What Then Do We Do About Computer Security?

"In November 2010 Jim Gosler, Sandia Fellow, asked several of us several pointed questions about computer security metrics. Never mind that some of the best minds in the field have been trying to crack this nut without success for decades. Jim asked Campbell to lead an informal and unfunded group to answer the questions. With time Jim invited several more Sandians to join in. We met a number of times both with Jim and without him. At Jim's direction we contacted a number of people outside Sandia who Jim thought could help. For example, we interacted with IBM's T.J. Watson Research Center and held a one-day, videoconference workshop with them on the questions. Over the year Jim added more questions to the list upon occasion and upon occasion we provided our then-current answers in the form of short, informal documents, usually about one page each. As we now complete a year on this work we have gathered our now-current answers and present them in this report. The following are Jim's collected questions: (1) I have a million dollars; how should I spend it to maximize my computer security? (2) I am a program manager for computer security. How do I identify the proposals that will increase my computer security? (3) I am a program manager for computer security. When a funded proposal completes how do I determine how much security I got for my money? (4) Why is this problem so hard? (5) How will our civilization's response to this problem play out? (6) How do I address deterrence in this world? The rest of this report is organized as follows. The next section presents the answers for each of us. The subsequent (and last) section presents a summary."

Report Number:
Sandia National Laboratories, SAND2012-0640
Public Domain
Retrieved From:
Department of Energy: http://www.energy.gov/