CIM's Matt Spencer awarded RISCS-NCSC Impact Prize for his work on Principles Based Assurance
Product assurance schemes have a long history in computer security, with the goal of enabling effective and trustworthy evaluation of the security characteristics of digital technology products. Recent years have seen increasing recognition that adequate specification of technical evaluation criteria is not, on its own, sufficient to ensure buy-in from product developers, customers and evaluators. Matt's work contributes to our understanding of assurance as a socio-technical, rather than purely technical, problem: institutional, social, economic and communicative dimensions play a key role in whether schemes succeed or fail. Interdisciplinary research is needed to understand these factors and their potential effects, and to communicate the implications for policy.
As part of the UKRI-funded Scaling Trust project, and in collaboration with the Research Institute for Sociotechnical Cyber Security, Matt has studied recent developments in cyber security assurance, interviewing and running workshops with practitioners and policymakers, doing document analysis, studying the broader historical and theoretical context, and developing recommendations to support policy in this important area of technology governance.
You can read Matt's work on the socio-technical side of cyber security product assurance in two reports, and in a paper published in the Journal of Cultural Economy.
While this work spans several disciplines, the primary practical message has been to emphasise the need for policymakers to pay close attention to communication, as the new Principles Based Assurance approach is implemented across sectors and product segments. Context-sensitive policy narratives will be essential for the credibility of the approach among practitioners. The embedding of the PBA philosophy in wider national strategic narratives will be crucial to ensure that self-fulfilling prophecies enhance rather than impede adoption. And to support this work, it will be necessary for the NCSC to closely monitor interpretations of assurance policy within professional communities.
The RISCS Impact Award was announced at the 2026 RISCS Annual Conference in Bristol.