http://www.symantec.com/content/en/us/about/presskits/SES_report_Feb2010.pdf
Thanks to big yellow for not making us register! Oh, and Adam thanks you for not using pie charts…
Tag Archive for 'research'
I’m starting on an academic-oriented research project and I’m looking for collaborators, contributors, reviewers, etc.
The topic is the arms race between attackers and defenders from the perspective of innovation rates and “evolutionary success” – the Red Queen problem (running just to stand still). Here’s a sample research question: “can bureaucracies (defenders) keep up with a decentralized black market (attackers)?”, and similar. Answering these research questions would have policy implications on the effectiveness of regulation/mandates vs. incentive-based approaches, R&D policy, etc.
Sail shells from Borneo shaped by a Red Queen arms race with their main predator (a slug of the genus Atopos)
I want to focus primarily on theoretical models, but I’m also keen on grounding them in reality. If I can present some empirical data on the rate of innovation for various players as calibration, that would be superb.
On the theory side, I will be drawing from Evolutionary Ecology (host-parasite co-evolution, adaptive landscapes), Political Economy (models of *real* arms races), Computational Social Science (agent-based models, genetic algorithms, evolutionary game theory), and Economic-Engineering models of innovation and organization learning (risk/reward, optimal investment, etc.). I will also draw on “computable economics” that attempts to measure the information processing/learning capabilities of central planning vs. markets, etc.
Regarding empirical data, I would be interested in any of the following:
- Rate of innovation in the underlying information and IT environment
- What’s the half-life of the IT architecture in a large organization?
- What’s the product life for computing platforms?
- What’s the innovation rate for new forms of information or information standards (e.g. XML)?
- Rate of innovation in attacker tools, methods, and capabilities
- Timeline of major innovations (first appearance and widespread use)
- Time between discovery of vuln and widespread availability of exploit
- % of exploits that are Zero-day vs. known/resolved vulns
- Regime change in time series data that signals a major innovation (e.g. the phishing boom)
- Appearance rate of new monetization schemes, etc.
- Rate of innovation in defender tools, methods, controls, and capabilities
- Lifecycle of major technology solutions (products or products+services)
- What’s the half-life of corporate security policies? How often do policy manuals or training need to be completely redone?
- How long does it take to evaluate, test, and widely deploy some new capability? (e.g. web application security after 2000)
- Rate of innovation in regulations, standards (e.g. PCI-DSS), and other top-down mandates
- How long does it take to design and publish?
- How often are they updated and revised?
- How much forward-looking investigation do they do to anticipate future information security environments or threats?
- Evolution processes in the “Black Hat ecosystem
- Evolution processes information security technology and professional services ecosystem
Of course, this list is extremely broad. I’m all in favor of narrowing down to a particular security domain and ecosystem. Please make suggestions! Pointers to existing empirical reports are most welcome! Please email me privately (russell.thomas A-T meritology D-O-T com) if you are interested in collaborating or contributing in any way. Ideally, I’d like to have a paper ready to submit to WEIS, in Feb. Grad students welcome!
– Hi, Alex here, today I want to welcome guest blogger Russell Thomas. Those on the metrics mailing list are already pretty familiar with Russell, and we’re delighted to have him post with us. For those who don’t know Russell, an independent consultant specializing in modeling the business value and risks of information technology. Even though he’s got an EE degree, he’s more of a business guy than a technologist, and certainly not an InfoSec technologist. For the last four years, he’s been focused on research to advance the state of the art in the economics of InfoSec. Russell lives in the Bay Area.–
There might be more US government research funding for security metrics in coming years. This is hugely important because there are major unsolved research problems in security metrics and incentives. This has been known for years. It’s also been well known that funding for research in this area (both public and private) has been chronically low.
But this depends on whether the US Feds and Congress are be persuaded by the report from the NCLY Summit held recently. The Summit report will be published in few weeks. I hope they succeed this time, but I have doubts. Either way, the NCLY is not a good model for public-private collaboration going forward.
In case you haven’t heard, 2008-9 was “National Cyber Leap Year” (NCLY) in the US. It has been sponsored by the White House Office of Science and Technology Policy (OSTP) and the Network and Information Technology R&D council (NITRD). The main and final event was the invitation-only National Cyber Leap Year Summit, held Aug. 17-20. The Summit reports are now being written and will be made public in few weeks. (My focus is on “Cyber Economics” track, one of five tracks, because it was most relevant to security metrics and associated incentives.)
I wasn’t at the Summit, but I was involved both before and after, and my doubts arise because of the preparation and collaboration process leading up to it (or lack thereof). People who were at the Summit have blogged about what happened there:
In a nutshell, here’s why I’m critical about the NCLY process:
- Most of the year was wasted on redundant RFIs,
- The Summit had inadequate preparation and pre-work
- The Summit itself was a glorified brainstorming process, which isn’t adequate to deal with problems and ideas of this depth and complexity
- The organizers missed the opportunity to promote true collaboration through out the year.
- There is no follow-on process other than to submit the recommendations to the sponsors.
(I also have concerns about who participated and who didn’t, based on the blog posts above. But since the participant list isn’t public and I wasn’t there, I won’t comment further.)
Maybe NCLY will lead to good things in spite of the shortcomings in the process. I hope so. But I’m blogging about this with hopes that the next public-private collaboration will be done much better. Keep reading if you want to know the details…
Continue reading ‘National Cyber Leap Year: Without a Good Running Start, There Might Be No Leap’
What You’ve Said