core of research specialists necessary to advance the state of the art; the broad-based education of developers, administrators, and users, making security-conscious practices second nature just as optimizing for performance or functionality is; making it easy and intuitive for users to “do the right thing”; the employment of business drivers and policy mechanisms to facilitate security technology transfer and diffusion of R&D into commercial products and services; and the promotion of risk-based decision making (and metrics to support this effort).

Second, the earlier reports have identified as meriting research investment a number of important areas that are consistent with those identified in this report, including authentication, identity management, secure software engineering, modeling and testbeds, usability, privacy, and benchmarking and best practices. Understanding the intersection between critical infrastructure systems and the IT systems increasingly used to control them is another common theme for research needs.

Third, taken together the activities reviewed give an overall sense that—unless we as a society make cybersecurity a priority—IT systems are likely to become overwhelmed by cyberthreats of all kinds and eventually to be limited in their ability to serve society. This future is avoidable, but precluding it requires the effective coordination and collaboration of private and public sector; continuous, comprehensive, and coordinated research; and appropriate policies to promote security and deter attackers.