How to elicit, specify and validate security assurances for service composition in the presence of uncertainty, dynamism and human behaviour (including addressing direct and indirect dependencies and resulting systemic risks)?
Predictability is an inherent goal in security: knowing what can and will happen, what can be done to mitigate it and the extent to which any mitigation is effective. Predictability requires measuring security, which is a hard problem in any system. It is compounded in digital infrastructures, where complexity is paramount: a mix of technology (legacy and non-legacy), uncertainty about threats and the effectiveness of controls, emergent behaviour, interactions between security and other system goals, the trustworthiness of people and organisations, and divergence from rules (shadow practices).
A large body of work has focused on developing metrics. Reference sources such as NIST 800-55 and ISO 27004 adopt a catalogue approach: reference metrics classified into categories and documented with scenarios and examples. However, the contextualisation of metrics relies on arbitrary examples and use cases, limiting their expressiveness and hence their ability to address the complexity and inherent uncertainty. Others promote a more structured way of designing security measurements. However, they presume that one knows a priori what is pertinent to measuring security and that instrumenting all elements is feasible—not the case given the dynamism and opaqueness in contemporary and future digital infrastructures.
Standards such as NIST SP 800-160 Volumes 1 and 2 offer guidance on engineering trustworthy secure and resilient systems. However, such standards are based on the premise that the problem, solution and trustworthiness contexts can be established a priori and that systems can be architected with a high degree of control over their components. These assumptions do not hold in large-scale infrastructures. There are systems about which one can collect relevant metrics (e.g., a sub-system into which deep instrumentation can be deployed), and others for which one cannot. Uncertainty also comes from what is unseen, e.g., shadow practice. So modelling the dependencies and deriving relevant metrics to understand the security implications of those dependencies is a major scientific challenge.