Supporting Cybersecurity Standard Development with Security Assurance Cases
Dr. Jason Jaskolka of the CyberSEA Research Lab presents at the 2019 Smart Cybersecurity Network (SERENE-RISC) Annual Workshop.
Presentation Abstract
The existence of well-defined or documented sets of standards, guidelines, or best practices for developing secure systems is limited. Those that are available often lack focus and specificity, making compliance either too difficult or too easy. As a result, many practitioners are never quite sure what needs to be done to demonstrate that they have taken appropriate measures to adequately secure the systems they are developing. Without readily available guidance documents, assuring the security and trustworthiness of critical systems will remain challenging. As demonstrated by both Canada and the United States in their recent National Cyber Strategies, further research efforts in developing more rigorous standards, guidelines, and best practices is needed. In particular, better guidance for practitioners to incorporate suitable security measures at all stages of system development, and to generate and gather the evidence needed to support assurance claims can help to improve system security. In this presentation, I will discuss the need for more rigorous, outcome-oriented cyber security standards, guidelines, and best practices based on sound technological principles. I will present recent research efforts in the development of security assurance cases and describe the role they can have in the understanding and development of such cyber security standards.