The future of systematic information protection

Information plays a critical role in global economics as well as our security, safety, and quality of life. There is a growing disparity between the value of information and our capability to manage and protect it. Technical and policy research is needed to address this disparity. Fundamentally, we can not answer the following question, "how much security is enough?" We lack the capability to quantify the value of information, particularly information that has been processed and aggregated. We also face many difficulties when attempting to measure information security, characterize threats, understand vulnerabilities, or even formulate and sustain any specific security posture. As a result, we can not measure our risk and therefore can not manage it. Our efforts to address this problem can be divided into two categories, legal/policy and technical. Owners of physical assets, such as cash or gold, have the legal and technical means to augment fortification protections with armed guards and lethal force. From a legal perspective, protection of information is limited to fortification, in part because we lack sufficient attribution. From a technical perspective, we have built complex mountains of computer code on top of hardware architectures that will attempt to execute any arbitrary instructions. These systems cannot be effectively analyzed for vulnerabilities so as to ensure trustworthy and secure operation. Research is needed to address the systematic protection of information including information valuation, security metrics, strong attribution, trustworthy computing, sustainable security processes, and legal devices that will support comprehensive protection and risk management.