dual-use research of concern covers work that, though conducted for legitimate purposes, could be repurposed to cause harm. And there are data-protection and confidentiality obligations that follow data across jurisdictions with different legal regimes.

    Naming these categories matters because the appropriate response differs for each. An export-control question is a legal compliance matter; a conflict-of-commitment question is a disclosure matter; a dual-use question is an ethical-review matter. Treating them as one undifferentiated ‘security’ problem leads either to overreaction or to missing the specific control that actually applies.

    Due diligence that is proportionate

    The practical heart of trusted research is proportionate due diligence: doing more checking where the stakes are higher, and not burdening low-risk collaboration with high-risk procedures. A sensible due-diligence process asks a graded set of questions. What is the nature of the work — is it fundamental and openly publishable, or does it touch sensitive technology? Who is the partner, who ultimately funds and controls them, and are there links that raise concern? What will be shared — data, materials, know-how — and does any of it fall under export controls? What are the terms — who owns the results, who can publish, are there clauses that would compromise academic freedom or open dissemination?

    The point of grading is that a routine collaboration on openly published basic science should pass through quickly, while a project involving controlled technology and an opaque funding structure warrants real scrutiny and, often, expert advice. A process that treats every partnership as a threat will be ignored or resented; a process that treats none as a risk fails its purpose.

    Disclosure as the connective tissue

    Across both frameworks, disclosure is the mechanism that makes everything else work. Most research-security failures are not espionage; they are undisclosed relationships and obligations that, once visible, could have been managed straightforwardly. Accurate, complete and current-and-pending disclosures — of funding, appointments, in-kind support and outside activities — let an institution and a funder see the whole picture. The move toward machine-readable disclosure formats is making this less of a paperwork burden and more of a maintainable record, and recording these obligations in structured form complements the recognition of legitimate contributions through the CRediT taxonomy: the same record can show both what someone did and what other commitments they hold.

    Keeping the lab door open

    The risk that gets least attention is the risk of overreaction — of institutions retreating from international partnership, or of researchers from particular backgrounds being treated with suspicion on the basis of nationality rather than conduct. Both the UK and US frameworks are explicit that security measures must not become a pretext for discrimination, and that openness is itself a value worth protecting. A trusted-research programme that makes researchers feel surveilled or unwelcome will cost more in lost collaboration and damaged trust than it saves in averted risk.

    The balance, then, is genuinely a balance: assess risk honestly and proportionately, manage it with the specific control that fits, insist on transparent disclosure, and keep the default disposition open. The shared vocabulary for describing these obligations consistently across systems and partners is maintained in the CASRAI Dictionary, which is part of what makes a risk-management conversation possible across institutional and national lines.

  • Research security without closing the lab door: NSPM-33, disclosure and trusted research

    Research security is one of the few areas of research policy where the stated goal contains an explicit tension. The aim is to protect research from theft, undue foreign influence, and misuse, while preserving the openness and international collaboration that make research productive in the first place. Get the balance wrong in one direction and you leak; get it wrong in the other and you close the lab door on the very partnerships that drive discovery. This article sets out how the main frameworks try to hold that balance, drawing on the research-security domain.

    NSPM-33: the US framework in plain terms

    NSPM-33 — National Security Presidential Memorandum 33 — is the US policy that directs federal research-funding agencies to strengthen protections for federally funded research. Its implementation guidance came from JCORE, the Joint Committee on the Research Environment, and it is deliberately built around disclosure and management rather than prohibition. Most fundamental research is intended to stay open.

    Two defined terms do a lot of work. A covered institution is one receiving more than $50 million per year in federal science funding; such institutions must stand up a research security programme covering four pillars — cybersecurity, foreign-travel security, research-security training, and export-control training. A covered individual is a person whose role on a federal award brings them within the disclosure requirements. The policy’s centre of gravity is making sure that what investigators are funded and supported to do is visible, not stopping them from collaborating.

    What disclosure actually targets

    The disclosures NSPM-33 sharpens are aimed at specific, definable risks rather than at foreign collaboration in general. The vocabulary matters here because imprecision in this area does real harm.

    • A foreign component — in NIH usage, research activity conducted outside the United States or by foreign researchers — must be disclosed. It is a fact to be recorded, not a prohibited act.
    • An in-kind contribution from a foreign source — non-monetary support such as access to facilities, personnel, or data — is disclosable precisely because earlier disclosure regimes let it slip through.
    • A malign foreign talent recruitment programme is the narrow category that participation rules actually prohibit for federally funded researchers; it is a defined subset of talent programmes deemed to pose national-security concerns, and it must not be conflated with the ordinary, legitimate practice of international recruitment.

    Keeping these distinct is the difference between proportionate security and a chilling effect. Most foreign collaboration is disclosable and entirely permitted; only a defined sliver is prohibited.

    The export-control boundary

    Running alongside disclosure is export-control law, which predates NSPM-33 but is now part of the same conversation. The EAR (Export Administration Regulations) and ITAR (International Traffic in Arms Regulations) restrict the transfer of controlled items and information, including a deemed export — the release of controlled information to a foreign national inside the home country, treated in law as an export.

    The release valve that keeps basic science open is the fundamental research exemption: research ordinarily published and shared broadly is generally excluded from export-control restrictions. The exemption is what allows an international research group to work openly on publishable science. It is also conditional, and an institution’s research-security programme exists in part to identify the cases — controlled technologies, certain dual-use work — where the exemption does not apply and tighter handling, including for Controlled Unclassified Information (CUI) under the NIST SP 800-171 baseline, is required.

    The UK and other regimes: a different idiom, similar aim

    The US is not alone, and the comparison is instructive. The UK pursues the same balance under the banner of Trusted Research, guidance developed for the academic sector and coordinated through the National Protective Security Authority. Its tone is advisory and risk-based rather than threshold-and-programme: it asks institutions and researchers to understand their collaborations, protect their work, and make informed decisions, without a statutory $50 million trigger. Australia operates a Foreign Influence Transparency Scheme, and Horizon Europe grant agreements carry their own security provisions. The frameworks differ in legal force and idiom, but they converge on the same proposition: manage risk through transparency and proportionate controls, not through blanket closure.

    Why this is, at bottom, a metadata problem

    Here is the connection to CASRAI’s mission. Almost everything research security asks for is a structured fact that already exists somewhere in the institution: the awards an investigator holds, the organisations supporting them, their appointments, their foreign components, their in-kind support. The disclosure burden that researchers experience as oppressive is largely the burden of reassembling those facts by hand, repeatedly, in each funder’s format. A regime that penalises inadvertent disclosure errors while forcing manual assembly manufactures the errors it then punishes.

    Disclosures anchored in persistent identifiers change this. An award identified by a Crossref grant ID, an organisation by a ROR ID, an investigator by an ORCID iD, generated from a structured profile, becomes a checkable assertion rather than a hand-typed document. The same machinery described for research administration generally — entering each fact once and reading it everywhere — is what makes research security proportionate instead of punitive. See persistent identifiers for authors for the building blocks.

    Where shared vocabulary fits

    The terms in this area are easy to misuse and the cost of misuse is high — a “foreign component” is not a prohibited act, a “malign” talent programme is a narrow defined category, and conflating them damages people and partnerships. A shared, federated vocabulary that defines these terms precisely, pointing back to JCORE, NIH, and the NPSA for the authoritative content, is exactly what keeps security proportionate. Supplying that definitional layer is the role the CASRAI dictionary is designed to play.

    What to do now

    For institutions: build research-security programmes around generating disclosures from authoritative, identifier-anchored records, not around adding manual forms. For researchers: maintain your awards, affiliations, and support in structured profiles so disclosures are a query, not a memory test. For standards work: pin down the precise definitions that separate disclosable from prohibited, federating to the authoritative national guidance.

    Related reading