Institute for Information Infrastructure Protection

The Institute for Information Infrastructure Protection (I3P) is a consortium of national cyber security institutions, including academic research centers, U.S. federal government laboratories, and nonprofit organizations, all of which have long-standing, widely recognized expertise in cyber security research and development (R&D). The I3P is managed by The George Washington University, which is home to a small administrative staff that oversees and helps direct consortium activities.[1]

The Institute for Information Infrastructure Protection (I3P)
AbbreviationI3P
Founded2002
Typeresearch institute
Focuscomputer security
critical infrastructure protection
Location
OriginsDartmouth College
Key people
Diana L. Burley, Executive Director
Martin N. Wybourne, Director Emeritus
Websitehttp://www.thei3p.org

The I3P coordinates and funds cyber security research related to critical infrastructure protection and hosts high impact workshops that bring together leaders from both the public and private sectors.[2][3] The I3P brings a multi-disciplinary and multi-institutional perspective to complex and difficult problems, and works collaboratively with stakeholders in seeking solutions. Since its founding in 2002,[4] more than 100 researchers from a wide variety of disciplines and backgrounds have worked together to understand better and mitigate critical risks in the field of cyber security.

History

edit

The I3P came into existence following several government assessments of the U.S. information infrastructure's susceptibility to catastrophic failure. The first study, published in 1998 by the United States President's Council of Advisors on Science and Technology (PCAST), recommended that a nongovernmental organization be formed to address national cyber security issues. Subsequent studies–by the Institute for Defense Analyses, as well as a white paper jointly produced by the National Security Council and the Office of Science and Technology Policy, agreed with the PCAST assessment, affirming the need for an organization dedicated to protecting the nation's critical infrastructures.[4]

In 2002, the I3P was founded at Dartmouth College through a grant from the federal government.[2] Martin Wybourne chaired the I3P from 2003 to 2015. Since its inception, the I3P has:

  • coordinated a national cyber security research and development program
  • built informational and research bridges among academic, industrial, and government stakeholders
  • developed and delivered technologies to address an array of vulnerabilities

Funding for the I3P has come from various sources, including the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST) and the National Science Foundation (NSF).[5]

Member Institutions

edit

The I3P consortium consists of 18 academic research centers, 5 national laboratories, and 3 nonprofit research organizations.[6]

Each member institution appoints a primary and secondary representative to attend regular consortium meetings.[7]

Research areas

edit

2011-2014 Research Projects

edit

Advanced Technological Education

edit

The I3P has partnered with the Community College System of New Hampshire (CCSNH) on an educational project, “Cybersecurity in Healthcare Industry: Curriculum Adaptation and Implementation.” Funded by the National Science Foundation’s (NSF) Advanced Technological Education (ATE) program, the goal of the project is to produce well-qualified technicians to serve the healthcare information technology needs of rural northern New England.

Improving CSIRTs

edit

The I3P launched a project called "Improving CSIRT Skills, Dynamics, and Effectiveness." This effort, funded by the United States Department of Homeland Security's Science and Technology Directorate, aims to explore what makes and sustains a good CSIRT. The results should help organizations ensure that their CSIRTs fulfill their maximum potential and become invaluable tools in securing cyber infrastructure. The interdisciplinary team working on the new project will include cyber security and business researchers from Dartmouth College, organizational psychologists from George Mason University, and researchers and practitioners from Hewlett-Packard.

Usable Security

edit

In April 2011, I3P convened a NIST-sponsored workshop examining the challenge of integrating security and usability into the design and development of software. One of the several workshop recommendations was the development of case studies to show software developers how usable security has been integrated into an organization's software development process. Consequently, the I3P has begun a Usable Security Project. Using a uniform study methodology, the project will document usable security in three different organizations. The results will be used to understand how key usable security problems were addressed, to teach developers about solutions, and to enable other researchers to perform comparative studies.

Information Sharing

edit

The nation's Critical Infrastructure is under threat of cyber attack today as never before. The main response to the cyber threat facing the country is increased information sharing. Traditionally, agencies store data in databases, and the information is not readily available to others who might benefit from it. The Obama administration made it clear that this strategy will not work – data must be readily available for sharing. The preferred way to do this would be using a cloud, where numerous government agencies would all store information, and the information would be available to all who have the appropriate credentials. This model has tremendous added benefits – but what are the associated risks? Researchers from RAND and The University of Virginia took on the challenge of answering that question in our Information Sharing Project.

2010-2011 Research Projects

edit

Privacy in the Digital Era

edit

Researchers from five I3P academic institutions are engaged in a sweeping effort to understand privacy in the digital era. Over the course of 18 months, this research project will take a multidisciplinary look at privacy, examining the roles of human behavior, data exposure, and policy expression on the way people understand and protect their privacy. [8]

Leveraging Human Behavior to Reduce Cyber Security Risk

edit

This project brings a behavioral-sciences lens to security, examining the interface between human beings and computers through a set of rigorous empirical studies. The multi-disciplinary project draws together social scientists and information security professionals to illuminate the intricacies of human perceptions, cognitions, and biases, and how these impact computer security. The project's goal is to leverage these new insights in a way that produces more secure systems and processes.[9]

2008-2009 Research Projects

edit

Better Security Through Risk Pricing

edit

I3P researchers on this project have examined ways to quantify cyber risk by exploring the potential for a multi-factor scoring system, analogous to risk scoring in the insurance sector. Overall, the work takes into account the two key determinants of cyber risk: technologies that reduce the likelihood of attack and internal capabilities to respond to successful or potential attacks.[10]

2007-2009 Research Projects

edit

Survivability and Recovery of Process Control Systems Research

edit

This project builds on an earlier I3P project in control-systems security to develop strategies for enhancing control-system resilience and allowing for rapid recovery in the event of a successful cyber attack.[11]

Business Rationale for Cyber Security

edit

This project, an offshoot of an earlier study on the economics of security, addresses the challenge of corporate decision-making when it comes to investing in cyber security. It attempted to answer questions such as, “How much is needed?” “How much is enough?” “And how does one measure the return on investment?” The study includes an investigation of investment strategies, including risks and vulnerabilities, supply-chain interdependencies, and technological fixes.[12]

Safeguarding Digital Identity

edit

Multidisciplinary in scope, this project addresses the security of digital identities, emphasizing the development of technical approaches for managing digital identities that also meet political, social, and legal needs. The work has focused primarily on the two sectors for which privacy and identity protection are paramount: financial services and healthcare.[13]

Insider Threat

edit

This project addresses the need to detect, monitor, and prevent insider attacks, which can inflict serious harm on an organization. The researchers have undertaken a systematic analysis of insider threat, one that addresses technical challenges but also takes into account ethical, legal, and economic dimensions.[14]

U.S. Senate Cyber Security Report

edit

The I3P delivered a report titled National Cyber Security Research and Development Challenges: An Industry, Academic and Government Perspective,[15] to U.S. Senators Joseph Lieberman and Susan Collins on February 18, 2009. The report reflects the finding of three forums hosted by the I3P in 2008[16][17] that brought together high-level experts from industry, government and academia to identify R&D opportunities that would advance cyber security research in the next five to 10 years. The report contains specific recommendations for technology and policy research that reflect the input of the participants and also the concerns of both the public and private sectors.

Workshops

edit

The I3P connects with and engages with stakeholders through workshops and other outreach activities that are often held in partnership with other organizations. The workshops encompass a range of topics, some directly related to I3P research projects; others that are intended to bring the right people together to probe a particularly difficult foundational challenge, such as security systems engineering or workforce development.[18]

Postdoctoral Fellowship Program

edit

The I3P sponsored a postdoctoral research fellowship program from 2004 to 2011 that provides funding for a year of research at an I3P member institution. These competitive awards were granted according to the merit of the proposed work, the extent to which the proposed work explored creative and original concepts, and the potential impact of the topic on the U.S. information infrastructure. Prospective applicants were expected to address a core area of cyber security research, including trustworthy computing, enterprise security management, secure systems engineering, network response, and recovery, identity management and forensics, wireless computing and metrics, as well as the legal, policy, and economic dimensions of security.[3]

References

edit
  1. ^ People
  2. ^ a b "About". thei3p.org. Archived from the original on 2015-10-07. Retrieved 2015-10-06.
  3. ^ a b "Initiatives". thei3p.org. Retrieved 2015-10-06.
  4. ^ a b "History". thei3p.org. Retrieved 2015-10-06.
  5. ^ "History". thei3p.org. Retrieved 2015-10-06.
  6. ^ "Member Institutions". www.thei3p.org. Archived from the original on 2015-10-07. Retrieved 2015-10-06.
  7. ^ "Institute for Information Infrastructure Protection (I3P) | Member Representatives". www.thei3p.org. Archived from the original on 2015-10-07. Retrieved 2015-10-06.
  8. ^ "Privacy Policies, Perceptions and Trade-offs" (PDF). Thei3p.org. Archived from the original (PDF) on 20 March 2012. Retrieved 26 February 2015.
  9. ^ "Human Behavior Project". Thei3p.org. Archived from the original on 2012-03-01. Retrieved 2013-09-02.
  10. ^ "Better Security Through Risk Pricing". Thei3p.org. Archived from the original on 2012-03-01. Retrieved 2013-09-02.
  11. ^ "Survivability and Recovery of Process Control Systems". Thei3p.org. Archived from the original on 2015-01-15. Retrieved 2013-09-02.
  12. ^ "Business Rationale for Cyber Security". Thei3p.org. Archived from the original on 2012-03-01. Retrieved 2013-09-02.
  13. ^ "Safeguarding Digital Identity". Thei3p.org. Archived from the original on 2012-03-01. Retrieved 2013-09-02.
  14. ^ "Human Behavior, Insider Threat and Awareness". Thei3p.org. Archived from the original on 2013-08-14. Retrieved 2013-09-02.
  15. ^ "Senate Report". Thei3p.org. Archived from the original on 2012-10-25. Retrieved 2013-09-02.
  16. ^ Oltsik, Jon (2009-03-03). "A busy cybersecurity week in Washington | Security & Privacy - CNET News". News.cnet.com. Retrieved 2013-09-02.
  17. ^ "Report from Dartmouth's Institute for Information Infrastructure Protection (I3P) makes cyber security research recommendations". Dartmouth.edu. 2010-06-07. Archived from the original on 2012-10-10. Retrieved 2013-09-02.
  18. ^ "News & Events". thei3p.org. Archived from the original on 2015-10-07. Retrieved 2015-10-06.
edit