Entries for month: June 2013

Understanding How Network Security Professionals Perceive Risk

CERT, Risk

By James Cebula
Senior Member of the Technical Staff
CERT Division

Risk inherent in any military, government, or industry network system cannot be completely eliminated, but it can be reduced by implementing certain network controls. These controls include administrative, management, technical, or legal methods. Decisions about what controls to implement often rely on computed-risk models that mathematically calculate the amount of risk inherent in a given network configuration. These computed-risk models, however, may not calculate risk levels that human decision makers actually perceive. These decision makers include the network team (e.g., those people who work to implement the controls to ensure the network is secure), the information assurance (IA) officer, and authorizing officials. For example, these models may be missing immeasurable risk factors (e.g., adversarial sophistication or the value to an adversary of data stored on the network) that decision makers perceive as high risk. This blog post describes the problem of how network security professionals perceive risk in more depth, as well as the SEI’s research efforts to study what risk factors influence perceptions of network risk and how risk perceptions are formulated.


A New CTO and Technical Strategy for the SEI


By Kevin Fall
Chief Technology Officer

I recently joined the Carnegie Mellon Software Engineering Institute (SEI) as deputy director and chief technology officer (CTO). My goal in this new role is to help the SEI advance computer science, software engineering, cybersecurity, and related disciplines to help ensure that the acquisition, development, and operation of software-dependent systems have lower cost, higher quality, and better security. I have spent the past two decades conducting a range of research and development activities, and I have served on various Department of Defense (DoD) advisory boards. In this blog posting, I’d like to talk a little bit about my background and outline the priorities I’m pursuing at the SEI. In subsequent blog postings, I’ll describe the SEI technical strategy in more detail.


Situational Awareness Mashups at the Tactical Edge

Handheld Devices

By Soumya Simanta
Senior Member of the Technical Staff
Software Solutions Division

Warfighters in a tactical environment face many constraints on computational resources, such as computing power, memory, bandwidth, and battery power. They often have to make rapid decisions in hostile environments. Many warfighters can access situational awareness data feeds on their smartphones to make critical decisions. To access these feeds, however, warfighters must contend with an overwhelming amount of information from multiple, fragmented data sources that cannot be easily combined on a small smartphone screen. The same resource constraints apply to emergency responders involved in search-and-rescue missions, who often must coordinate their efforts with multiple responders. This posting describes our efforts to create the Edge Mission-Oriented Tactical App Generator (eMontage), a software prototype that allows warfighters and first responders to rapidly integrate geotagged situational awareness data from multiple remote data sources.


Improving Safety-critical Systems with a Reliability Validation & Improvement Framework


By Peter Feiler
Senior Member of the Technical Staff
Software Solutions Division

Aircraft and other safety-critical systems increasingly rely on software to provide their functionality. The exponential growth of software in safety-critical systems has pushed the cost for building aircraft to the limit of affordability. Given this increase, the current practice of build-then-test is no longer feasible. This blog posting describes recent work at the SEI to improve the quality of software-reliant systems through an approach known as the Reliability Validation and Improvement Framework that will lead to early defect discovery and incremental end-to-end validation.
