Premium
Risk and the Five Hard Problems of Cybersecurity
Author(s) -
Scala Natalie M.,
Reilly Allison C.,
Goethals Paul L.,
Cukier Michel
Publication year - 2019
Publication title -
risk analysis
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.972
H-Index - 130
eISSN - 1539-6924
pISSN - 0272-4332
DOI - 10.1111/risa.13309
Subject(s) - computer security , risk analysis (engineering) , computer science , agency (philosophy) , software deployment , composability , united states national security agency , scalability , field (mathematics) , realm , national security , business , political science , software engineering , distributed computing , philosophy , mathematics , epistemology , database , pure mathematics , law
This perspectives article addresses risk in cyber defense and identifies opportunities to incorporate risk analysis principles into the cybersecurity field. The Science of Security (SoS) initiative at the National Security Agency seeks to further and promote interdisciplinary research in cybersecurity. SoS organizes its research into the Five Hard Problems (5HP): (1) scalability and composability; (2) policy‐governed secure collaboration; (3) security‐metrics–driven evaluation, design, development, and deployment; (4) resilient architectures; and (5) understanding and accounting for human behavior. However, a vast majority of the research sponsored by SoS does not consider risk and when it does so, only implicitly. Therefore, we identify opportunities for risk analysis in each hard problem and propose approaches to address these objectives. Such collaborations between risk and cybersecurity researchers will enable growth and insight in both fields, as risk analysts may apply existing methodology in a new realm, while the cybersecurity community benefits from accepted practices for describing, quantifying, working with, and mitigating risk.