%0 Journal Article
%J Technology Innovation Management Review
%D 2017
%T Editorial: Cybersecurity (April 2017)
%A Chris McPhee
%A Michael Weiss
%K anomaly detection
%K automation
%K big data
%K cybersecurity
%K exploration
%K Hypponen’s law
%K Internet of Things
%K IOT
%K legislation
%K medical devices
%K privacy
%K real time
%K risk assessment
%K security engineering
%K smart devices
%K value proposition
%K vulnerabilities
%B Technology Innovation Management Review
%I Talent First Network
%C Ottawa
%V 7
%P 3-4
%8 04/2017
%G eng
%U http://timreview.ca/article/1065
%N 4
%1 Technology Innovation Management Review Chris McPhee is Editor-in-Chief of the Technology Innovation Management Review. Chris holds an MASc degree in Technology Innovation Management from Carleton University in Ottawa, Canada, and BScH and MSc degrees in Biology from Queen's University in Kingston, Canada. He has nearly 20 years of management, design, and content-development experience in Canada and Scotland, primarily in the science, health, and education sectors. As an advisor and editor, he helps entrepreneurs, executives, and researchers develop and express their ideas.
%2 Carleton University Michael Weiss holds a faculty appointment in the Department of Systems and Computer Engineering at Carleton University in Ottawa, Canada, and is a member of the Technology Innovation Management program. His research interests include open source, ecosystems, mashups, patterns, and social network analysis. Michael has published on the evolution of open source business, mashups, platforms, and technology entrepreneurship.
%R http://doi.org/10.22215/timreview/1065

%0 Journal Article
%J Technology Innovation Management Review
%D 2017
%T The Internet of (Vulnerable) Things: On Hypponen's Law, Security Engineering, and IoT Legislation
%A Mikko Hypponen
%A Linus Nyman
%K consumers
%K cybersecurity
%K Hypponen’s law
%K Internet of Things
%K IOT
%K legislation
%K manufacturers
%K security engineering
%K smart devices
%K vulnerability
%X The Internet of Things (IoT) and the resulting network-connectedness of everyday objects and appliances in our lives bring not only new features and possibilities, but also significant security concerns. These security concerns have resulted in vulnerabilities ranging from those limited in effect to a single device to vulnerabilities that have enabled IoT-based botnets to take over hundreds of thousands of devices to be used for illegal purposes. This article discusses the vulnerable nature of the IoT – as symbolized by Hypponen’s law – and the parts both manufacturers and consumers play in these vulnerabilities. This article makes the case for the importance of security engineering for IoT manufacturers, highlights some significant issues to help consumers address these vulnerabilities, and argues for legislation as perhaps the only reliable means of securing the Internet and its connected devices.
%B Technology Innovation Management Review
%I Talent First Network
%C Ottawa
%V 7
%P 5-11
%8 04/2017
%G eng
%U http://timreview.ca/article/1066
%N 4
%1 F-Secure Mikko Hypponen is Chief Research Officer at F-Secure. He has written about his research for The New York Times, Wired, and Scientific American, and he has lectured at several universities, among them Stanford, Oxford, and Cambridge. He has been selected as one of the 50 most important people on the web by PC World Magazine and was included in the FP Global Thinkers list. He is a member of the board of the Nordic Business Forum and the advisory board of the t2 infosec conference.
%2 Hanken School of Economics Linus Nyman is an Assistant Professor at the Hanken School of Economics in Helsinki, Finland. He has lectured on a range of topics, including corporate strategy and open source software development. His current research focuses on information security and privacy, which are topics he also covers in a blog for the Finnish daily newspaper Hufvudstadsbladet. Linus holds a PhD and a Master’s degree, both from the Hanken School of Economics.
%R http://doi.org/10.22215/timreview/1066

%0 Journal Article
%J Technology Innovation Management Review
%D 2013
%T A Research Agenda for Security Engineering
%A Rich Goyette
%A Yan Robichaud
%A François Marinier
%K cybersecurity
%K information system security engineering
%K research
%K risk management
%K security engineering
%K security measurement
%K threat modelling
%X Despite nearly 30 years of research and application, the practice of information system security engineering has not yet begun to exhibit the traits of a rigorous scientific discipline. As cyberadversaries have become more mature, sophisticated, and disciplined in their tradecraft, the science of security engineering has not kept pace. The evidence of the erosion of our digital security – upon which society is increasingly dependent – appears in the news almost daily. In this article, we outline a research agenda designed to begin addressing this deficit and to move information system security engineering toward a mature engineering discipline. Our experience suggests that there are two key areas in which this movement should begin. First, a threat model that is actionable from the perspectives of risk management and security engineering should be developed. Second, a practical and relevant security-measurement framework should be developed to adequately inform security-engineering and risk-management processes.
Advances in these areas will particularly benefit business/government risk assessors as well as security engineers performing security design work, leading to more accurate, meaningful, and quantitative risk analyses and more consistent and coherent security design decisions. Threat modelling and security measurement are challenging activities to get right – especially when they need to be applied in a general context. However, these are decisive starting points because they constitute the foundation of a scientific security-engineering practice. Addressing these challenges will require stronger and more coherent integration between the sub-disciplines of risk assessment and security engineering, including new tools to facilitate that integration. More generally, changes will be required in the way security engineering is both taught and practiced to take into account the holistic approach necessary from a mature, scientific discipline.
%B Technology Innovation Management Review
%I Talent First Network
%C Ottawa
%V 3
%P 41-50
%8 08/2013
%G eng
%U http://timreview.ca/article/715
%N 8
%1 Communications Security Establishment Canada Richard Goyette is Senior Security Architect at Communications Security Establishment Canada. Richard has a BEng and MEng in Electrical Engineering, both from the Royal Military College of Canada in Kingston, Canada. Richard spent 22 years as a Signals officer in the Canadian Forces, where he was involved with a multitude of projects in the areas of intelligence, security, and command and control. He is currently employed in the area of architecture and technology assurance developing security guidance for the wider Government of Canada.
%2 Communications Security Establishment Canada Yan Robichaud is a Senior Security Architect at Communications Security Establishment Canada. Yan has a BASc degree in Computer Engineering and MSc degree in Electrical Engineering, both from Université Laval, Québec City, Canada.
He provides advice and guidance related to security architecture and engineering, threat assessment, and risk management to Government of Canada departments and agencies. He is involved in key government IT initiatives, such as large IT consolidation projects, enterprise security architecture, and the security of space-based systems. Yan is also involved in the development of IT security courses and leads the production of publications about IT-security guidance, such as "ITSG-33 IT Security Risk Management: A Lifecycle Approach".
%3 François Marinier is an independent IT security analyst with experience in all facets of IT-security risk management. François started his career working in computer operations and mainframe application support. He eventually migrated to IT security, where he acquired knowledge and experience in the development and application of processes for IT-security risk management. He has also worked as an analyst, supporting large IT-infrastructure initiatives, in both the public and private sectors. For the last three years, François has dedicated his work almost exclusively to the development of ITSG-33, the next generation of guidelines for IT security risk management for the Government of Canada.
%R http://doi.org/10.22215/timreview/715