Science of Security Joint Statement of Understanding (2011)
This is a joint statement of understanding between agencies of the Canadian, United Kingdom and United States governments on the subject of "Security Science", known respectively within these nations as "Science of Security", "IA Science" and "Science of IA" (IA: Information Assurance). This statement is based on output from an IA Science Workshop held in May 2010. It describes our collective understanding of the problem space, why we believe IA requires a stronger foundation today, and the body of work required to deliver it.
Security is still an art
With the exception of cryptography, we lack a proper scientific basis for Information Assurance today. Security is now a much broader field, and because of the rising complexity of networks and services, the risk exposure of our operational systems is increasingly difficult to assess. Yet we need to make that assessment more quickly than ever before. Although we have a great deal of process and methodology, the underlying appraisal of possible weaknesses is still highly subjective: it is carried out by individuals, based on their own level of skill and experience. We often measure security by the process followed rather than by objective measures of outcome. It is also difficult to carry out trade-offs, that is, to determine how to get the most effective security from limited resources. We cannot currently quantify the effectiveness of different security technologies or policies, and we cannot objectively assess the security of a system or an organization.
There are systemic problems in the way security is perceived. These have wide-ranging impact, for example on the rate of compliance in the user community, on the motivation of security professionals, and on risk decision-making by mission leaders.
In addition, we have a mindset which is focused on defending against known attacks. There is a general lack of awareness of the limitations of security technologies, particularly with regard to previously unseen attacks. We react to attacks we see, after they have succeeded. There is little appetite to contemplate or debate the extent of the attacks we may not be detecting. We need to move away from this reactive model towards pre-emptive defence based on foundational principles.
A foundational science for security
In the context of security, science can be thought of as knowledge that results in correct predictions or reliable outcomes. The "Science of Security" resides in a particularly complex area, at the intersection of the behavioral sciences, the formal sciences and the natural sciences. We identify a set of seven core themes that together form the foundational basis for our discipline. The themes are strongly inter-related, and mutually inform and benefit each other. They are:
Core theme: Common language
This theme seeks ways to express security in a precise and consistent way. This is a vital foundational requirement: without it we cannot express, let alone develop, our understanding of security. Languages do not have to be textual; they may be symbolic, graphical or model-based. However, they must have an agreed-upon semantics. All other themes will drive requirements for language. Examples include: Can we define a modeling language to express the security aspects of a system architecture? Can we develop new visualization techniques to describe the output of risk assessments? Can we find a language to express core principles such as trust relocation?
Core theme: Core principles
Security is lacking in foundational principles and in fundamental definitions of its concepts. There is a body of work to draw upon, and some well-established terms, such as the principle of least privilege or defence in depth. Definitions, however, tend to vary, and there is little guidance on practical application, where security principles are often in direct conflict with other design principles. Complicating this further, we often compose principles in an ad hoc fashion without truly understanding the implications. There are other areas where new principles may be developed, dealing with topics such as trust relocation and the composition of security properties.
Core theme: Attack analysis
The deepest understanding of security is obtained when it is informed by the attacker's perspective. As government bodies, we have excellent access to attack information and data. Proper management and analysis of this data could deliver many and varied benefits. It could help justify security investment, and support balanced trade-offs between different security options and the application of core principles. It could help address problems in the public perception of security by making the deliverable more tangible. Careful analysis may also help us estimate where we are not detecting attacks.
Core theme: Measurable Security
A raft of work is required to explore techniques for measuring security and to develop the underlying economic model. Measurements must capture not just technical properties, but also the influence of security policy and user behaviour. It is important to be able to carry out trade-offs between security, usability, functionality and cost, to enable better informed investment decisions. We need to be able to measure and compare the security of individual products, of system architectures, and of an entire organization.
Core theme: Risk
Work is required to improve the quality and consistency of risk assessment. Much of the work in this field has focused on process and methodology, but the assessment itself is still based on individual expertise. Our desire is for risk assessment to become more consistent and less subjective. Research is required to measure the level of variability in risk decision-making and to determine its underlying rationale.
Core theme: Agility
IA services in general need to become more agile, reflecting the more dynamic environment in which systems now reside. We need to be able to respond to an evolving threat landscape and to rapidly evolving technology. We need to be able to assess threat and risk much more quickly, and to detect and respond to attacks on our systems in real time.
Core theme: Human Factors
This theme addresses the factors affecting people's security-relevant behaviour. It covers issues such as how to make the intangible benefits of IA visible; how to secure the optimum psychological contract for user compliance; the most effective way to communicate information risk, and how the communication method affects subsequent attitudes to risk. It also includes usability, particularly designing security so that it incentivizes secure behaviour.
We must deliver short-term benefit...
In general, the development of a "science" will be a long-term effort, and should be pursued collaboratively by governments, industry and academia. However, all three nations agree that Security Science must deliver tangible benefit in the short term, without compromising the longer-term effort. It should be strongly informed by the needs and insights of practitioners in the field.
Source: www.cse-cst.gc.ca/en/system/files/pdf_documents/csredp-prdecs-eng_1.pdf
A good example of government, industry and academia collaborating within these seven core themes is the Department of Homeland Security sponsored, MITRE-led Making Security Measurable effort: http://msm.mitre.org/directory/index.html
The Making Security Measurable collection is what DHS identified as the building blocks for a secure cyber ecosystem in its 2011 paper, Enabling Distributed Security in Cyberspace: https://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf