policies would be helpful. Thus, better system-administration tools for specifying security policies and checking system configurations quickly against prespecified configurations should be developed.

Auditing Functionality. Validation sets are used to ensure that a piece of hardware (e.g., a chip) has the functionality that its design calls for. However, these sets typically test for existing functionality—that is, can the hardware properly perform some specified function? They do not test for unauthorized functionality that might have been improperly inserted, perhaps by someone seeking to corrupt a production or distribution chain. Research is needed for developing tools to ensure that all of the called-for functionality is present and that no additional functionality is present as well.

Managing Trade-offs Between Functionality and Security. As a general rule, more secure systems are harder to use and have fewer features.29 Conversely, features—such as executable content and remote administration—can introduce unintended vulnerabilities even as they bring operational benefits. (For example, newer word processors allow the embedding of macros into word processing files, a fact that results in a new class of vulnerabilities for users of those programs as well as added convenience.) More research is required for performing essential trade-offs between a rich feature set and resistance to attack.

Transparent, or at least point-and-click, security would be more acceptable to users and hence would be employed more frequently. For example, there are many authentication mechanisms, both electronic and physical, but the most convenient one to use—passwords—has many serious, well-known disadvantages. Smart cards are more secure, but a user must have them available when needed. New authentication mechanisms that combine higher security with lower inconvenience are needed.

Security Metrics. Many quantitative aspects of security are not well understood. For example, if a given security measure is installed—and installed properly (something that cannot be assumed in general)—there is no way of knowing by how much system security has increased. Threat models are often characterized by actuarial data and probability distributions in which the adverse effects of vulnerabilities are prioritized on the basis of how likely it is that they will occur; but such models are of little use in countering deliberate terrorist attacks that seek to exploit nominally low-probability vulnerabilities. Notions such as calculating the return on a security investment—common in other areas in which security is an issue—are not well understood either, thus making quantitative risk manage-
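The contrast drawn above between actuarial threat models and deliberate attacks can be made concrete with a small worked example. The following Python is an added illustration, not part of the report: it ranks a constructed table of hypothetical vulnerabilities first by annualized expected loss (probability times impact) and then from an adversary's perspective (loss achievable per unit of attacker effort, ignoring the base rate), and shows how a fixed remediation budget spent according to each ranking leaves a different worst-case exposure. All names, probabilities, impacts and costs are constructed for the example.

```python
"""Added illustration: likelihood-weighted prioritization versus an
adversary-aware ranking. All data below is constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    annual_probability: float  # actuarial estimate of occurrence per year
    impact: float              # loss if exploited, arbitrary currency units
    attacker_cost: float       # relative effort for a deliberate adversary (constructed scale)


# Constructed sample vulnerabilities; every number is illustrative only.
SAMPLE_VULNS = [
    Vulnerability("weak-password-on-portal", 0.30, 50_000, 1.0),
    Vulnerability("unpatched-web-server", 0.25, 200_000, 2.0),
    Vulnerability("backup-site-shares-power-feed", 0.008, 5_000_000, 4.0),
    Vulnerability("unsigned-firmware-update-path", 0.001, 20_000_000, 6.0),
]

# Constructed cost to remediate each item.
FIX_COST = {
    "weak-password-on-portal": 10_000,
    "unpatched-web-server": 15_000,
    "backup-site-shares-power-feed": 60_000,
    "unsigned-firmware-update-path": 80_000,
}


def expected_loss_ranking(vulns):
    """Actuarial view: rank by annualized loss expectancy (probability * impact)."""
    return sorted(vulns, key=lambda v: v.annual_probability * v.impact, reverse=True)


def adversarial_ranking(vulns):
    """Deliberate-attacker view: the historical base rate is irrelevant because
    the adversary chooses the target; rank by impact per unit of attacker effort."""
    return sorted(vulns, key=lambda v: v.impact / v.attacker_cost, reverse=True)


def top_n_names(ranking, n=1):
    return [v.name for v in ranking[:n]]


def fix_within_budget(ranking, fix_cost, budget):
    """Greedy remediation: walk the ranking, fixing each item that still fits the budget."""
    fixed, remaining = [], budget
    for v in ranking:
        if fix_cost[v.name] <= remaining:
            fixed.append(v.name)
            remaining -= fix_cost[v.name]
    return fixed


def worst_case_residual(vulns, fixed):
    """Largest single loss still available to an attacker after remediation."""
    return max((v.impact for v in vulns if v.name not in fixed), default=0.0)


def expected_loss_residual(vulns, fixed):
    """Annualized expected loss remaining after remediation (the actuarial metric)."""
    return sum(v.annual_probability * v.impact for v in vulns if v.name not in fixed)


if __name__ == "__main__":
    budget = 100_000
    for label, ranking in (("actuarial", expected_loss_ranking(SAMPLE_VULNS)),
                           ("adversarial", adversarial_ranking(SAMPLE_VULNS))):
        fixed = fix_within_budget(ranking, FIX_COST, budget)
        print(f"{label:12s} fixes {fixed}")
        print(f"{'':12s} expected residual loss: {expected_loss_residual(SAMPLE_VULNS, fixed):,.0f}")
        print(f"{'':12s} worst-case residual loss: {worst_case_residual(SAMPLE_VULNS, fixed):,.0f}")
```

With the constructed figures, the actuarial plan minimizes expected annual loss but leaves the highest-impact item unfixed, which is exactly the low-probability, high-consequence case the passage says such models handle poorly; the adversarial plan accepts a higher expected loss in exchange for a much smaller worst case. Neither ranking is "right" on its own, which is the point about missing metrics for comparing them.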

29 CSTB (1990), pp. 159-160.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.