Cybersecurity: From Ad Hoc Patching to Lifecycle of Software Engineering

The role of information assurance (IA) is critical for cyber-based technologies and products, and the risk of cyberterrorism to IA is omnipresent. In particular, to achieve IA, young and dynamic developing technologies and products should be using a defined lifecycle that leverages and builds (throughout the developmental lifecycle) on a rich and proven body of knowledge and practices in risk assessment and management. The lifecycle of software development must include the following (not necessarily sequentially): the needs and requirements; specifications; contractor selection; conceptual design; systems integration, demonstration, and validation; engineering manufacturing, development, and production; and maintenance and major upgrade. In addition to addressing the functionality of the lifecycle development, from the risk analysis perspective it is just as important to focus on (1) the people's perspectives—namely, the individual, the team, the management, and the stakeholder, (2) the hardware-software perspectives, especially the risks associated with the commercial-off-the-shelf (COTS) products and (3) the environment within which the entire system operates. This paper follows and builds on two papers previously published in this journal on the risks of terrorism associated with supervisory control and data acquisition (SCADA) and other cyberdependent systems. Its thesis is that the reliability and integrity of such systems, and thus, the corresponding interdependent infrastructures served by them, are contingent on the following three principles of IA and cybersecurity. 
Adhering to these principles can be instrumental in achieving the desired level of IA and cybersecurity:

(1) Risk of software intrusion must be assessed and managed throughout the lifecycle of software development, focusing on both the functionality of software development and on the people involved in the process, knowing that hackers will exploit every weakness in the system.

(2) Achieving information assurance and cybersecurity must be placed high on the priority list of top management. (The two are intricately dependent on software quality and telecommunications fidelity.) This is synonymous with performing a holistic risk assessment and management.

(3) Risk management of cyberterrorism must be the domain priority of the entire development team and the organization's management. It must be achieved from the perspectives of the total system throughout the software and system development's lifecycles.

Building on the multifarious sources of risk envisioned during the lifecycle of software development through Hierarchical Holographic Modeling, resilience in cybersecurity through risk management is discussed. The human role in IA and cybersecurity and the centrality of the educational dimension in risk management are also introduced.
