Abstract
The role of information assurance (IA) is critical for cyber-based technologies and products, and the risk of cyberterrorism to IA is omnipresent. In particular, to achieve IA, young and dynamically developing technologies and products should use a defined lifecycle that leverages and builds, throughout development, on a rich and proven body of knowledge and practice in risk assessment and management. The software development lifecycle must include the following (not necessarily in sequence): needs and requirements; specifications; contractor selection; conceptual design; systems integration, demonstration, and validation; engineering and manufacturing development, and production; and maintenance and major upgrades. In addition to addressing the functionality of lifecycle development, from the risk analysis perspective it is just as important to focus on (1) the people's perspectives, namely the individual, the team, the management, and the stakeholder; (2) the hardware and software perspectives, especially the risks associated with commercial-off-the-shelf (COTS) products; and (3) the environment within which the entire system operates. This paper follows and builds on two papers previously published in this journal on the risks of terrorism associated with supervisory control and data acquisition (SCADA) and other cyber-dependent systems. Its thesis is that the reliability and integrity of such systems, and thus of the interdependent infrastructures they serve, are contingent on the following three principles of IA and cybersecurity. Adhering to these principles can be instrumental in achieving the desired level of IA and cybersecurity:
(1) The risk of software intrusion must be assessed and managed throughout the software development lifecycle, focusing both on the functionality of software development and on the people involved in the process, knowing that hackers will exploit every weakness in the system.
(2) Achieving information assurance and cybersecurity must be placed high on the priority list of top management. (The two are intricately dependent on software quality and telecommunications fidelity.) This is synonymous with performing a holistic risk assessment and management.
(3) Risk management of cyberterrorism must be the domain priority of the entire development team and the organization's management. It must be achieved from the perspective of the total system throughout the software and system development lifecycles.
Building on the multifarious sources of risk envisioned during the software development lifecycle through Hierarchical Holographic Modeling, resilience in cybersecurity through risk management is discussed. The human role in IA and cybersecurity and the centrality of the educational dimension in risk management are also introduced.
Suggested Citation
Chittister Clyde G. & Haimes Yacov Y., 2006.
"Cybersecurity: From Ad Hoc Patching to Lifecycle of Software Engineering,"
Journal of Homeland Security and Emergency Management, De Gruyter, vol. 3(4), pages 1-23, December.
Handle:
RePEc:bpj:johsem:v:3:y:2006:i:4:p:23:n:7
DOI: 10.2202/1547-7355.1281