I’m starting on an academic-oriented research project and I’m looking for collaborators, contributors, reviewers, etc.
The topic is the arms race between attackers and defenders from the perspective of innovation rates and “evolutionary success” – the Red Queen problem (running just to stand still). Here’s a sample research question: “can bureaucracies (defenders) keep up with a decentralized black market (attackers)?”, and similar. Answering these research questions would have policy implications on the effectiveness of regulation/mandates vs. incentive-based approaches, R&D policy, etc.
Sail shells from Borneo shaped by a Red Queen arms race with their main predator (a slug of the genus Atopos)
I want to focus primarily on theoretical models, but I’m also keen on grounding them in reality. If I can present some empirical data on the rate of innovation for various players as calibration, that would be superb.
On the theory side, I will be drawing from Evolutionary Ecology (host-parasite co-evolution, adaptive landscapes), Political Economy (models of *real* arms races), Computational Social Science (agent-based models, genetic algorithms, evolutionary game theory), and Economic-Engineering models of innovation and organization learning (risk/reward, optimal investment, etc.). I will also draw on “computable economics” that attempts to measure the information processing/learning capabilities of central planning vs. markets, etc.
Regarding empirical data, I would be interested in any of the following:
- Rate of innovation in the underlying information and IT environment
- What’s the half-life of the IT architecture in a large organization?
- What’s the product life for computing platforms?
- What’s the innovation rate for new forms of information or information standards (e.g. XML)?
- Rate of innovation in attacker tools, methods, and capabilities
- Timeline of major innovations (first appearance and widespread use)
- Time between discovery of vuln and widespread availability of exploit
- % of exploits that are Zero-day vs. known/resolved vulns
- Regime change in time series data that signals a major innovation (e.g. the phishing boom)
- Appearance rate of new monetization schemes, etc.
- Rate of innovation in defender tools, methods, controls, and capabilities
- Lifecycle of major technology solutions (products or products+services)
- What’s the half-life of corporate security policies? How often do policy manuals or training need to be completely redone?
- How long does it take to evaluate, test, and widely deploy some new capability? (e.g. web application security after 2000)
- Rate of innovation in regulations, standards (e.g. PCI-DSS), and other top-down mandates
- How long does it take to design and publish?
- How often are they updated and revised?
- How much forward-looking investigation do they do to anticipate future information security environments or threats?
- Evolution processes in the “Black Hat ecosystem
- Evolution processes information security technology and professional services ecosystem
Of course, this list is extremely broad. I’m all in favor of narrowing down to a particular security domain and ecosystem. Please make suggestions! Pointers to existing empirical reports are most welcome! Please email me privately (russell.thomas A-T meritology D-O-T com) if you are interested in collaborating or contributing in any way. Ideally, I’d like to have a paper ready to submit to WEIS, in Feb. Grad students welcome!
What You’ve Said