Why isn’t security research making us more secure?

Stefan Savage Keynote Talk at IEEE S&P
CNS Co-Director Stefan Savage gives a keynote talk at the 46th IEEE Symposium on Security and Privacy in San Francisco on May 14, 2025. The talk is titled “Why isn’t security research making us more secure?”

Over the last 25 years, research in computer security has flourished — thousands of papers written, systems tested, insights gleaned and proposals made. At the same time, public and private sectors have spent untold hundreds of billions to implement cybersecurity efforts. In spite of these efforts, few would confidently argue that this investment in security has produced a commensurate reduction in real-world security outcomes. Why not?

In this talk Stefan Savage opines on this “why not?” question and, in particular, the role of the security research community in this matter. Where do real-world security failures arise and why hasn’t the research community been effective in addressing these failures? What structural challenges and incentives focus the research community in ways that limit its impact? And, perhaps most importantly, what might the security research community do to improve this situation?