TY - JOUR
T1 - A Research Agenda for Security Engineering
JF - Technology Innovation Management Review
Y1 - 2013
A1 - Rich Goyette
A1 - Yan Robichaud
A1 - François Marinier
KW - cybersecurity
KW - information system security engineering
KW - research
KW - risk management
KW - security engineering
KW - security measurement
KW - threat modelling
AB - Despite nearly 30 years of research and application, the practice of information system security engineering has not yet begun to exhibit the traits of a rigorous scientific discipline. As cyberadversaries have become more mature, sophisticated, and disciplined in their tradecraft, the science of security engineering has not kept pace. The evidence of the erosion of our digital security – upon which society is increasingly dependent – appears in the news almost daily. In this article, we outline a research agenda designed to begin addressing this deficit and to move information system security engineering toward a mature engineering discipline. Our experience suggests that there are two key areas in which this movement should begin. First, a threat model that is actionable from the perspectives of risk management and security engineering should be developed. Second, a practical and relevant security-measurement framework should be developed to adequately inform security-engineering and risk-management processes. Advances in these areas will particularly benefit business/government risk assessors as well as security engineers performing security design work, leading to more accurate, meaningful, and quantitative risk analyses and more consistent and coherent security design decisions. Threat modelling and security measurement are challenging activities to get right – especially when they need to be applied in a general context. However, these are decisive starting points because they constitute the foundation of a scientific security-engineering practice. Addressing these challenges will require stronger and more coherent integration between the sub-disciplines of risk assessment and security engineering, including new tools to facilitate that integration. More generally, changes will be required in the way security engineering is both taught and practiced to take into account the holistic approach necessary from a mature, scientific discipline.
PB - Talent First Network
CY - Ottawa
VL - 3
UR - http://timreview.ca/article/715
IS - 8
U1 - Communications Security Establishment Canada. Richard Goyette is Senior Security Architect at Communications Security Establishment Canada. Richard has a BEng and MEng in Electrical Engineering, both from the Royal Military College of Canada in Kingston, Canada. Richard spent 22 years as a Signals officer in the Canadian Forces, where he was involved with a multitude of projects in the areas of intelligence, security, and command and control. He is currently employed in the area of architecture and technology assurance developing security guidance for the wider Government of Canada.
U2 - Communications Security Establishment Canada. Yan Robichaud is a Senior Security Architect at Communications Security Establishment Canada. Yan has a BASc degree in Computer Engineering and MSc degree in Electrical Engineering, both from Université Laval, Québec City, Canada. He provides advice and guidance related to security architecture and engineering, threat assessment, and risk management to Government of Canada departments and agencies. He is involved in key government IT initiatives, such as large IT consolidation projects, enterprise security architecture, and the security of space-based systems. Yan is also involved in the development of IT security courses and leads the production of publications about IT-security guidance, such as "ITSG-33 IT Security Risk Management: A Lifecycle Approach".
U3 - François Marinier is an independent IT security analyst with experience in all facets of IT-security risk management. François started his career working in computer operations and mainframe application support. He eventually migrated to IT security, where he acquired knowledge and experience in the development and application of processes for IT-security risk management. He has also worked as an analyst, supporting large IT-infrastructure initiatives, in both the public and private sectors. For the last three years, François has dedicated his work almost exclusively to the development of ITSG-33, the next generation of guidelines for IT security risk management for the Government of Canada.
ER -