Institute for Information Infrastructure Protection

The  Institute for Information Infrastructure Protection (I3P) is a consortium of national cyber security institutions, including academic research centers, U.S. federal government laboratories, and nonprofit organizations, all of which have long-standing, widely recognized expertise in cyber security research and development (R&D). The I3P is managed by The George Washington University, which is home to a small administrative staff that oversees and helps direct consortium activities.

The I3P coordinates and funds cyber security research related to critical infrastructure protection and hosts high impact workshops that bring together leaders from both the public and private sectors. The I3P brings a multi-disciplinary and multi-institutional perspective to complex and difficult problems, and works collaboratively with stakeholders in seeking solutions. Since its founding in 2002, more than 100 researchers from a wide variety of disciplines and backgrounds have worked together to understand better and mitigate critical risks in the field of cyber security.

History
The I3P came into existence following several government assessments of the U.S. information infrastructure's susceptibility to catastrophic failure. The first study, published in 1998 by the United States President's Council of Advisors on Science and Technology (PCAST), recommended that a nongovernmental organization be formed to address national cyber security issues. Subsequent studies–by the Institute for Defense Analyses, as well as a white paper jointly produced by the National Security Council and the Office of Science and Technology Policy, agreed with the PCAST assessment, affirming the need for an organization dedicated to protecting the nation's critical infrastructures.

In 2002, the I3P was founded at Dartmouth College through a grant from the federal government. Martin Wybourne chaired the I3P from 2003 to 2015. Since its inception, the I3P has: Funding for the I3P has come from various sources, including the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST) and the National Science Foundation (NSF).
 * coordinated a national cyber security research and development program
 * built informational and research bridges among academic, industrial, and government stakeholders
 * developed and delivered technologies to address an array of vulnerabilities

Member Institutions
The I3P consortium consists of 18 academic research centers, 5 national laboratories, and 3 nonprofit research organizations. Each member institution appoints a primary and secondary representative to attend regular consortium meetings.
 * Binghamton University
 * Carnegie Mellon University, H. John Heinz III College of Public Policy and Management
 * Carnegie Mellon University, Software Engineering Institute
 * Dartmouth College
 * George Mason University
 * George Washington University
 * Georgia Institute of Technology
 * Idaho National Laboratory
 * Indiana University
 * Johns Hopkins University
 * Lawrence Berkeley National Laboratory
 * MITRE Corporation
 * New York University
 * Oak Ridge National Laboratory
 * Pacific Northwest National Laboratory
 * Purdue University
 * RAND Corporation
 * Sandia National Laboratories
 * SRI International
 * University of California, Berkeley
 * University of California, Davis
 * University of Idaho
 * University of Illinois
 * University of Massachusetts, Amherst
 * University of Tulsa
 * University of Virginia

Advanced Technological Education
The I3P has partnered with the Community College System of New Hampshire (CCSNH) on an educational project, “Cybersecurity in Healthcare Industry: Curriculum Adaptation and Implementation.” Funded by the National Science Foundation’s (NSF) Advanced Technological Education (ATE) program, the goal of the project is to produce well-qualified technicians to serve the healthcare information technology needs of rural northern New England.

Improving CSIRTs
The I3P launched a project called "Improving CSIRT Skills, Dynamics, and Effectiveness." This effort, funded by the United States Department of Homeland Security's Science and Technology Directorate, aims to explore what makes and sustains a good CSIRT. The results should help organizations ensure that their CSIRTs fulfill their maximum potential and become invaluable tools in securing cyber infrastructure. The interdisciplinary team working on the new project will include cyber security and business researchers from Dartmouth College, organizational psychologists from George Mason University, and researchers and practitioners from Hewlett-Packard.

Usable Security
In April 2011, I3P convened a NIST-sponsored workshop examining the challenge of integrating security and usability into the design and development of software. One of the several workshop recommendations was the development of case studies to show software developers how usable security has been integrated into an organization's software development process. Consequently, the I3P has begun a Usable Security Project. Using a uniform study methodology, the project will document usable security in three different organizations. The results will be used to understand how key usable security problems were addressed, to teach developers about solutions, and to enable other researchers to perform comparative studies.

Information Sharing
The nation's Critical Infrastructure is under threat of cyber attack today as never before. The main response to the cyber threat facing the country is increased information sharing. Traditionally, agencies store data in databases, and the information is not readily available to others who might benefit from it. The Obama administration made it clear that this strategy will not work – data must be readily available for sharing. The preferred way to do this would be using a cloud, where numerous government agencies would all store information, and the information would be available to all who have the appropriate credentials. This model has tremendous added benefits – but what are the associated risks? Researchers from RAND and The University of Virginia took on the challenge of answering that question in our Information Sharing Project.

Privacy in the Digital Era
Researchers from five I3P academic institutions are engaged in a sweeping effort to understand privacy in the digital era. Over the course of 18 months, this research project will take a multidisciplinary look at privacy, examining the roles of human behavior, data exposure, and policy expression on the way people understand and protect their privacy.

Leveraging Human Behavior to Reduce Cyber Security Risk
This project brings a behavioral-sciences lens to security, examining the interface between human beings and computers through a set of rigorous empirical studies. The multi-disciplinary project draws together social scientists and information security professionals to illuminate the intricacies of human perceptions, cognitions, and biases, and how these impact computer security. The project's goal is to leverage these new insights in a way that produces more secure systems and processes.

Better Security Through Risk Pricing
I3P researchers on this project have examined ways to quantify cyber risk by exploring the potential for a multi-factor scoring system, analogous to risk scoring in the insurance sector. Overall, the work takes into account the two key determinants of cyber risk: technologies that reduce the likelihood of attack and internal capabilities to respond to successful or potential attacks.

Survivability and Recovery of Process Control Systems Research
This project builds on an earlier I3P project in control-systems security to develop strategies for enhancing control-system resilience and allowing for rapid recovery in the event of a successful cyber attack.

Business Rationale for Cyber Security
This project, an offshoot of an earlier study on the economics of security, addresses the challenge of corporate decision-making when it comes to investing in cyber security. It attempted to answer questions such as, “How much is needed?” “How much is enough?”   “And how does one measure the return on investment?”  The study includes an investigation of investment strategies, including risks and vulnerabilities, supply-chain interdependencies, and technological fixes.

Safeguarding Digital Identity
Multidisciplinary in scope, this project addresses the security of digital identities, emphasizing the development of technical approaches for managing digital identities that also meet political, social, and legal needs. The work has focused primarily on the two sectors for which privacy and identity protection are paramount: financial services and healthcare.

Insider Threat
This project addresses the need to detect, monitor, and prevent insider attacks, which can inflict serious harm on an organization. The researchers have undertaken a systematic analysis of insider threat, one that addresses technical challenges but also takes into account ethical, legal, and economic dimensions.

U.S. Senate Cyber Security Report
The I3P delivered a report titled National Cyber Security Research and Development Challenges: An Industry, Academic and Government Perspective, to U.S. Senators Joseph Lieberman and Susan Collins on February 18, 2009. The report reflects the finding of three forums hosted by the I3P in 2008 that brought together high-level experts from industry, government and academia to identify R&D opportunities that would advance cyber security research in the next five to 10 years. The report contains specific recommendations for technology and policy research that reflect the input of the participants and also the concerns of both the public and private sectors.

Workshops
The I3P connects with and engages with stakeholders through workshops and other outreach activities that are often held in partnership with other organizations. The workshops encompass a range of topics, some directly related to I3P research projects; others that are intended to bring the right people together to probe a particularly difficult foundational challenge, such as security systems engineering or workforce development.

Postdoctoral Fellowship Program
The I3P sponsored a postdoctoral research fellowship program from 2004 to 2011 that provides funding for a year of research at an I3P member institution. These competitive awards were granted according to the merit of the proposed work, the extent to which the proposed work explored creative and original concepts, and the potential impact of the topic on the U.S. information infrastructure. Prospective applicants were expected to address a core area of cyber security research, including trustworthy computing, enterprise security management, secure systems engineering, network response, and recovery, identity management and forensics, wireless computing and metrics, as well as the legal, policy, and economic dimensions of security.