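@comment{Three articles from the Technology Innovation Management Review (ISSN 1927-0321).
  Citation keys are the journal's own article numbers and are kept unchanged so existing
  \cite commands keep working. Conventions applied: names in "Last, First" form, month
  macros instead of "MM/YYYY", en-dash page ranges, bare DOIs (no resolver prefix), and
  brace-protected proper nouns/acronyms in titles so sentence-casing styles keep them.}

@string{TIMR = {Technology Innovation Management Review}}
@string{TFN  = {Talent First Network}}

@article{1065,
  author    = {McPhee, Chris and Weiss, Michael},
  title     = {Editorial: Cybersecurity ({April} 2017)},
  journal   = TIMR,
  volume    = {7},
  year      = {2017},
  month     = apr,
  pages     = {3--4},
  publisher = TFN,
  address   = {Ottawa},
  keywords  = {anomaly detection, automation, big data, cybersecurity, exploration, Hypponen{\textquoteright}s law, Internet of Things, IOT, legislation, medical devices, privacy, real time, risk assessment, security engineering, smart devices, value proposition, vulnerabilities},
  issn      = {1927-0321},
  doi       = {10.22215/timreview/1065},
  url       = {http://timreview.ca/article/1065},
}

@article{1066,
  author    = {Hypponen, Mikko and Nyman, Linus},
  title     = {The {Internet} of (Vulnerable) Things: On {Hypponen{\textquoteright}s} Law, Security Engineering, and {IoT} Legislation},
  journal   = TIMR,
  volume    = {7},
  year      = {2017},
  month     = apr,
  pages     = {5--11},
  publisher = TFN,
  address   = {Ottawa},
  abstract  = {The Internet of Things (IoT) and the resulting network-connectedness of everyday objects and appliances in our lives bring not only new features and possibilities, but also significant security concerns. These security concerns have resulted in vulnerabilities ranging from those limited in effect to a single device to vulnerabilities that have enabled IoT-based botnets to take over hundreds of thousands of devices to be used for illegal purposes. This article discusses the vulnerable nature of the IoT {\textendash} as symbolized by Hypponen{\textquoteright}s law {\textendash} and the parts both manufacturers and consumers play in these vulnerabilities. This article makes the case for the importance of security engineering for IoT manufacturers, highlights some significant issues to help consumers address these vulnerabilities, and argues for legislation as perhaps the only reliable means of securing the Internet and its connected devices.},
  keywords  = {consumers, cybersecurity, Hypponen{\textquoteright}s law, Internet of Things, IOT, legislation, manufacturers, security engineering, smart devices, vulnerability},
  issn      = {1927-0321},
  doi       = {10.22215/timreview/1066},
  url       = {http://timreview.ca/article/1066},
}

@article{715,
  author    = {Goyette, Rich and Robichaud, Yan and Marinier, Fran{\c c}ois},
  title     = {A Research Agenda for Security Engineering},
  journal   = TIMR,
  volume    = {3},
  year      = {2013},
  month     = aug,
  pages     = {41--50},
  publisher = TFN,
  address   = {Ottawa},
  abstract  = {Despite nearly 30 years of research and application, the practice of information system security engineering has not yet begun to exhibit the traits of a rigorous scientific discipline. As cyberadversaries have become more mature, sophisticated, and disciplined in their tradecraft, the science of security engineering has not kept pace. The evidence of the erosion of our digital security {\textendash} upon which society is increasingly dependent {\textendash} appears in the news almost daily. In this article, we outline a research agenda designed to begin addressing this deficit and to move information system security engineering toward a mature engineering discipline. Our experience suggests that there are two key areas in which this movement should begin. First, a threat model that is actionable from the perspectives of risk management and security engineering should be developed. Second, a practical and relevant security-measurement framework should be developed to adequately inform security-engineering and risk-management processes. Advances in these areas will particularly benefit business/government risk assessors as well as security engineers performing security design work, leading to more accurate, meaningful, and quantitative risk analyses and more consistent and coherent security design decisions. Threat modelling and security measurement are challenging activities to get right {\textendash} especially when they need to be applied in a general context. However, these are decisive starting points because they constitute the foundation of a scientific security-engineering practice. Addressing these challenges will require stronger and more coherent integration between the sub-disciplines of risk assessment and security engineering, including new tools to facilitate that integration. More generally, changes will be required in the way security engineering is both taught and practiced to take into account the holistic approach necessary from a mature, scientific discipline.},
  keywords  = {cybersecurity, information system security engineering, research, risk management, security engineering, security measurement, threat modelling},
  issn      = {1927-0321},
  doi       = {10.22215/timreview/715},
  url       = {http://timreview.ca/article/715},
}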