Four Testing Types Core to Informed ICT Governance for Cyber-Resilient Systems

Keith F. Joiner, Amit Ghildyal, Narelle Devine, Alan Laing, Anne Coull, Elena Sitnikova

Research output: Contribution to journal, Article, peer-review

Abstract

Research on ICT projects continues to report very high cost and schedule overruns, as well as many high-profile ICT projects experiencing high incidences of unexpected cyber-vulnerabilities. Consequently, there is renewed interest in ICT governance from diverse areas. Some of the proposed governance models considered have great complexity while others appeal to simplicity for success. Three diverse and practical research efforts in ICT governance in Australian Government, as well as observations in the Banking Sector, came to similar concerns about the importance and type of ICT testing and expertise critical for ICT project governance to build cyber-resilience. Today's ICT Governance critically depends on: (1) information coming from all four types of testing, (2) the management of the testing as a coherent whole, and (3) that such test capabilities must endure through the whole life-cycle, so as to provide a sufficient degree of commercial and architectural independence to enable hard and timely decisions. Further, cyber-resilience challenges ICT testing to cope with increasing system configurations, threat permutations, future upgrades and threat sequencing. Therefore, this research uniquely calls for all ICT test types to use new combinatorial test design techniques for efficient screening and cyber threat rigor. These lessons were shared at a special conference panel on ICT governance for resilient systems [1] [4], where for the first time authors called for ICT governance frameworks to directly include test-informed previews in all decisions so that ICT can be more innovative, competitive, and cyber-resilient. This paper outlines the four testing types and lists the test infrastructure and combinatorial test design skills necessary for each.
Original language: English
Pages (from-to): 313-327
Number of pages: 15
Journal: International Journal on Advances in Security
Volume: 11
Issue number: 3 & 4
Publication status: Published - 2018
Externally published: Yes

Keywords

  • ICT governance
  • usability testing
  • cyber-resilience
  • penetration testing
  • integration testing
  • project success factors
  • stress testing
