This paper describes the evolution of REQcollect (REQuirements Collection). REQcollect was developed through several iterations of agile development and the transition of other projects. Multiple federal agencies have sponsored the work as well as transitioned the technologies into use. The parents of REQcollect are REQdb (REQuirements Database) and DART3 (Department of Homeland Security Assistant for R&D Tracking and Technology Transfer) [1]. DART3 was developed from three other projects: TPAM (Transition Planning and Assessment Model) [2], GNOSIS (Global Network Operations Survey and Information Sharing) [3,4], and Aqueduct [5], a semantic MediaWiki extension. REQcollect combines the best components of these previous systems: a requirements elicitation and collection tool and a Google-like matching algorithm to identify potential transitions of R&D projects that match requirements.
Given the increasing frequency and severity of cyber attacks on information systems of all kinds, there is interest in rationalized approaches for selecting the "best" set of cybersecurity mitigations. However, what is best for one target environment is not necessarily best for another. This paper examines an approach to selection that uses a set of weighted criteria, where the security engineer sets the weights based on organizational priorities and constraints. The approach is based on a capability-based representation for cybersecurity mitigations. The paper discusses a group of artifacts that compose the approach through the lens of Design Science research and reports performance results of an instantiation artifact.
Abstract: Stakeholders often conduct cyber risk assessments as a first step towards understanding and managing the risks arising from their use of cyber systems. Many risk assessment methods in use today include some form of vulnerability analysis. Building on prior research and combining data from several sources, this paper develops a metric to estimate the proportion of latent vulnerabilities to total vulnerabilities in a software system and applies the metric to five scenarios involving software on the scale of operating systems. The findings suggest caution in interpreting the results of cyber risk methodologies that depend on enumerating known software vulnerabilities, because the number of unknown vulnerabilities in large-scale software tends to exceed the number of known vulnerabilities.