FAQs
A research cyber risk assessment evaluates the security threats and risks associated with research projects and the information systems they use. The assessment aims to:
- Identify and report potential security threats and risks.
- Provide recommendations to improve the overall security of the research project.
Requesting a research cyber risk assessment is a foundational step in meeting the expectations outlined in the university’s Institutional Research Data Management Strategy, including:
- “Researchers must ensure security requirements and guidelines are implemented and follow the institutional Information Security Control Standard and applicable actions based on levels of criticality in the Data Classification Standard.”
- “Researchers should assess risks to data and implement appropriate security controls to protect against malicious attacks, geopolitical or economic threats, data corruption and data loss.”
Cyber security is a crucial aspect of research due to contractual, funding and sponsor requirements; research ethics and integrity obligations; governmental and university policies; the value of intellectual property; and the increasing targeting of researchers by cyber criminals and nation-states.
Ideally, a research cyber risk assessment should be requested early in a research project when information systems and solutions are being planned. Early assessments allow for greater flexibility in making necessary security changes. However, an assessment remains valuable at any stage of the project.
A research cyber risk assessment is recommended by the university but not required. However, certain research agreements or ethics protocols may require an assessment.
Upon completion, the requester will receive a report from the Research Information Security team detailing:
- Triaged security priorities
- General findings
- Recommendations for risk mitigation
Timelines vary based on workload and the complexity of the assessment. The Research Information Security team strives to complete assessments in a reasonable timeframe and recommends requesting a research cyber risk assessment early in the project.
While a research cyber risk assessment provides recommendations and guidance to mitigate risks, the Research Information Security team does not implement these recommendations on your behalf. However, we can assist you and your local technical staff with clarification where needed.
Last modified: May 28, 2025
