Assumption-Driven Design




Peter Loscocco, Machon Gregory, Robert Meushaw

Tech report number: CERIAS TR 2018-2

More than ever, information system designers must provide security protection against a wide variety of threats. While numerous sources of guidance are available to inform the design process, system architects often improvise their own design methods. This paper aims to distil the experience gained by NSA trusted system analysts over decades so that it can be practically applied by others. The general approach is to identify and reduce the number of assumptions on which the security of the system depends. Simply making these assumptions explicit and showing their interdependence has significant, albeit difficult to quantify, benefits for system security. Our hope is that this design methodology will serve as the starting point for the development of a more formal and robust engineering methodology for trusted system design.




Publication date: 2018-1-1

Key alpha: National Security Agency

