they might be. Participants agreed that understanding why this is the case⁴ and how to use available tools more effectively might be more useful than generating new research in these specific areas. Internal firewalls were also mentioned as a technique to achieve better protection against insider misuse.

Due to the vast amounts of data that are collected in audit logs it can be difficult to glean relevant information from them. However, even when not useful for on-the-fly analysis, audit logs, if properly created and secured, can be used as forensic evidence after the fact. Unfortunately, retaining large volumes of audit logs for long periods is quite expensive. Cost is always a factor. Participants pointed out that large amounts of money have been spent on nuclear security with good results. Risk management thus becomes a significant factor in deciding what amount of effort and resources to allocate to combating the insider threat. As another example, credit card companies go to great lengths to prevent and detect fraud. It was argued that the percentage of false positives (valid transactions deemed invalid) and false negatives (invalid transactions deemed valid)⁵ such companies will accept is much greater than that acceptable in some other domains (such as national security).

The mix of technologies that is employed in effecting information security deserves scrutiny. Questions that need to be asked include: What set of tools, technologies and strategies constitutes good security practice? Is there a widely accepted standard? If so, is it possible to reduce it to a set of business rules? If not, how could such a standard be developed? Participants identified a significant amount of technology that seems mature but whose application and/or implementation is less than optimal. The reasoning behind decisions about why and when such technology is deployed needs to be understood and communicated. Adding to the complexity, different security mechanisms are deployed in different environments. Often, strong security measures are not applied because the implementation is too difficult is or is too user-unfriendly. Further examinations of how to better make use of available technology are needed. Distinguishing between best security practices and best business practices may prove useful in articulating the issues involved. Participants acknowledged the challenges in communicating technical security concerns to managers whose attention is often elsewhere.

There are a number of new research areas related to information security being explored. A list of potential research topics, some already underway include:

• Attack specification languages

• Intrusion Detection (signature-based, anomaly detection, object-based, distance measures, policy-based)

• New models of inside threat versus outside threat

• Authentication of roles, rights, privileges