Measuring Risk: Computer Security Metrics, Automation, and Learning

Slayton, Rebecca

doi:10.1109/mahc.2015.30

Cited by 31 publications

(6 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Others feel it is challenging, yet feasible (Pfleeger and Cunningham, 2010). Yet others conjecture that security risk analysis does not provide value through the measurement itself, but through the knowledge analysts gain by thinking about security (Slayton, 2015). Nevertheless, the overwhelming consensus is that cybersecurity assessment is necessary (Jaquith, 2007).…”

Section: Case Study 1: Cybersecurity Metric Researchmentioning

confidence: 99%

SYMBALS: A Systematic Review Methodology Blending Active Learning and Snowballing

Haastrecht

Sarhan

Özkan

et al. 2021

Front. Res. Metr. Anal.

View full text Add to dashboard Cite

Research output has grown significantly in recent years, often making it difficult to see the forest for the trees. Systematic reviews are the natural scientific tool to provide clarity in these situations. However, they are protracted processes that require expertise to execute. These are problematic characteristics in a constantly changing environment. To solve these challenges, we introduce an innovative systematic review methodology: SYMBALS. SYMBALS blends the traditional method of backward snowballing with the machine learning method of active learning. We applied our methodology in a case study, demonstrating its ability to swiftly yield broad research coverage. We proved the validity of our method using a replication study, where SYMBALS was shown to accelerate title and abstract screening by a factor of 6. Additionally, four benchmarking experiments demonstrated the ability of our methodology to outperform the state-of-the-art systematic review methodology FAST2.

show abstract

Section: Case Study 1: Cybersecurity Metric Researchmentioning

confidence: 99%

SYMBALS: A Systematic Review Methodology Blending Active Learning and Snowballing

Haastrecht

Sarhan

Özkan

et al. 2021

Front. Res. Metr. Anal.

View full text Add to dashboard Cite

show abstract

“…But rapid technological change and complexity both created uncertainties about potential failure scenarios, and made the construction of actuarial tables impractical if not impossible. Thus, federal agencies remained skeptical of risk management, arguing that it was complicated, expensive, and of questionable value (Slayton 2015).…”

Section: Creating a Regime Of Insecuritymentioning

confidence: 99%

“…One answer is that information systems proliferate unknown risks that elude the monitoring depicted in Figure 2. The "arbitrary complexity" of information systems, combined with a tendency toward constant change, both proliferates and obscures unknown risks (Slayton 2013(Slayton , 2015. Unpredictability stems not only from the complexity of modern information systems-including complex software that can run in an effectively infinite number of ways, myriad hardware devices, and communications links-but from the fact that each of these components is linked to human and social organizations that defy deterministic behavior-software manufacturers and maintainers, Internet service providers, web platform companies such as Google and Facebook, and more.…”

Section: Conceptualizing Information Security Governancementioning

confidence: 99%

Governing Uncertainty or Uncertain Governance? Information Security and the Challenge of Cutting Ties

Slayton

2020

Science, Technology, & Human Values

Self Cite

View full text Add to dashboard Cite

Information security governance has become an elusive goal and a murky concept. This paper problematizes both information security governance and the broader concept of governance. What does it mean to govern information security, or for that matter, anything? Why have information technologies proven difficult to govern? And what assurances can governance provide for the billions of people who rely on information technologies every day? Drawing together several distinct bodies of literature—including multiple strands of governance theory, actor–network theory, and scholarship on sociotechnical regimes—this paper conceptualizes networked action on a spectrum from uncertain governance to governing uncertainty. I advance a twofold argument. First, I argue that networks can better govern uncertainty as they become more able not only to enroll actors in a collective agenda, but also to cut ties with those who seek to undermine that agenda. And second, I argue that the dominant conception of information security governance, which emphasizes governing uncertainty through risk management, in practice devolves to uncertain governance. This is largely because information technologies have evolved toward greater connectedness—and with it, greater vulnerability—creating a regime of insecurity. This evolution is illustrated using the history of the US government’s efforts to govern information security.

show abstract

“…Two recent special issues of the IEEE Annals of the History of Computing provided a range of new histories (Yost, 2015(Yost, , 2016, from the early US government policy in computer security (Lipner, 2015;Warner, 2015), to security discourse at government contractors (Misa, 2016), to the late twentieth century efforts to deploy public key infrastructure in South Korea (Park, 2015). Other works in these special issues included histories of computer security metrics (Slayton, 2015), as well as what DeNardis (2015) calls the "design tension between surveillance and security". In this works, DeNardis (2015, p. 74) argued that security was a concern by 1986, pointing to interest in access control and authentication.…”

Section: Histories Of Network Cybersecurity and Internet Governancementioning

confidence: 99%

Cybersecurity governance: a prehistory and its implications

Fidler

2017

DPRG

View full text Add to dashboard Cite

Purpose The purpose of this paper is to understand the emerging challenges of cybersecurity governance by analyzing the internet’s early history. Design/methodology/approach Tracing the design and management of early internet and network security technologies in the USA in the 1970s and 1980s. Findings The US Department of Defense separated the research and management regimes for networks and network security, with the latter restricted to military networks. As such, the absence of cybersecurity technologies on the early internet was not an oversight, but a necessary compromise. This ordering of networks and security had enduring technological, political and even cultural consequences, which are breaking down today. Social implications Political, technological and metaphoric distinctions between networks and security should be challenged; cybersecurity will transform internet governance. Originality/value New historical sources and analysis provide a novel perspective on contemporary challenges of cybersecurity governance.

show abstract

Measuring Risk: Computer Security Metrics, Automation, and Learning

Cited by 31 publications

References 23 publications

SYMBALS: A Systematic Review Methodology Blending Active Learning and Snowballing

SYMBALS: A Systematic Review Methodology Blending Active Learning and Snowballing

Governing Uncertainty or Uncertain Governance? Information Security and the Challenge of Cutting Ties

Cybersecurity governance: a prehistory and its implications

Contact Info

Product

Resources

About