Netpolicy/Cyber Security Delphi

From MozillaWiki
Revision as of 21:28, 19 December 2013 by Mchris (talk | contribs)

Cyber Security Delphi 1.0

As our global dependence on the Internet has grown, so too have the threats to privacy and security. Many conversations and strategies to lessen the harm of cybersecurity vulnerabilities have taken place in the public sector, the private sector, and forums that integrate both. Too many of these have focused on "detect and respond" approaches to cybersecurity, under-weighting "prevent" as a target for change. The result is a framework for cybersecurity that emphasizes massive information collection and analysis, with attendant increased risks for privacy and openness, and de-emphasizes practical change that would reduce the scale of potential security harms. Rare is the conversation about some of the largest sources of cybersecurity vulnerabilities: the widespread use of unpatched operating systems and applications with known vulnerabilities (whether on personal computers or mobile devices), the absence of SSL/TLS by default for major web servers or data center connections, or even the direct connection of utility control systems to the Internet without adequate firewalls. What is most needed, right now, is greater clarity about cybersecurity risks and responses, and an effort to build momentum and support for real and pragmatic change.

Mozilla's Cyber Security Delphi 1.0 is a step to address this gap, by identifying and prioritizing concrete threats and solutions. Through the iterative structure of the Delphi method, we build expert consensus about the priorities for improving the security infrastructure of the Internet—infrastructure to protect public safety, sustain economic growth, and foster innovation. Specifically, the Cyber Security Delphi 1.0:

  • Creates an expert-generated, consensus-driven, prioritized list of key security vulnerabilities that threaten individual, commercial, and educational organizations;
  • Develops briefs based on the outcomes of the Delphi process for policy makers in the US and abroad; and
  • Defines an agenda for cross-sector action to address critical vulnerabilities, one that leverages participants, intragovernmental groups, and civil society.

The resulting report is a guide and reference point that civil society organizations and other advocates can use to develop positive agendas for change built on grounded facts and data. It will help drive forward-looking policy understanding and discussion around cybersecurity that helps maximize the valuable contributions of the Internet, while mitigating the inherent risks.

How We're Going to Do It

The project execution includes planning, recruitment of the Delphi members, the Delphi process itself, and reporting out to various constituents, culminating in a briefing for the extended DC community. The Delphi takes place across three phases:

  • Planning: During the planning phase, facilitators review existing literature to compile an initial list of topics for discussion, working with the project advisory board. Participants are recruited and the initial round of voting and commenting, powered by customized software and services built and managed by Mozilla, commences.
  • Execution: Participants continue to discuss and vote on the issues under review. Participants are also encouraged to add new topics to the discussion as they emerge and/or if they have been omitted from the original design. Facilitators monitor the discussion, aggregate related threads into categories, and prepare the final report based upon the voting results.
  • Extension: Following the presentation of the report, participants are asked to take the top policy recommendations and conduct a scenario planning exercise to identify potential consequences of the policies being enacted. As with the execution phase, facilitators guide the discussion and summarize the results, to be appended to the report.

We anticipate recruiting 50 participants from across 10 professional disciplines to take part in the study. The ideal composition for the study to realize this objective would include specialists in computer security, network security, cryptography, data security, and application security, as well as professionals from industry and public sector organizations responsible for addressing threats and vulnerabilities associated with cybersecurity.

What It Takes

Mozilla acts as the convener of the Cyber Security Delphi 1.0, with assistance from four groups:

  1. Advisory Committee: A small group of subject matter experts provide input on the discussion topics and the analysis of key outcomes at the end of each round.
  2. Delphi Facilitators: Provide anonymized summaries and justifications of the experts' position statements as part of the iterative cycle of discussion.
  3. Delphi Design Specialist: Inform the framing and execution of the discussion.
  4. Technical Support Team: Manage the online survey tools and the asynchronous discussion forums.

Timeline

We expect to kick off the Delphi process in the early weeks of 2014, with a tangible output for public distribution ready at some point in the spring.