
Engineering trustworthy systems: a principled approach to cybersecurity

Published: 21 May 2019

Abstract

Cybersecurity design reduces the risk of system failure from cyberattack, aiming to maximize mission effectiveness.

References

[1] Avizienis, A., Laprie, J.-C., and Randell, B. Fundamental concepts of dependability. In Proceedings of the 3rd IEEE Information Survivability Workshop (Boston, MA, Oct. 24–26). IEEE, 2000, 7–12.
[2] Hamilton, S.N., Miller, W.L., Ott, A., and Saydjari, O.S. The role of game theory in information warfare. In Proceedings of the 4th Information Survivability Workshop. 2001.
[3] Hammond, S.A. and Mayfield, A.B. The Thin Book of Naming Elephants: How to Surface Undiscussables for Greater Organizational Success. McGraw-Hill, New York, 2004, 290–292.
[4] Morgan, S. Top 5 Cybersecurity Facts, Figures and Statistics for 2018. CSO Online; https://bit.ly/2KG6jJV.
[5] NASA. Report of the Presidential Commission on the Space Shuttle Challenger Accident. June 6, 1986; https://history.nasa.gov/rogersrep/genindex.htm
[6] Rand Corporation. Foundations of Effective Influence Operations: A Framework for Enhancing Army Capabilities. Rand Corp. 2009; https://www.rand.org/content/dam/rand/pubs/monographs/2009/RAND_MG654.pdf
[7] Saydjari, O.S. Why Measure? Engineering Trustworthy Systems. McGraw-Hill, New York, 2018, 290–292.
[8] Saydjari, O.S. Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time. McGraw-Hill Education, 2018.
[9] Wiegmann, D. and Shappell, S.A. A Human Error Approach to Aviation Accident Analysis: The Human Factors Analysis and Classification System. Ashgate Publishing, 2003.
[10] Zarate, J.C. The Cyber Attacks on Democracy. The Catalyst 8, (Fall 2017); https://bit.ly/2IXttZr

    Reviews

    Eduardo B. Fernandez

    In this article, an extract of his book on 223 security principles [1], Saydjari discusses the ten "most fundamental" principles. Both the book and article are addressed to software engineers who want to build secure systems. Cybersecurity technology is advancing too slowly to keep pace with threats, and system designers need principles in order to do a better job. My own experience analyzing recent attacks (Equifax, Uber, Sony, Capital One, and so on) shows that these attacks succeeded not because they were impossible to stop, but because management made the deliberate decision to not spend money and effort on protecting customer data. In fact, the attacks were very simple, but the systems were quite naked. The proposed principles are all well known [2,3,4,5], which confirms that the problem is not a lack of cybersecurity knowledge but a failure to apply this knowledge. Even companies that develop security-critical systems such as Microsoft or Adobe don't use the most advanced secure systems development methodologies, relying instead on secure coding and code analysis. While having a list of principles as a guide when building systems is better than nothing, I doubt that developers will be able to apply 223 principles without the support of a systematic methodology. I have found that the use of security architectural patterns is an effective way to implicitly apply principles, and after surveying a variety of approaches to secure software design [6], I believe that model-based methodologies are the only hope to produce systems with a high level of security and that comply with privacy and other regulations. However, we first need government regulations that punish institutions that do not protect the data in their trust, as the European regulations do. Until that happens, cyberattacks will continue to succeed.

    Published In

    Communications of the ACM  Volume 62, Issue 6
    June 2019
    85 pages
    ISSN:0001-0782
    EISSN:1557-7317
    DOI:10.1145/3336127
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 21 May 2019
    Published in CACM Volume 62, Issue 6

    Qualifiers

    • Research-article
    • Popular
    • Refereed

    Article Metrics

    • Downloads (Last 12 months): 226
    • Downloads (Last 6 weeks): 17
    Reflects downloads up to 01 Sep 2024

    Cited By

    • (2024) Assessing Cybersecurity Problem-Solving Skills and Creativity of Engineering Students Through Model-Eliciting Activities Using an Analytic Rubric. IEEE Access 12, 5743-5759. DOI: 10.1109/ACCESS.2023.3348554. Online publication date: 2024
    • (2024) A Short Review of Cybersecurity Issues and Efforts in the Water Industry. Proceedings of the 2nd International Conference on Dam Safety Management and Engineering, 385-408. DOI: 10.1007/978-981-99-3708-0_27. Online publication date: 5-Feb-2024
    • (2022) A Study of Effectiveness and Problem Solving on Security Concepts with Model-Eliciting Activities. 2022 IEEE Frontiers in Education Conference (FIE), 1-9. DOI: 10.1109/FIE56618.2022.9962412. Online publication date: 8-Oct-2022
    • (2022) Improving the cybersecurity of medical systems by applying the NIST framework. 2022 14th International Conference on Electronics, Computers and Artificial Intelligence (ECAI), 1-7. DOI: 10.1109/ECAI54874.2022.9847498. Online publication date: 30-Jun-2022
    • (2021) Effective Learning of Cybersecurity Concepts with Model-Eliciting Activities. 2021 IEEE International Conference on Engineering, Technology & Education (TALE), 01-07. DOI: 10.1109/TALE52509.2021.9678713. Online publication date: 5-Dec-2021
    • (2021) SoK: Autonomic Cybersecurity - Securing Future Disruptive Technologies. 2021 IEEE International Conference on Cyber Security and Resilience (CSR), 66-72. DOI: 10.1109/CSR51186.2021.9527908. Online publication date: 26-Jul-2021
    • (2020) Dynamic Attack Scoring Using Distributed Local Detectors. ICASSP 2020 - 2020 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2892-2896. DOI: 10.1109/ICASSP40776.2020.9054264. Online publication date: May-2020
