A Roadmap for Cybersecurity Research

Defining effective metrics for information security has been difficult because of the rapid evolution of information technology and the shifting locus of adversarial action. Defining effective metrics would be useful, however, for comparing different security systems and tracking the progress of security measures. Cyber security decisions on how to control and avoid threats have been hindered by the lack of enterprise-level metrics (ELMs). The security industry lacks methods to evaluate its products, which halts progress toward handling security threats. A suitable life cycle methodology would be helpful for system procurement. Evaluation methods are required to quantify performance methods of a security system through its life cycle. A measurement over a system's life cycle would allow us to properly allocate resources. This method of evaluation would drive research, development, operational decisions, and investment. Part of the challenge in information security is finding out whether a system is under attack, who the attacker is, what the attacker's intent is, and how to defend against the attack. Attack attribution is discovering the location or source of the attacker or the attacker's intermediary. Attack attribution helps one understand his role, environment, adversary, mission, resource status, et cetera. Accurate attribution may only be possible in increments as more information is interpreted. Attribution is a key part of situational understanding because it helps understand who the attacker is and how to respond. Information attacks on large infrastructures are especially important. Attacks can come from a variety of sources, so attribution also presents a challenge. However, this is an important challenge to overcome, as attribution is central to defense, remediation, and deterrence from future attacks. Privacy-aware security enables users and organizations to protect their private information, even when sharing that information with others, and encompasses topics such as anonymity, pseudo-anonymity, confidentiality, protection of queries, monitoring, and appropriate accessibility. Threats to private information come from accidents (intrinsic) or exploitation from outside threats (extrinsic). The main problem with privacy-aware security is the tension between disclosure and use of private information. There are currently no frameworks for enforcing protection requirements while allowing for the sharing of private information for legitimate purposes. The research goal for privacy-aware software should be to gather more information to make informed decisions about the trade-off between disclosure and use of information.