Thus, while much of this report is moderately supportive of the concept of review boards, we must examine the implementation of a system of analysis that will necessarily come with administrative costs. We note particular ones below. But more generally, those costs will exist. To be sure, there is every reason to expect that the benefits of analysis will outweigh those costs, but open research questions exist regarding the quantification of that expectation.
Access to Data

The workshop identified many opportunities for the research community to help develop the learning process in the cybersecurity industry. For that to happen, the research community will need access to data. Given liability concerns with organizations sharing this data, the NSF could fund efforts at data extraction and anonymization.91 A focused effort to identify incidents in which concerns over liability can be addressed or minimized through anonymization could produce valuable data sets. For instance, incidents at Federal agencies could be good sources for testing investigative techniques and anonymization approaches and technologies, as share price impact and lawsuits are not concerns. The authors acknowledge that we are not experts in the NSF’s funding processes, and recognize that they have many priorities. Nevertheless, we believe this would be a powerful lever in improving both applied cybersecurity and the science of cybersecurity.
Research Questions

The workshop has resulted in the discovery of many questions as participants challenged one another’s assumptions or experiences. Many of these questions are sparked by our findings, but so far unanswered by them, and which we suggest then could be carried forward profitably in

91. Tyler Moore et al., “Valuing Cybersecurity Research Datasets” (paper presented at Workshop on the Economics of Information Security, Cambridge, MA, June 3, 2019), [Page 13], https://weis2017.econinfosec.org/wp-content/uploads/sites/6/2019/05/WEIS_2019_paper_41.pdf. Moore et al. discuss the need for information sharing about cybersecurity incidents and evaluate the value created by the Information Marketplace for Policy and Analysis of Cyber-risk and Trust (IMPACT).
Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity