The global nature of modern computing ecosystems and supply chains has led to increased interest among technologists and policy makers in studying approaches to trust. In technology, research on trust, trustworthiness, and trusted systems has risen sharply over the last decade, leading to the emergence of more flexible and nuanced concepts than the earlier views represented by the first generation of Trusted Computing. Descriptors such as “flexible”, “agile”, or “nuanced” abound in recent writing on trust, and broader trust frameworks, such as “trust evidence”, have started to gain ground.
Flexibility and agility are necessary to address the complexity and diversity of today’s computing environment. IoT is a general example: it includes a broad range of systems and systems of systems, from single-function sensors to industrial control operations and Smart Cities. The technologies in this space have lifespans ranging from single use, for some sensors, to decades, for some industrial environments. The contexts of use range from casual to mission-critical. Today’s IT and productivity systems are also very diverse. Progress in these environments is impossible without addressing the specific requirements of extremely diverse contexts, but it is also imperative to create broadly applicable, cross-cutting approaches to trust and risk management, not only to ensure interoperability and consistency, but also to address security and privacy in very complex ecosystems, such as Smart Cities.
The need to create cross-cutting approaches to trust has affected views on security evaluation. Traditional security evaluation schemes require a certain level of stability in the core technology, due to the nature of the traditional evaluation frameworks. These evaluation environments will continue to be relevant, and they are adapting to new environments and processes, but more flexible approaches are also needed to meet the needs of fast-changing technology areas. The need for flexibility and agility has already been embraced by governments and technology communities through their work on a number of self-assessment systems. To give a few examples: the US government fostered the development of the NIST Cybersecurity Framework (CSF), which is based on self-assessment principles; the UK government has promoted Cyber Essentials, another self-assessment paradigm geared towards small businesses; industry organizations have moved forward with the creation of self-assessment frameworks adjusted for modern environments, such as GSMA’s extensible IoT security self-assessment framework; and, in the area of capacity building, Oxford’s Capacity Building Centre has defined a broadly applicable evaluation approach based on the new capability maturity model developed by the Centre. The list could be extended.
Although interest in self-assessment approaches is growing, flexible security self-assessment frameworks for fast-moving emerging technology spaces are still in their infancy. The existing efforts hold considerable promise. In time, these approaches are likely to mature and become international standards, with well-developed assessment and benchmarking frameworks.