Developed multi-level security mechanisms for a CIA-funded project in
research and development of distributed information retrieval
systems. 1984-1987
Responsible for security issues in a range of distributed computing
environments and networks over many years. 1988-2006
In looking for a tractable design methodology for secure systems, I came to
realize that none existed. Although much is understood about many aspects of
computer security, little attention has been given to the issue of how to
integrate this knowledge into a design process, that is, how to generate and
maintain a security architecture in a systematic, predictable manner. 1988-1990
Developed a new security design methodology (Ph.D. research), based on
object-oriented modeling of the application and environment, with information
flow analysis to automatically discover security policy violations. Safeguards
can then be modeled and added to the flow analysis to readily assess their
effects. 1990-1993
A Note on Security, Safety, and Privacy
Security, safety, and privacy are essentially all the same
problem. They differ only in terms of the policy that must be
enforced. In each, the overall goal is the same, that is, for the
system to do what you want it to do, and never do what you don't want
it to do. The problem then becomes how to deal with this "negative
requirements specification" -- defining what you do not want to occur,
and then ensuring that it does not. Thus, the same tools and knowledge apply in all
three arenas.
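The Ph.D. entry above describes modeling the application as objects, running an information flow analysis to find policy violations, and then adding safeguards to the model to see their effect; the note frames the policy as a "negative requirements specification". The following is an added example that is not the author's methodology or code: a small information flow check over an object model of a distributed retrieval system. Object names, the three-level lattice, the flows and the "release_filter" safeguard are all constructed for illustration.

```python
# Added illustration, not the page author's code. A toy model-based
# information-flow check: objects carry security levels, flows connect them,
# a policy states what must never happen, and a safeguard is modeled as a
# trusted filter inserted into a flow. All names and levels are constructed.
from collections import deque

# Linear multi-level lattice; a larger number means more sensitive.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


class FlowModel:
    """Objects with security levels, directed flows, and safeguards."""

    def __init__(self):
        self.level = {}          # object name -> numeric level
        self.flows = {}          # object name -> set of objects it flows to
        self.safeguards = set()  # objects trusted to emit only at their own level
        self.forbidden = set()   # explicit (src, dst) pairs that must never connect

    def add_object(self, name, level):
        self.level[name] = LEVELS[level]
        self.flows.setdefault(name, set())

    def add_flow(self, src, dst):
        self.flows[src].add(dst)

    def forbid(self, src, dst):
        """Negative requirement: information in src must never reach dst."""
        self.forbidden.add((src, dst))

    def insert_safeguard(self, src, dst, name, level):
        """Replace the direct flow src->dst with src->name->dst, where name is a
        reviewed filter (a release or declassification check, for example)
        trusted to output only information at `level`."""
        self.flows[src].discard(dst)
        self.add_object(name, level)
        self.safeguards.add(name)
        self.add_flow(src, name)
        self.add_flow(name, dst)

    def reachable(self, src):
        """Objects transitively reachable from src. Traversal stops at a
        safeguard; whatever it emits is analysed with the safeguard as source."""
        seen, queue = set(), deque([src])
        while queue:
            cur = queue.popleft()
            if cur != src and cur in self.safeguards:
                continue
            for nxt in self.flows.get(cur, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def violations(self):
        """Sorted (src, dst) pairs that contradict the policy: information
        reaching a less sensitive object without passing a safeguard, or an
        explicitly forbidden pair being connected."""
        found = set()
        for src in self.level:
            for dst in self.reachable(src):
                if (src, dst) in self.forbidden:
                    found.add((src, dst))
                elif dst not in self.safeguards and self.level[src] > self.level[dst]:
                    found.add((src, dst))
        return sorted(found)


def build_model():
    """Constructed model of a retrieval system with an unfiltered result path."""
    m = FlowModel()
    m.add_object("classified_index", "secret")
    m.add_object("query_engine", "secret")
    m.add_object("audit_log", "secret")
    m.add_object("public_results", "public")
    m.add_object("remote_user", "public")
    m.add_flow("classified_index", "query_engine")
    m.add_flow("query_engine", "audit_log")
    m.add_flow("query_engine", "public_results")  # unfiltered: the design flaw
    m.add_flow("public_results", "remote_user")
    m.forbid("classified_index", "remote_user")   # the negative requirement
    return m


if __name__ == "__main__":
    model = build_model()
    print("before safeguard:", model.violations())
    model.insert_safeguard("query_engine", "public_results", "release_filter", "public")
    print("after safeguard: ", model.violations())
```

Running the analysis once shows the secret index reaching both the public result set and the remote user; inserting the release filter and re-running shows the violations gone. Because the filter's declared output level is checked like any other object, a filter that is declared to emit secret data into a public object is itself reported, which is the kind of effect the modeling step is meant to make visible before anything is built.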