{"title":"Adaptive information security and privacy","authors":"B. Nuseibeh","doi":"10.1109/RCIS.2017.7956510","DOIUrl":null,"url":null,"abstract":"Although security and privacy by design underpin effective engineering of software intensive systems, the dynamic reality of modern information systems means that such systems are the subject of changes of many different forms that can affect their operational environment, their behaviour, and the behaviour of their users, both legitimate and malicious. Systems must therefore be adaptive by design, in order to adapt effectively at runtime. In particular, these systems must be able to adapt their security and privacy controls, both proactively or in response to a variety of changes in their environment, in the threats they face, and in the assets they are required to protect. This talks presents both empirical and engineering challenges to achieving adaptive security and privacy in information systems. Acknowledging that information systems are increasingly both socio-technical and cyber-physical, the talk explores the impact of cyber-physical-social boundaries and their effective management when engineering secure, privacy-aware, and forensics-ready systems.","PeriodicalId":193156,"journal":{"name":"2017 11th International Conference on Research Challenges in Information Science (RCIS)","volume":"22 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 11th International Conference on Research Challenges in Information Science (RCIS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/RCIS.2017.7956510","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
Although security and privacy by design underpin effective engineering of software-intensive systems, the dynamic reality of modern information systems means that such systems are the subject of changes of many different forms that can affect their operational environment, their behaviour, and the behaviour of their users, both legitimate and malicious. Systems must therefore be adaptive by design, in order to adapt effectively at runtime. In particular, these systems must be able to adapt their security and privacy controls, both proactively and in response to a variety of changes in their environment, in the threats they face, and in the assets they are required to protect. This talk presents both empirical and engineering challenges to achieving adaptive security and privacy in information systems. Acknowledging that information systems are increasingly both socio-technical and cyber-physical, the talk explores the impact of cyber-physical-social boundaries and their effective management when engineering secure, privacy-aware, and forensics-ready systems.