DocumentCode
3780160
Title
A new science of security decision making
Author
Patrick McDaniel
Author_Institution
Penn State University, U.S.A
fYear
2015
Abstract
Summary form only given. The computer science community has spent the last 40-plus years attempting to identify a science of secure systems. Such efforts have yielded formal methods for proving security properties of computing artifacts and systems. Despite these advances, there does not yet exist a widely applicable science for holistically reasoning about security in heterogeneous and changing network environments. This talk introduces the research objectives and early results of a 10-year project seeking to develop such a science. Embodied in the Cyber-Security Collaborative Research Alliance, this effort aims to develop a science of decision making in the presence of uncertainty and potentially hostile users, systems, and networks. We begin by outlining the challenges of such a science and describe our efforts in exploring new models of risk assessment, detection, and systems agility aimed at maximizing the outcomes of system activities. We consider the roles of users and the need to integrate models of human behaviors into models of security. We conclude the talk with a roadmap of future research within the consortium.
Publisher
ieee
Conference_Titel
Information Systems Security and Privacy (ICISSP), 2015 International Conference on
Type
conf
Filename
7509913