Institute for Information Infrastructure Protection
The Institute for Information Infrastructure Protection is a consortium of national cyber security institutions, including academic research centers, U.S. federal government laboratories, and nonprofit organizations, all of which have long-standing, widely recognized expertise in cyber security research and development. The I3P is managed by The George Washington University, which is home to a small administrative staff that oversees and helps direct consortium activities.
The I3P coordinates and funds cyber security research related to critical infrastructure protection and hosts high impact workshops that bring together leaders from both the public and private sectors. The I3P brings a multi-disciplinary and multi-institutional perspective to complex and difficult problems, and works collaboratively with stakeholders in seeking solutions. Since its founding in 2002, more than 100 researchers from a wide variety of disciplines and backgrounds have worked together to better understand and mitigate critical risks in the field of cyber security.
History
The I3P came into existence following several government assessments of the U.S. information infrastructure’s susceptibility to catastrophic failure. The first study, published in 1998 by the United States President's Council of Advisors on Science and Technology, recommended that a nongovernmental organization be formed to address national cyber security issues. Subsequent studies–by the Institute for Defense Analyses, as well as a white paper jointly produced by the National Security Council and the Office of Science and Technology Policy–agreed with the PCAST assessment, affirming the need for an organization dedicated to protecting the nation’s critical infrastructures.In 2002, the I3P was founded at Dartmouth College through a grant from the federal government?. Martin Wybourne chaired the I3P from 2003 to 2015. Since its inception, the I3P has:
- coordinated a national cyber security research and development program
- built informational and research bridges among academic, industrial and government stakeholders
- developed and delivered technologies to address an array of vulnerabilities
Member Institutions
The I3P consortium consists of 18 academic research centers, 5 national laboratories, and 3 nonprofit research organizations.- Binghamton University
- Carnegie Mellon University, H. John Heinz III College of Public Policy and Management
- Carnegie Mellon University, Software Engineering Institute
- Dartmouth College
- George Mason University
- George Washington University
- Georgia Institute of Technology
- Idaho National Laboratory
- Indiana University
- Johns Hopkins University
- Lawrence Berkeley National Laboratory
- MITRE Corporation
- New York University
- Oak Ridge National Laboratory
- Pacific Northwest National Laboratory
- Purdue University
- RAND Corporation
- Sandia National Laboratories
- SRI International
- University of California, Berkeley
- University of California, Davis
- University of Idaho
- University of Illinois
- University of Massachusetts, Amherst
- University of Tulsa
- University of Virginia
Research areas
2011-2014 Research Projects
Advanced Technological EducationThe I3P has partnered with the Community College System of New Hampshire on an educational project, “Cybersecurity in Healthcare Industry: Curriculum Adaptation and Implementation.” Funded by the National Science Foundation’s Advanced Technological Education program, the goal of the project is to produce well-qualified technicians to serve the healthcare information technology needs of rural northern New England.
Improving CSIRTs
The I3P launched a project called "Improving CSIRT Skills, Dynamics, and Effectiveness." This effort, funded by the Department of Homeland Security's Science and Technology Directorate, aims to explore what makes and sustains a good CSIRT. The results should help organizations ensure that their CSIRTs fulfill their maximum potential and become an invaluable tool in securing cyber infrastructure. The interdisciplinary team working on the new project will include cyber security and business researchers from Dartmouth College, organizational psychologists from George Mason University, and researchers and practitioners from Hewlett-Packard.
Usable Security
In April 2011, I3P convened a NIST-sponsored workshop examining the challenge of integrating security and usability into the design and development of software. One of the several workshop recommendations was the development of case studies to show software developers how usable security has been integrated into an organization's software development process. Consequently, the I3P has begun a Usable Security Project. Using a uniform study methodology, the project will document usable security in three different organizations. The results will be used to understand how key usable security problems were addressed, to teach developers about solutions, and to enable other researchers to perform comparable studies.
Information Sharing
The nation's Critical Infrastructure is under threat of cyber attack today as never before. The main response to the cyber threat facing the country is increased information sharing. Traditionally, agencies store data in data bases, and the information is not readily available to others who might benefit from it. The Obama administration made it clear that this strategy will not work – data must be readily available for sharing. The preferred way to do this would be using a cloud, where numerous government agencies would all store information, and the information would be available to all who have the appropriate credentials. This model has tremendous added benefits – but what are the associated risks? Researchers from RAND and The University of Virginia took on the challenge of answering that question in our Information Sharing Project.
2010-2011 Research Projects
Privacy in the Digital EraResearchers from five I3P academic institutions are engaged in a sweeping effort to understand privacy in the digital era. Over the course of 18 months, this research project will take a multidisciplinary look at privacy, examining the roles of human behavior, data exposure, and policy expression on the way people understand and protect their privacy.
Leveraging Human Behavior to Reduce Cyber Security Risk
This project brings a behavioral-sciences lens to security, examining the interface between human beings and computers through a set of rigorous empirical studies. The multi-disciplinary project draws together social scientists and information security professionals to illuminate the intricacies of human perceptions, cognitions, and biases, and how these impact computer security. The project’s goal is to leverage these new insights in a way that produces more secure systems and processes.
2008-2009 Research Projects
Better Security Through Risk PricingI3P researchers on this project have examined ways to quantify cyber risk by exploring the potential for a multi-factor scoring system, analogous to risk scoring in the insurance sector. Overall, the work takes into account the two key determinants of cyber risk: technologies that reduce the likelihood of attack and internal capabilities to respond to successful or potential attacks.
2007-2009 Research Projects
Survivability and Recovery of Process Control Systems ResearchThis project builds on an earlier I3P project in control-systems security to develop strategies for enhancing control-system resilience and allowing for rapid recovery in the event of a successful cyber attack.
Business Rationale for Cyber Security
This project, an offshoot of an earlier study on the economics of security, addresses the challenge of corporate decision-making when it comes to investing in cyber security. It attempted to answer questions such as, “How much is needed?” “How much is enough?” “And how does one measure the return on investment?” The study includes an investigation of investment strategies, including risks and vulnerabilities, supply-chain interdependencies and technological fixes.
Safeguarding Digital Identity
Multidisciplinary in scope, this project addresses the security of digital identities, emphasizing the development of technical approaches for managing digital identities that also meet political, social and legal needs. The work has focused primarily on the two sectors for which privacy and identity protection are paramount: financial services and healthcare.
Insider Threat
This project addresses the need to detect, monitor and prevent insider attacks, which can inflict serious harm on an organization. The researchers have undertaken a systematic analysis of insider threat, one that addresses technical challenges but also takes into account ethical, legal and economic dimensions.