1. Financial Sector Cybersecurity R&D Priorities The Members of the FSSCC R&D Committee November 2014

2. The FSSCC Research and Development Committee: Overview FSSCC  FSSCC is the Cybersecurity Coordinating Committee for the Financial sector  FSSCC members represent a broad cross-section of Financial sector institutions of all types FSSCC R&D Committee Mission and Purpose:  Identify research needs and priorities of the Financial Services Sector  Identify, influence and help transition promising research  Educate researchers to financial sector unique needs and constraints Current FSSCC R&D Committee Chairs: Bob Blakley, Citigroup bob.blakley@citi.com Joseph Schatz, US Department of Treasury, Joseph.Schatz@treasury.gov

3. The Financial Sector Cybersecurity Landscape: Challenges Secrets and personal information are declining in utility as authenticators. We need new methods, not based on secrets, for establishing identities of users. Perimeter-based, prevention-oriented security architectures are less and less successful at thwarting attackers. We need new architectures which enable quick detection of and effective response to attacks in progress and attacks in preparation. We have insufficient real-time awareness of the state of our systems and the activities of users in those systems. We need analytics which provide accurate, detailed information about who’s doing what to which resources on our networks, and we need powerful, sensemaking visualization tools which allow security analysts to understand the significance of the information the analytics provide. Attackers are increasingly exploiting human rather than technical weaknesses We need a better understanding of how education and user experience design can be used to defend users against getting conned into participating in malicious activity without their knowledge or against their will. Attackers can cheaply mount attacks which are very costly (in losses or in resources spent on countermeasures) to defenders.. We need ways to drive up the costs and risks of an attack, even in cases in which attackers use automated tools.

4. Financial Sector Cybersecurity R&D Priorities 1.Identity Assurance - Need to identify and authenticate people, organizations, devices, services, application software in real-time, at the level of assurance commensurate with the risk, at assurance levels an order of magnitude greater than currently. 2.Analysis and Intelligence - Need for more effective real-time identification of malware, infected devices, and suspicious activities of people and organizations, capable of forecasting, learning and adapting to changing threats and tactics through feedback from real-time and after-the-fact forensic analysis. 3.Human Behavior - Need for human-computer interactions models which reduce the risks of social- engineering attacks, reduce security-relevant errors and omissions, and actively discourage malicious acts by outside attackers and insiders alike. 4.Proactive Measures - Need for a suite of proactive measures that provides demonstrative success over current purely defensive measures, including a set of tools and analyses that justify these measures, taking into account the unique regulatory and compliance environment of the financial services sector. 5.Architecture and Infrastructure - Need for new system structures, communications protocols, and security controls designed to be effective in an increasingly distributed, richly-connected, highly- virtualized, mobile computing environment.

5. The full FSSCC R&D Agenda is available at the following URL. Note that there are blank spaces in the URL. http://www.fsscc.org/fsscc/news/2013/FSSCC RD Agenda April 24 2013.pdf The FSSCC Research and Development Agenda