
Nearly every aspect of modern life relies on microelectronics, which are in turn subject to threats ranging from counterfeiting to sabotage to disruption of logistics and supply chains, with potentially devastating consequences. In this environment, it is crucial to determine an economically feasible level of security for integrated hardware and software (IoT) systems.
In “On metrics and prioritization of investments in hardware security,” a paper published by INCOSE (International Council on Systems Engineering), Zachary A. Collier, Brett Briglia, Tom Finkelston, Mark C. Manasco, David L. Slutzky, and James H. Lambert examine risk reduction metrics for prioritizing hardware security countermeasures. University of Virginia students Brett Briglia and Tom Finkelston, now graduates, assisted with the research.
The authors state:
Given budgetary constraints, risk managers and systems engineers must determine what combinations of countermeasures cost-effectively maximize risk reduction, and what metrics best guide the investment process. In this paper, we seek to answer these questions through exploration of risk reduction metrics from the field of security economics, including the benefit/cost ratio, return on security investment (ROSI), expected benefit of information security (EBIS), and expected net benefit of information security (ENBIS).
“While hardware security is typically thought of as a purely technological problem, the reality is that security decision making is embedded within organizations with constrained budgets and competing objectives,” said author Zachary Collier, an Assistant Professor in the Department of Management at Radford University and president of Collier Research Systems. “The goal of this project was to explore how economic metrics could guide the selection and investment in portfolios of hardware security countermeasures.”
The effort was supported by the National Science Foundation, the Center for Hardware and Embedded Systems Security and Trust (NSF CHEST), and CCALS. CCALS joins with several dozen industry and agency members of the NSF CHEST Industrial Advisory Board to publish research and to select projects with students and faculty worth several million dollars annually.
“Through the examination of risk reduction metrics from the field of security economics, the researchers aimed to identify cost-effective combinations of countermeasures that maximize risk reduction and guide the investment process in hardware security countermeasures,” said Dawit Haile, CCALS’ Board Chair as well as Dean for the College of Engineering and Technology and Interim Dean for the College of Natural and Health Sciences at Virginia State University.
“By staying engaged with NSF CHEST membership, CCALS can leverage the latest research and insights to enhance the security of integrated hardware and software systems and mitigate the potentially devastating consequences of threats ranging from counterfeiting to sabotage.”