SoS Musings #6 - Toward Improving Security

SoS Musings #6

Toward Improving Security

This year the National Academies Press published A Consensus Study Report of the National Academies of Sciences, Engineering, and Medicine. 2017. Foundational Cybersecurity Research: Improving Science, Engineering, and Institutions. Washington, DC: The National Academies Press. It is focused on strategies rather than recommendations. The committee’s analysis was organized under the four following broad aims for cybersecurity research:

• Support, develop, and improve security science—a long-term, inclusive, multidisciplinary approach to security science.
• Integrate the social, behavioral, and decision sciences into the security science research effort, since all cybersecurity challenges and mitigations involve people and organizations.
• Integrate engineering and operations for a life-cycle understanding of systems.
• Sustain long-term support for security science research providing institutional and community opportunities to support these approaches.

It is interesting to compare the ongoing research programs and initiatives, reported on the VO, to the strategies. Some form of all four strategies are represented.  What appears weak is a strategy to transition research to practice.

The New York State Department of Financial Services (NYDFS) proposed a broad set of regulations for banks, insurers, and other financial institutions in 2016. NYDFS issued a set of regulations called “Cybersecurity Requirements for Financial Services Companies” which became effective March 1st 2017.  The individual requirements are being phased in over two years. August 28th 2017 ended an initial 180-day transition period requiring:  The Formal Risk-Based Cybersecurity Program, 14-Point Cybersecurity Policy, Seven-Point Incident Response Plan, A Qualified Chief Information Security Officer, Continuously Trained Cybersecurity Personnel, Limited User Access Privileges, 72-Hour Notice of Certain Events. NYDFS is mandating rules requiring financial institutions to take certain measures to safeguard their data and inform state regulators about cybersecurity incidents which is intended to thwart future cyberattacks and protect consumers. It does not follow NIST Framework guidelines but creates its own. Other states are watching and some are inclined to do the same. The effect of having multiple specifications on security science is unclear.