Mitigating Your Research Security Risks

Research security risk mitigation aims to reduce the likelihood and impact of risks to a level that is acceptable to the researcher, their institution, the federal research funding organization, and the Government of Canada.

This page offers information that can be used for the development of risk mitigation plans. Other resources that provide best practices to protect Canadian research include the following two guides:

Why is developing a risk mitigation plan important?

Risk mitigation plans should identify the appropriate mitigation measures to reduce the likelihood of an identified security risk materializing, and/or to lessen the impact in case the identified risk materializes. Having a risk-targeted mitigation plan in place will secure the research project while pursuing open and collaborative research partnerships that benefit Canada.

All researchers, whether or not they seek federal funding, can use this guidance to develop their risk mitigation plan when establishing and/or continuing research partnerships with national, international and multinational partners.

Who should be involved in the development of a risk mitigation plan?

A risk mitigation plan should be developed with your institution. The institution’s corporate support services (e.g., IT, security, legal) should also be involved to confirm the viability and feasibility of the proposed measures.

What are mitigation measures?

Mitigation measures should be tailored to the research project and commensurate with the risks identified while considering open science principles. Examples of risk mitigation measures include, but are not limited to:

  • Training Courses (e.g., research security, cyber security, and intellectual property training)
  • Guidance on how to identify, assess and mitigate security risks to research, including best practices, published by Government of Canada departments and agencies
  • Research partnership agreements that include clauses to protect intellectual property and technology transfer
  • Data management plans
  • Cyber security plans
  • Establishing internal protocols to restrict access to research facilities for partners and personnel to an “as needed” basis
  • Ensuring internal regular reporting mechanisms are in place on the implementation and effectiveness of the proposed risk mitigation measures

The Government of Canada recognizes the importance of making Canadian science open to all, maximizing benefits for the well-being, health, and economy of our country. Open Science is the practice of making scientific inputs, outputs, and processes freely available to all with minimal restrictions. Scientific research outputs include peer-reviewed science articles and publications; scientific and research data; and public contribution to and dialogue about science. Open Science is enabled by people, technology and infrastructure. It is practiced in full respect of privacy, security, ethical considerations, and appropriate intellectual property protection.

Additional guidance on principles, tools, and resources for research data management can be found in the Frequently Asked Questions of the Tri-Agency Data Management Policy.

A risk mitigation plan could cover areas such as, but not limited to:

1. Building a Strong Research Team

The integrity of your research relies heavily on knowing and trusting the people who make up your research team (e.g., researchers, fellows, and graduate students). In sensitive research areas, people may be more motivated to misrepresent themselves to gain access to information. Strong, trust-driven research teams set the foundation to pursue research in sensitive areas with a high degree of confidence. There are several best practices that can help mitigate these risks:

  • Verify all team members' professional history and assess alignment with the research objectives for this project: Conduct appropriate reference and background checks on all members of the research team. Are their credentials, publications and affiliations in line with what they told you? Consider asking colleagues who have previously worked with the individual within or outside of your organization to confirm any information on the individual’s history and research affiliations. In addition to that, one can review and verify an individual’s publication history through SCOPUS or a similar tool.
  • Assess existing or potential conflicts of interest or affiliation that would impede collaboration with any team member: Ask yourself, "Could the interests or affiliations of a team member compromise the integrity of the team’s research in a manner that jeopardizes Canada’s national and economic security?".
  • Discuss project risks internally and make a plan for their mitigation, involving external team members as appropriate: Brainstorm potential project security risks with your team. Researchers can use the online risk register template to assess whether the practices of your collaborator(s) and/or collaborating institution(s) are consistent with your institution's standards on ethics and research conduct. Ask yourself whether all aspects of the project, regardless of where the work is or was performed, would pass ethics review at your institution.

2. Assessing the Alignment of Your Partners' Motivations With Your Own

Collaboration with partner organizations can bring significant benefits. When working with partner organizations, it is important to verify alignment of their motivations with your research objectives and that your partner organization does not have ulterior motives. There are several best practices that can help mitigate these risks:

  • Verify that the motivations of all partners are clear and aligned with the goals of the research team, including any expectations about intellectual property: Ask the partner directly what they expect from the research team throughout the duration of the project in terms of everyone’s roles, responsibilities, and deliverables. It is also important to ask what the partner hopes to gain from the research project once it has been successfully completed (e.g., access to new intellectual property or the commercialization of the research results).
  • Assess if the partner's governance structure is transparent and whether the ultimate beneficiary of their collaboration on your project is clear: Conduct your own open source due diligence by looking at your partner’s website to identify who leads the organization and if there are any linkages to foreign governments, organizations, and/or actors. Ask yourself, “Are there any information gaps that exist?”.
  • Explore if other academics have had positive experiences collaborating with this partner organization: Reach out to researchers across your institution and at other institutions to gather valuable information on past experiences and solutions to address potential concerns.
  • Assess whether the practices and contributions of your partner(s) are consistent with the standards on ethics and research conduct at your own institution: Ask yourself whether any contributions (e.g., data, IP) are consistent with your institution’s policies and/or Canadian laws. Open source due diligence can be used to verify that your research partner’s intentions and relationships are clear and appropriate for your project. This will help you assess potential risks to your intellectual property, stay in control of your research, and ensure that the partnership meets its intended goals. For more information on conducting open source due diligence, researchers are encouraged to reference the Government of Canada’s voluntary guide titled Conducting Open Source Due Diligence for Safeguarding Research Partnerships.

3. Using Sound Cybersecurity and Data Management Practices

The emergence of new technology has opened the doors to greater research collaboration by facilitating the sharing of data and results in real time. It is important to verify that adequate cybersecurity and data management policies, practices, and infrastructure are in place and agreed on by all research team members and partners to maintain the integrity and intended ownership of the research.

  • Verify that all team members have completed cyber hygiene and data management training: Discuss appropriate training options with your Chief Information Officer (CIO) or with the relevant person in your institution who is responsible for maintaining strong cyber hygiene and data management practices.
  • Assess if the data management and cybersecurity measures needed to adequately protect research integrity are in place across all partners: Consult and engage with your institution on the policies and practices in place. Internal research and IT services should also be involved. Public Safety Canada and the Canadian Centre for Cyber Security offer resources and best practices.
  • Focus on addressing divergent cybersecurity and data management practices and decide on a mutually acceptable approach to securing your research data: Verify that your organization has a strong security posture as it will assist in protecting core assets, including research data and results. It is good practice to identify areas of vulnerability within an organization’s infrastructure and business processes that could contribute to unauthorized access to research methods, techniques, and results. When reflecting on existing divergences, ask yourself, "Given the sensitivity of the research topic and data, what is the level of risk associated with a breach and what is the probability it may occur?".
  • If professional or personal international travel is expected during the project, agree to a protocol for device management: Consult the Travel security guide for university researchers and staff for more information on how to protect your research when travel within or outside of Canada is required.

4. Agreement on Intended Use of Research Findings

The publication of research findings and the generation of intellectual property are lucrative within the academic community. Partner organizations that are involved in a research project may have different views on the intended use of the research. There are several best practices that can help to confirm that the researcher and partner organization are aware and agree on the potential use of the research and its results:

  • Agree to a plan of how and when you will share details about the project, including publication, conferences, teaching, mass media, social media and personal communication. This will increase effectiveness and minimize disagreement later: Consult the Communications in Health Care Improvement toolkit that has been published by the UK’s Health Foundation. This resource provides an introduction on how to increase your understanding and use of communications to better plan, implement, and spread your research work.
  • Assess the potential value of any project-related IP and what you need to do to protect it: Ask yourself, "What types of IP could be generated through this research project? What do we need to do to preserve the value of this IP?"
  • Ensure all collaborators and partners have agreed on how IP will be handled: Consult the appropriate contacts at your institution to better understand your institution's policies with respect to IP, as well as how internal policies, laws and enforcement measures might vary across relevant institutions and jurisdictions.
  • Discuss how restrictions on academic freedom or commercial interests may impact the research project and the communication of research results: Ask yourself, "Do the restrictions imposed on communicating results have potentially harmful impacts on the integrity of our research or our ability to publish results?"
  • Ensure all collaborators and partners are comfortable with the likely uses of any research results: Brainstorm with your team the likely uses of the results of the project, then ask members if they remain comfortable proceeding with the project.
  • Ensure mechanisms exist that guarantee that any researcher involved in the project is able to use the results to complete their studies: Verify with the appropriate contacts at your institution what measures exist at your institution and make all partners and collaborators aware of this requirement. Participants in NSERC-supported research must ensure that a researcher’s graduation is not impeded by intellectual property issues, and must support the publication of results in the open literature. See the Policy on Intellectual Property for more information.