5 Institutional Opportunities to Improve Security Science
Pages 54-68


From page 54...
... The research cultures that have developed in the security community and in affiliated disciplines will increasingly need to adjust to embrace and incorporate lessons and results not just from a wider variety of disciplines, but also from practitioners, developers, and system administrators who are responsible for securing real-world operational systems. This chapter first explores opportunities to improve research practices, structural approaches that can help in interdisciplinary environments, and ways to address security science in federal research programs.
From page 55...
... Given the dynamic and rapidly evolving nature of the cybersecurity problem, the research community itself has struggled to develop a sustained science of security. The CRA memo above suggests that computing research in general suffers from counterproductive incentives related to publication quantity and an emphasis on short-term results.2 Of course,
From page 56...
... An effective security science demands (among other things) replication of studies in different contexts, not only to verify the results stated in already-published papers, but also to help determine in which other contexts the results hold.
From page 57...
... With regard to experimental methods and investigational approaches, there are opportunities for cybersecurity researchers to learn from the ways that other disciplines communicate about methodology. For instance, if a project involves human subjects, then make clear the characteristics of the subject pool from which the subjects were drawn, what the selection mechanism was, and what the pool's general demographics were.3 Other questions to consider are the following: How are the subjects compensated for their time?
From page 58...
... The committee identified the seemingly prosaic function of publication practices as the following potentially effective leverage points:
• Encourage structured abstracts5 -- structured abstracts facilitate rapid comprehension, are easier to read, facilitate effective peer review, are more easily evaluated and comprehended, and lend themselves more readily to meta-analyses.
• Encourage clear statements of the research questions and how results relate to improving the understanding or management of real-world problems.
From page 59...
... The assessment process itself should be under ongoing scrutiny to prevent this.

STRUCTURAL APPROACHES TOWARD IMPROVED INTERDISCIPLINARITY

To achieve effective interdisciplinary outcomes, work will need to be done across disciplinary boundaries -- incorporating experts from many disciplines as well as individuals with deep expertise in more than one discipline.7 There are often institutional impediments related to the difficulties of interdisciplinary work -- for instance, regarding the respect members of one discipline give members of other disciplines; ensuring that cultural differences across disciplines reflecting conventions for documenting studies and their results are respected; and appropriate incorpo

6 Proceedings of the IFIP Working Group, Workshop on The Science of Cyber Security, 2015, Bristol, U.K.
From page 60...
... The resulting report, Enhancing the Effectiveness of Team Science,8 offers policy recommendations for science research agencies and policymakers along with recommendations for individual scientists and universities. A separate effort explored the challenge of interdisciplinary research specifically at the intersection of computing research and sustainability.
From page 61...
... In addition to applying knowledge from other disciplines to the cybersecurity challenge, foundational cybersecurity efforts would also benefit from a deeper understanding of methods from other disciplines and how they might apply to cybersecurity. Applying methods of social, behavioral, and decision sciences in cybersecurity research, where appropriate, is a way to enhance foundational approaches and also to open up potentially fruitful areas of insight and inquiry that more traditional technically focused agendas might overlook.
From page 62...
... Sponsors of cybersecurity research need to create the conditions that make it worth their while to work on these issues. If successful, cybersecurity research will benefit not only from the substantive knowledge of the social, behavioral, and decision sciences, but also from absorbing their research culture, with respect to theory building, hypothesis testing, method validation, experimentation, and knowledge accumulation -- just as these sciences will learn from the complementary expertise of the cybersecurity community.
From page 63...
... The committee urges an emphasis on situating research efforts in security science within the framework outlined in this report, which can help spotlight high-leverage opportunities for impact, and on thinking about how those opportunities can be translated into practice and deployed at scale. This goes beyond a traditional technology transfer challenge -- which is hard enough -- to connecting research results with anticipated social, behavioral, and organizational implications and with what practitioners understand about managing the full life cycle of deployed technologies.
From page 64...
... Thus, in addition to monitoring technology transfer of applied or incremental results, sponsors can consider the following ways of assessing research:
• Publication of research results in high-quality journals or conference proceedings is the canonical indicator of research quality. To the extent that journals or conferences include editors, reviewers, or program committee members from development organizations and from other disciplines, their selections may be an especially useful indication of the long-term value of research (see also the next point)
From page 65...
... However, all may be worth sponsors' consideration as they evaluate their research programs and associated projects they have chosen to sponsor and researchers they have chosen to support.

MISSION CRITICALITY

The committee was also asked to consider how foundational efforts in cybersecurity bear on mission-critical applications and challenges, such as those faced by agencies in the Special Cyber Operations Research and Engineering (SCORE)
From page 66...
... In classified environments whose systems need to be secured, different kinds of security training might be done and different controls in terms of configuration and processes put in place than are likely in most private-sector organizations. This could have an impact on how effective certain security approaches and tools are -- but the general point that social, behavioral, and decision sciences in tandem with technical cybersecurity research can help inform better choices in terms of people, processes, and institutional policies still holds.
From page 67...
... The fact that these systems are designed, developed, deployed, and used by humans, and that humans are also the adversaries behind attacks on them, means that the work done in the social, behavioral, and decision sciences will be critical. Deepening our understanding of humans and human organizations, and linking that understanding to more traditional research in cybersecurity, is necessary to develop a robust security science and to deploy systems most effectively so that they do what they were designed to do, to say nothing of securing them against human adversaries.

