Supporting Cyber Security Standards Development with Security Assurance Cases

The existence of well-defined or documented sets of standards, guidelines, or best practices for developing secure systems is limited. Those that are available often lack focus and specificity, making compliance either too difficult or too easy. As a result, many practitioners are never quite sure what needs to be done to demonstrate that they have taken appropriate measures to adequately secure the systems they are developing. Without readily available guidance documents, assuring the security and trustworthiness of critical systems will remain challenging.

As demonstrated by both Canada and the United States in their recent national cyber strategies, further research efforts in developing more rigorous standards, guidelines and best practices is needed. In particular, better guidance for practitioners to incorporate suitable security measures at all stages of system development, and to generate and gather the evidence needed to support assurance claims can help to improve system security.

In this presentation, Jason discussed the need for more rigorous, outcome-oriented cyber security standards, guidelines and best practices based on sound technological principles. He presented recent research efforts in the development of security assurance cases and describe the role they can have in the understanding and development of such cyber security standards.

About the speaker

Jason Jaskolka is an Assistant Professor in the Department of Systems and Computer Engineering and the Director of the Cyber Security Evaluation and Assurance (CyberSEA) Research Lab at Carleton University, in Ottawa, Canada. He received his PhD in Software Engineering in 2015 from McMaster University (Hamilton, Canada). He is a licensed Professional Engineer in Ontario.

His research interests include cyber security evaluation and assurance, threat modeling, security-by-design, and formal methods and algebraic approaches for software and security engineering. He is interested in applying his research to critical infrastructures, cyber-physical and distributed systems, and the Internet of Things (IoT).

Watch Jason’s presentation