Science of Security

In anticipation of the challenges in securing the cyber systems of the future, we must develop an organized, cohesive foundation to the body of knowledge that informs the field of cybersecurity. Currently, we spend considerable intellectual energy on a patchwork of targeted, tactical activities, some of which lead to significant breakthroughs while others result in a seemingly endless chase to remedy individual vulnerabilities with solutions of limited scope.

A more fruitful way to ground research efforts, and to nurture and sustain progress, is to develop a science of security. Developing a strong, rigorous scientific foundation to cybersecurity helps the field in the following ways:

• Organizes disparate areas of knowledge – Provides structure and organization to a broad-based body of knowledge in the form of testable models and predictions
• Enables discovery of universal laws – Produces laws that express an understanding of basic, universal dynamics against which to test problems and formulate explanations
• Applies the rigor of the scientific method – Approaches problems using a systematic methodology and discipline to formulate hypotheses, design and execute repeatable experiments, and collect and analyze data

Research is required to develop:

• Methods to model adversaries
• Techniques for component, policy, and system composition
• A control theory for maintaining security in the presence of partially successful attacks
• Sound methods for integrating humans in the system: usability and security
• Quantifiable, forward-looking security metrics (using formal and stochastic modeling methods)
• Measurement methodologies and testbeds for security properties
• Comprehensive, open, and anonymized data repositories