Dagstuhl-Seminar 19451
Biggest Failures in Security
( 03. Nov – 08. Nov, 2019 )
Permalink
Organisatoren
- Frederik Armknecht (Universität Mannheim, DE)
- Ingrid Verbauwhede (KU Leuven, BE)
- Melanie Volkamer (KIT - Karlsruher Institut für Technologie, DE)
- Moti Yung (Columbia University - New York, US)
Kontakt
- Andreas Dolzmann (für wissenschaftliche Fragen)
- Annette Beyer (für administrative Fragen)
Programm
In the present era of ubiquitous digitalization, security is a concern for everyone. Despite enormous efforts, securing IT systems still remains an open challenge for community and industry. One of the main reasons is that the variety and complexity of IT systems keeps increasing, making it practically impossible for security experts to grasp the full system. A further problem is that security has become an interdisciplinary challenge. While inter-disciplinary research does exist already, it is mostly restricted to collaborations between two individual disciplines and has been rather bottom-up by focusing on very specific problems.
The idea of the Dagstuhl Seminar is to go one step back and to follow a comprehensive top-down approach instead. The goal is to identify the "biggest failures" in security and to get a comprehensive understanding on their overall impact on security. To this end, the focus will be on the following questions:
- What are the main recurring reasons within disciplines why security solutions fail, i.e., the biggest failures? (Top View)
- How do these failures impact solutions that haven been developed in other sub-disciplines? (Broad View)
- What are possible strategies to solve these problems?
The Dagstuhl Seminar will be roughly divided into two parts. In the first half, experienced experts from different disciplines will give overview talks on the main problems of their field. Based on these, overlapping topics but also common research interests among the participants will be identified. The second half of the seminar is then reserved for discussions in individual working groups.
General Introduction
In the present era of ubiquitous digitalization, security is a concern for everyone. Consequently, it evolved as one of the most important fields in computer science.
However, one may get the impression that the situation is hopeless. Nearly on a daily basis, reports of new security problems and cyberattacks are published. Thus, one has to admit that despite the huge efforts continuously invested since many decades, securing IT systems remains an open challenge for community and industry.
One of the main reasons is that the variety and complexity of IT systems keeps increasing, making it practically impossible for security experts to grasp the full system. This results into the development of independent and isolated security solutions that at best can close some specific security holes. Summing up, security requires to solve an increasing number of inter- and intradisciplinary challenges while current approaches are not sufficiently effective. The aim of this seminar was to gain an interdisciplinary view on security and to identify new strategies for comprehensively securing IT systems.
Goals
The goals of the seminar was to address the following main challenges and to commonly discuss solution strategies:
Challenge 1: Interdisciplinarity The topic of security is getting more and more complex and already understanding the state-of-the-art within one discipline is highly challenging. This makes it practically impossible to understand the problems and constraints from other disciplines. Moreover, different disciplines often have their own methods and "culture". From our experience, working with colleagues from other disciplines requires at the beginning an enormous effort to understand each other. The complexity grows even further when more than two disciplines are involved.
Challenge 2: Variety of Problems In each discipline, a variety of problems do exist. Naturally, researchers have to single out specific problems that they work on instead of aiming for comprehensive solutions. The selection of problems usually depends on several factors, e.g., background of the researcher, topicality of the subject, etc. Most often, researchers aim for solving very specific problems rather than coming up with more comprehensive solutions. Moreover, the selection is driven by interdisciplinary factors.
For sure, interdisciplinary research does exist already. However, it is mostly restricted to address very few disciplines and has been rather bottom-up by focusing on very specific problems. Instead, the scope of the seminar was to aim for a broad top-down approach. To this end, the focus was on the following questions:
- What are the main recurring reasons within disciplines why security solutions fail, i.e., the biggest failures? (Top View)
- How do these failures impact solutions developed in other sub-disciplines? (Broad View)
- What are possible strategies to solve these problems?
Sturcture
The seminar was structured accordingly. Before the seminar, a survey was conducted where the participants have been asked, what they consider to be biggest failures in security. The list of participants was composed of experts from different, selected sub-fields who were encouraged to explain the main challenges in their field to the audience. Here, ample opportunities for discussions have been provided. That is, instead of having many different talks back-to-back, we had several overview talks from different fields within the first few days. Afterwards, the whole audience commonly identified three topics to be further investigated in separate working groups:
- The process and role of certifications
- The human factor in security
- The education of the society in security
These subgroups met in parallel and worked on specific questions. The remaining days were composed of workgroup meetings and individual talks. At the end of the seminar, the workgroups reported to the whole audience their findings.
This report summarizes the finding of the survey (Section 3), the topics of the individual talks (Section 4), and also the findings of the individual workgroups (Section 5).
- Tigist Abera (TU Darmstadt, DE) [dblp]
- Magnus Almgren (Chalmers University of Technology - Göteborg, SE) [dblp]
- Frederik Armknecht (Universität Mannheim, DE) [dblp]
- Daniel J. Bernstein (University of Illinois - Chicago, US) [dblp]
- Sarani Bhattacharya (KU Leuven, BE) [dblp]
- Robert Biddle (Carleton University - Ottawa, CA) [dblp]
- Begül Bilgin (Rambus - Rotterdam, NL & KU Leuven, BE) [dblp]
- Dominik Brodowski (Universität des Saarlandes, DE) [dblp]
- Marc C. Dacier (EURECOM - Sophia Antipolis, FR) [dblp]
- Hervé Debar (Télécom SudParis, FR) [dblp]
- Fabio di Franco (ENISA - Attica, GR) [dblp]
- Sven Dietrich (City University of New York, US) [dblp]
- Felix Freiling (Universität Erlangen-Nürnberg, DE) [dblp]
- Daisuke Fujimoto (Nara Institute of Science and Technology, JP) [dblp]
- Lucy Hunt (Lancaster University, GB) [dblp]
- Ghassan Karame (NEC Laboratories Europe - Heidelberg, DE) [dblp]
- Stefan Katzenbeisser (Universität Passau, DE) [dblp]
- Florian Kerschbaum (University of Waterloo, CA) [dblp]
- Youngwoo Kim (Nara Institute of Science and Technology, JP) [dblp]
- Tanja Lange (TU Eindhoven, NL) [dblp]
- Gabriele Lenzini (University of Luxembourg, LU) [dblp]
- Olivier Levillain (Télécom SudParis - Evry, FR) [dblp]
- Volkmar Lotz (SAP Labs France - Mougins, FR) [dblp]
- Michael Meier (Universität Bonn, DE) [dblp]
- Joachim Meyer (Tel Aviv University, IL) [dblp]
- Vasily Mikhalev (Universität Mannheim, DE) [dblp]
- Christian Müller (Universität Mannheim, DE) [dblp]
- Sebastian Pape (Goethe-Universität Frankfurt am Main, DE) [dblp]
- Michalis Polychronakis (Stony Brook University, US) [dblp]
- Kai Rannenberg (Goethe-Universität Frankfurt am Main, DE) [dblp]
- Ahmad-Reza Sadeghi (TU Darmstadt, DE) [dblp]
- Kazue Sako (NEC - Kawasaki, JP) [dblp]
- Martina Angela Sasse (Ruhr-Universität Bochum, DE) [dblp]
- Stephan Somogyi (Google Inc. - Mountain View, US) [dblp]
- Christoph Sorge (Universität des Saarlandes, DE) [dblp]
- Borce Stojkovski (University of Luxembourg, LU) [dblp]
- Ingrid Verbauwhede (KU Leuven, BE) [dblp]
- Melanie Volkamer (KIT - Karlsruher Institut für Technologie, DE) [dblp]
- Edgar Weippl (SBA Research - Wien, AT) [dblp]
- Lennert Wouters (KU Leuven, BE) [dblp]
- Yuval Yarom (University of Adelaide, AU) [dblp]
- Moti Yung (Columbia University - New York, US) [dblp]
Klassifikation
- security / cryptology
- society / human-computer interaction
Schlagworte
- Security Engineering
- Cryptography
- Hardware
- Usability
- Software Engineering