I’m starting on an academic-oriented research project and I’m looking for collaborators, contributors, reviewers, etc.

The topic is the arms race between attackers and defenders from the perspective of innovation rates and “evolutionary success” – the Red Queen problem (running just to stand still).  Here’s a sample research question: “can bureaucracies (defenders) keep up with a decentralized black market (attackers)?”, and similar.    Answering these research questions would have policy implications on the effectiveness of regulation/mandates vs. incentive-based approaches, R&D policy, etc.

Sail shells from Borneo shaped by a Red Queen arms race with their main predator (a slug of the genus Atopos)

 I want to focus primarily on theoretical models, but I’m also keen on grounding them in reality.  If I can present some empirical data on the rate of innovation for various players as calibration, that would be superb.

On the theory side, I will be drawing from Evolutionary Ecology (host-parasite co-evolution, adaptive landscapes), Political Economy (models of *real* arms races), Computational Social Science (agent-based models, genetic algorithms, evolutionary game theory), and Economic-Engineering models of innovation and organization learning (risk/reward, optimal investment, etc.).   I will also draw on “computable economics” that attempts to measure the information processing/learning capabilities of central planning vs. markets, etc.

Regarding empirical data, I would be interested in any of the following:

• Rate of innovation in the underlying information and IT environment
  • What’s the half-life of the IT architecture in a large organization?
  • What’s the product life for computing platforms?
  • What’s the innovation rate for new forms of information or information standards (e.g. XML)?
• Rate of innovation in attacker tools, methods, and capabilities
  • Timeline of major innovations (first appearance and widespread use)
  • Time between discovery of vuln and widespread availability of exploit
  • % of exploits that are Zero-day vs. known/resolved vulns
  • Regime change in time series data that signals a major innovation (e.g. the phishing boom)
  • Appearance rate of new monetization schemes, etc.
• Rate of innovation in defender tools, methods, controls, and capabilities
  • Lifecycle of major technology solutions (products or products+services)
  • What’s the half-life of corporate security policies?  How often do policy manuals or training need to be completely redone?
  • How long does it take to evaluate, test, and widely deploy some new capability?  (e.g. web application security after 2000)
• Rate of innovation in regulations, standards (e.g. PCI-DSS), and other top-down mandates
  • How long does it take to design and publish?
  • How often are they updated and revised?
  • How much forward-looking investigation do they do to anticipate future information security environments or threats?
• Evolution processes in the “Black Hat ecosystem
• Evolution processes information security technology and professional services ecosystem

 Of course, this list is extremely broad.  I’m all in favor of narrowing down to a particular security domain and ecosystem.  Please make suggestions!  Pointers to existing empirical reports are most welcome!  Please email me privately (russell.thomas A-T meritology D-O-T com) if you are interested in collaborating or contributing in any way.  Ideally, I’d like to have a paper ready to submit to WEIS, in Feb.  Grad students welcome!