Aims: Propose and develop methods that help make security more sustainable.
Background: Currently, when we think of sustainability in security today, models such as “planned obsolescence” and “security as a service” may spring to mind. However, very little work has been done to understand what makes security sustainable in the first place. For instance, to what degree do concepts such as durability, agility, autonomy, resilience and robustness of systems interact. Furthermore, what are the direct and indirect effects of implementing sustainable security? The purpose of this PhD is to investigate characteristics that make cyber security sustainable. Examples include, but are not limited to understanding the relationship between technical and non-technical aspects of security such as: patching, system monitoring, intrusion detection, system hardening, security policies, etc. The purpose of this work is to investigate whether such a term is meaningful in the context of cyber security, whether it ought to be formalised as a set of principles, guidelines, framework (such as a maturity model), text definition or making use of formal methods – dependent on the student’s skills and experience.
Prerequisites: This can be a computer science driven project or a software engineering driven project, and the project should have an awareness of the wider social, economic and political issues that frame sustainable cyber security. We would expect the student to have a strong background in programming and software development using languages such as Python, Java or C/C++ and some background in requirements gathering and analysis. For the social science part, we expect students to have a background in conducting questionnaires, interviews, focus groups, user studies and ethnographic studies. Ideally, the student will have an interest in hypothesis testing using tools such as SPSS (but this is not a requirement).
Early activities: A report describing the state of the art in security and sustainability; a clear work plan describing the set of tests to be performed, tools to be implemented and classes of techniques to be proposed and studied;
Research: The student will be free to tackle the problem as they see fit with guidance from the supervisors. We expect to see either some practical tools development to study the sustainability of security in systems, or studying of how people perceive concepts related to sustainability of security in real world systems. Around the midway point, we would expect the formulation of key (testable) hypotheses to eventually lead to a framework that developers, policy makers and other organisation stakeholders can use to improve sustainability of security in ICT systems and organisations.
Suggested Reading:
There is very little available on this topic. Ross Anderson has a few works on the subject: https://www.cl.cam.ac.uk/~rja14/ , but otherwise most of the work in this area focuses on related topics such as resilience and robustness of systems, including:
- Julia Allen. Measures for managing operational resilience. Technical Report, 2011.
- Julia Allen, Pamela Curtis, Nader Mehravari, Andrew Moore, Kevin Partridge, Robert Stoddard, and Randy Trzeciak. Analyzing cases of resilience success and failure-a research study. Technical report,Carnegie Mellon University, the Software Engineering Institute, 2012.
- Richard A Caralli, Julia Allen, and David W White. CERT resilience management model: A maturity model for managing operational resilience. Addison-Wesley Professional, 2010.
- Deborah Bodeau and Richard Graubart. Cyber resilience metrics: Key observations. Technical Report,2016.
- Ronald J Brachman, Richard E Fikes, and Hector J Levesque. Krypton: A functional approach to knowledge representation. Computer, (10):67–73, 1983.
- Linkov and Trump. The science and practice of resilience. 2019