[Itpolicy-np] (Highly Recommended) “Metaphors for Cyber Security” Sandia Report; August 2008
Bipin Gautam
bipin.gautam at gmail.com
Thu Sep 2 03:40:03 GMT 2010
(SOURCE, 42 pages):
http://evolutionofcomputing.org/Multicellular/Cyberfest%20Report.pdf
“This report is based upon a workshop, called “CyberFest,” held at
Sandia National Laboratories on May 27-30, 2008. Participants in the
workshop came from organizations both outside and inside Sandia. The
premise of the workshop was that thinking about cyber security from a
metaphorical perspective could lead to a deeper understanding of
current approaches to cyber defense and perhaps to some creative new
approaches. A wide range of metaphors was considered, including those
relating to: military and other types of conflict, biological, health
care, markets, three-dimensional space, and physical asset protection.
These in turn led to consideration of a variety of possible approaches
for improving cyber security in the future. From the proposed
approaches, three were formulated for further discussion.
These approaches were labeled “Heterogeneity” (drawing primarily on
the metaphor of biological diversity),
“Motivating Secure Behavior” (taking a market perspective on the
adoption of cyber security measures) and
“Cyber Wellness” (exploring analogies with efforts to improve
individual and public health)”
...(SKIPPING).....
“Whether used consciously or unconsciously, metaphors are integral to
human thought and communication. As with other subjects, this is true
in discussions of cyber security. Analyzing the metaphors implicit in
the current mainstream of cyber security thought can illuminate the
assumptions, logic, and perhaps the limitations of that thought.
Experimenting with alternative metaphors can lead to different
perspectives on the problem and may even stimulate creatively
different ways of dealing with it. In the workshop reported here,
participants were inspired to explore three broad concepts for
approaching cyber security in the future: one emphasizing the utility
of heterogeneously composed computer network systems in defending
against cyber attacks; one stressing the importance of finding the
right incentives to motivate information technology users, managers,
vendors, suppliers, and developers to behave in ways that would make
systems more resistant to attack; and one taking a metaphorical
“wellness” view of cyber security that might enable a holistic design
for “baking” better security into the next generation of information
network systems.
Some final observations of workshop participants were that those
responsible for setting future directions for cyber security need to
* have a bold vision of where we want to go, then figure out a gradual
adoption/implementation strategy;
* accept and sustain a strategy through the inevitably gradual and
evolutionary process that will ensue; and
* show benefits for users and operators, not just push solutions that
aren’t seen as beneficial outside the security world”
...