Economics of Security and Continuous Assurance
Since 2013 each Computational Cybersecurity in Compromised Environments Workshop (C3E) has introduced Challenge Problems. One of the goals of the Challenge Problems is to advance the ideas developed at the Workshop into research projects that will lead to actual implementable solutions.
C3E is presenting multiple options for the 2020 Challenge Problems based on both the 2020 and 2019 C3E themes.
As the DoD, the IC, and the Nation face enduring challenges, and as the demand for software/system innovation and cybersecurity evolves and intensifies, the need is clear for software-enabled systems to:
- Be timely to enable the fielding of new software-enabled systems and upgrades
- Be trustworthy in development and implementation
- Be affordable, such that the cost of acquisition and operations is reduced and predictable despite increased security and capability.
For 2020, C3E sought to consider new approaches to system assurance: migrating security and features/capabilities to high assurance by realizing economies of scale and by continuous development/integration.
Given the necessity of meeting virtually this year, a series of discussion sessions was devised and held throughout the summer as a replacement for the traditional in-person C3E working meeting. These discussion sessions focused on new approaches to the C3E 2020 Workshop themes of Economics of Security and Continuous Assurance, and their integration. The following topic areas were discussed during these sessions:
- Continuous Reasoning
- Pay-As-You-Go Assurance
- Agile Approaches supported by DevSecOps Practices
- The Economics of Security / Business Models for Secure System Engineering
- Interactive Code Analysis
- The relative merits of Efficiency and Resilience
- How to stimulate appropriate levels of investment
For the concluding session, six participants briefly shared their thoughts and insights on the continuous reasoning and economics of security themes and their intersection, based on the presentations during the run-up sessions.
Ultimately the 2020 C3E discussion series advanced ideas into potential research projects that will lead to advances in Economics of Security, Continuous Reasoning, and their integration. We are soliciting proposals and will select 6-10 independent researchers to identify and explore specific issues; we have approved NSF funding to pay a small honorarium for each researcher's effort. The results of the research will be presented at the 2021 C3E Workshop as well as in other venues or publications.
2020 Challenge Problems (CP)
For 2020, challenge problems are posed for research and preparation of papers and presentations at the 2021 C3E Workshop, based on the themes of Economics of Security and Continuous Assurance. We will be engaging 6-10 researcher groups or individuals on a part-time basis to identify and explore specific issues developed through the 2020 C3E discussion series, with the goal of presenting their findings at the 2021 C3E Workshop. We have an approved NSF funding source to pay a small honorarium ($2.5K to $10K) for these research efforts.
Economics of Security
Some suggested research questions:
- What new approaches to system assurance are created by developing economically rational formal methods, metrics, and tools? How can these tools leverage the migration of security features to achieve higher assurance?
- Should these tools be evaluated? If so, by whom, and by what means are they curated and promulgated?
- How do these approaches contribute to economies of scale and to continuous development and integration?
- How can open-source software contribute to economies of scale in the development and implementation of secure systems?
- How does the development of advanced technology tools such as AI and ML contribute to cost effectiveness and to full utilization of human capital?
- How can customers be incentivized to invest in security systems beyond simple compliance?
- What does an enterprise-level analysis of security investment look like?
- Do economists shy away from addressing cybersecurity, and therefore its economic impacts, because of a lack of domain knowledge?
- What can be learned from major corporations' use of code analysis processes to support "C-suite" continuous assurance investment decisions?
- What is Government's role in communicating the importance of applying security in the design of products, and what policy or regulation is needed?
Continuous Assurance
Some suggested research questions:
- What new approaches to system assurance are created by developing advanced technologies such as AI and ML to support rational formal methods, metrics, and tools? How can these technology tools leverage the migration of security features to achieve higher assurance?
- How do these approaches contribute to economies of scale and to continuous development and integration?
- To what extent can these technologies contribute to autonomic and automated security?
- What are the optimum tradeoffs between efficient system development adapted to an existing environment versus resilience, which requires adaptation to disruptive changes in the environment?
- What is the demonstrated value of measuring the use of formal methods in software development, and in which industries/applications is it most appropriate?
- What human education and awareness programs are required to address system reliability, including the evolution of academic curricula?
C3E 2019 Themes
The C3E 2019 themes of Cognitive Security and Human-Machine Teaming offer another option for the 2020 Challenge Problem. Researchers are encouraged to apply lessons learned and outcomes from C3E 2019 to the Economics of Security and Continuous Assurance themes for the 2020 year. See the C3E 2019 conference information for details.
Open Option
You may suggest another research topic related to the C3E 2020 conference themes.
C3E 2020 Challenge Problem Process
Tasks.
The anticipated outcome will include a description of the critical security events considered and the reasoning process followed by the researcher. That process may include details on how the research was taken into account, and on possible issues or limitations in the support automation provides for addressing one of the themes. Another option is an in-depth examination of one of the themes, with documentation of the strengths and weaknesses of candidate solution approaches. A researcher might also prepare software to demonstrate an approach. Because the project is federally funded, such sample software should be released as open source and posted to the CPS-VO web site when completed.
Deliverables.
Researchers will prepare a short and a long version of a slide presentation to be given at C3E 2021, a poster, and an article suitable for publication in a major academic venue. If a software demonstration is prepared, that material can be incorporated into the presentation and paper. The conference may be virtual.
If you are interested, please send a short description of your proposal to Dr. Don Goff, co-PI with Dan Wolf for the Challenge Problem, at dgoff[at]cyberpackventures[dot]com by January 31, 2021. The proposals will be peer reviewed and 6-10 will be selected for funding, with announcements around February 28, 2021. The awards will be in the form of an honorarium and will not provide sufficient support for full-time engagement.
Additional details will be provided via email to the workshop participants and the CPS-VO website.