Please use this identifier to cite or link to this item:
Title: Risk Management and Information Assurance Decision Support
Authors: Hanan Hibshi
Travis D. Breaux
Keywords: Risk Management
Information Assurance
Risk Framework
Component-Based Architecture
Security Threats
Multi-Factor Quality Measurement
Cybersecurity Mitigations
Issue Date: 5-Sep-2018
Publisher: Acquisition Research Program
Citation: Published--Unlimited Distribution
Series/Report no.: Information Technology
Abstract: Modern information technology (IT) systems rely on architectural paradigms that leverage small units of computation composed into larger, more complex systems. Component reuse enables more complex systems that are capable of processing information faster and of improved integration into dynamic workflows. For example, smart phone applications are composed from the phone hardware, the operating system (e.g., Android and iOS), the cellular network, and the individual mobile phone applications or "apps" that are sold in marketplaces. Apps increasingly use remote services for authentication, storage, runtime analytics and advertising. The DoD challenge is how to manage security risk across service compositions when services and data use must evolve to meet new mission needs. Dr. Travis Breaux at Carnegie Mellon University will investigate new ways to leverage component-based architecture in reducing security threats. These new techniques integrate human security expert judgements with notions of composable security to identify interactions among security requirements that affect overall system assurance levels. The research is based on factorial vignettes and multi-level models that can detect significant interactions among components through human subject surveys. The results will be integrated into a decision support tool that will be evaluated based to assess the effect on DoD IA certification processes. This research will yield important public benefits to private sector companies who supply and consume the dual-purpose information technology (IT) used by the DoD and who are frequently subject to security threats from organized crime, foreign governments and stateless hackers. This IT increasingly makes use of new architectural paradigms, such as mobile and cloud-based platforms, that increase reuse and agility at the risk of decreased transparency across multi-party, distributed systems. The ability to rapidly and reliability certify IT components in multi-party IT systems will have important public benefits, including increased awareness of security requirements across suppliers, increased innovation that meets emerging demands by composing new systems from trusted components, and reduced costs from increased automation and agility of the workforce. If new technologies are not trusted, companies will continue to rely on outdated hardware and software that often limits information reuse and requires unnecessary redundancy.
Description: Information Technology / Grant-funded Research
Appears in Collections:Sponsored Acquisition Research & Technical Reports

Files in This Item:
File SizeFormat 
CMU-IT-18-227.pdf1.19 MBAdobe PDFView/Open

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.