What sort of beast is “cybersecurity” anyway?
Is it simply a variation of software failure? According to this analysis, a security lapse is a software engineering failure, not technically different from an unintended “404” error or an “uncaught” exception.
Is it simply a failure to implement corrective measures? This analysis likens cybersecurity to physical security. Facilities such as military bases or electric power plants are vulnerable targets. Rather than try to remove all the points of vulnerability, a virtual “layer” of physical security is drawn around the facility. The Department of Defense Physical Security Program provides a useful glimpse into this approach. Consider DoD 5200.08-R. A version last updated in 2009 is hosted by DTIC. To some extent, there is a reasonable analogy to protecting software.
Is it a design failure? In architecture, it is not uncommon for architects to receive the blame for collapsed, or otherwise unsuccessful buildings. For instance, consider the failure of a walkway in the Kansas City Hyatt Regency hotel in 1981. In this failure, 114 persons were killed, and initial blame settled on architects. A more nuanced view recognizes multiple sources of responsibility, including project sponsors, customers, auditors, and sometimes public officials and even politicians. This was the analysis made by one K. Bristol in a 1991 analysis of the Pruitt-Igoe towers project in St. Louis.
Regardless of which of these approaches is chosen, the relative contributions of alternative models for failure should be taken into account. There is a tendency to focus excessively on the specific lapse (e.g., buffer underflow). Issues such as engineer training, IDEs, development frameworks, test environments and constraints imposed by sponsors and other stakeholders also deserve investigation, if not blame.