Transforming Software Transparency to Enhance Security Decisions


In today’s digital world, cybersecurity is an ever-growing concern. As software becomes an integral part of virtually every system, ensuring that its components are secure is critical. One way to achieve this is through the Software Bill of Materials (SBOM), a tool designed to promote transparency by outlining the components of software and identifying potential vulnerabilities. The project Combining Human Intelligence with Artificial Intelligence for a Usable, Adaptable SBOM (CHIAUS) aims to make these SBOMs not just informative but actionable and effective for decision-makers, ensuring that security risks are mitigated from the very beginning of the software development lifecycle.

Bridging the Gap Between Human and AI

Led by L. Jean Camp, a professor at Indiana University, CHIAUS addresses a critical gap in current cybersecurity practices. SBOMs have emerged as a vital tool to improve transparency in software systems. However, their effectiveness hinges on their accessibility and usability. Existing SBOMs are often too technical, leaving decision-makers struggling to interpret the information and apply it in ways that safeguard against vulnerabilities.

“There are three main failure modes when it comes to security: people don’t have the necessary information, they have it but can’t understand the risk, or they have the information but the mitigation is not usable,” said Camp, reflecting on the project’s goal to bridge these gaps. The research focuses on ensuring that SBOMs are not only detailed but also comprehensible and actionable for a diverse group of stakeholders, including developers, system operators, and decision-makers at all levels.

Meeting Stakeholder Needs Through Human-Centered Design

At the heart of the CHIAUS project is human-centered design. The project integrates artificial intelligence (AI) with human intelligence to develop SBOMs that are both informative and easy to navigate. Researchers are exploring three key questions: What do different stakeholders want from an SBOM? How can the information be made reliable and accurate? And how should it be communicated to ensure it supports effective decision-making?

“We’ve spent a lot of time engaging with stakeholders through interviews, surveys, and focus groups,” Camp explained. “The information that SBOMs provide needs to meet the needs of developers and decision-makers, but also be digestible and useful.” In doing so, the team works to create a solution that will guide users in making risk-aware decisions about the software they develop, adopt, and use.

Collaborating with DHS and Industry Partners for Greater Impact

The project has garnered strong support from the Cybersecurity and Infrastructure Security Agency (CISA), and other key stakeholders within the Department of Homeland Security (DHS). Through these collaborations, the team has gained critical insights into the challenges and needs of the cybersecurity landscape. A key realization from these discussions is that stakeholders, such as software buyers, are willing to pay a premium for trusted products—akin to how consumers choose products with Energy Star labels because they are assured of their quality.

“This collaboration has opened doors to better understand the market and the real-world challenges of implementing SBOMs effectively,” said Camp. “One of the most exciting outcomes is the growing optimism for security labels in the software industry, which could revolutionize how we approach transparency and security.”

Mentoring the Next Generation of Cybersecurity Leaders

In addition to advancing cybersecurity research, the project also provides valuable mentorship opportunities for students. Four students, including two doctoral candidates, are directly involved in the project. Their work will culminate in three dissertations, with at least 12 undergraduates gaining hands-on research experience under the guidance of faculty and doctoral students.

“I’ve had the privilege of mentoring over 100 undergraduate students and 16 doctoral candidates throughout my career,” Camp shared. “Seeing these students develop a passion for cybersecurity and helping them succeed is one of the most rewarding parts of my work.”

Through these mentorships, the project not only advances research but also helps prepare the next generation of cybersecurity professionals for the challenges ahead.

Research Progress and Achievements

As part of the research process, the team has made significant strides. Initial tasks, such as requirements elicitation for acceptable SBOMs, are complete. In addition, experiments to integrate risk data with SBOMs are currently underway, with promising results. The team has also participated in key industry standards and working groups, ensuring their findings contribute to broader efforts in the field.

The team’s work has revealed an interesting insight: the same code can generate different SBOMs, each identifying different vulnerabilities. This highlights the need for a standardized, transparent approach to SBOM creation that can be universally trusted by all stakeholders.
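As an added illustration of this insight (example code, not the CHIAUS project’s own), the following Python compares two constructed SBOMs for the same code base and checks which advisories each one surfaces against a constructed advisory table; the reduced CycloneDX-like shape, the component names and versions, and the advisory ids are all fictitious placeholders.

```python
"""Compare two SBOMs produced for the same code and the advisories each
surfaces. Added illustration; SBOMs, package names and advisory ids are
constructed placeholders, not real components or CVEs."""

# Constructed: generator A resolved the lockfile and lists transitive
# dependencies; generator B read only the manifest and sees a different set.
SBOM_TOOL_A = {"bomFormat": "CycloneDX", "components": [
    {"name": "libalpha", "version": "1.4.0"},
    {"name": "libbeta", "version": "2.0.1"},
    {"name": "libgamma", "version": "0.9.2"},
]}
SBOM_TOOL_B = {"bomFormat": "CycloneDX", "components": [
    {"name": "LibAlpha", "version": "1.4.0"},   # same package, different casing
    {"name": "libdelta", "version": "3.1.0"},
]}

# Constructed advisory table keyed by name@version (placeholder ids).
ADVISORIES = {
    "libbeta@2.0.1": ["ADV-EXAMPLE-1"],
    "libdelta@3.1.0": ["ADV-EXAMPLE-2"],
}


def component_keys(sbom):
    """Normalise an SBOM to a set of name@version keys (names lower-cased
    so that two generators spelling a package differently still match)."""
    return {f"{c['name'].lower()}@{c['version']}" for c in sbom["components"]}


def matched_advisories(keys, advisories=ADVISORIES):
    """Return the advisory ids that apply to the given component keys."""
    return {adv for k in keys for adv in advisories.get(k, [])}


def compare_sboms(sbom_a, sbom_b, advisories=ADVISORIES):
    """Diff the two inventories and the advisories each one surfaces.
    Trusting a single generator misses the other's findings; the union
    is the conservative inventory a reviewer should start from."""
    a, b = component_keys(sbom_a), component_keys(sbom_b)
    return {
        "only_in_a": sorted(a - b),
        "only_in_b": sorted(b - a),
        "advisories_a": sorted(matched_advisories(a, advisories)),
        "advisories_b": sorted(matched_advisories(b, advisories)),
        "advisories_union": sorted(matched_advisories(a | b, advisories)),
    }


if __name__ == "__main__":
    for field, value in compare_sboms(SBOM_TOOL_A, SBOM_TOOL_B).items():
        print(f"{field}: {value}")
```

Each generator alone reports exactly one of the two advisories, so a reviewer relying on either SBOM in isolation would miss a finding the other one surfaces.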

A Shift in the Software Industry

The long-term impact is expected to be transformative. By combining AI with human intelligence, the project is addressing the root causes of software vulnerabilities and helping to shape the future of security standards in the industry. As the project continues, it will provide a framework that allows stakeholders to make informed decisions based on accurate, accessible, and actionable information.

Through careful integration of human-centered design, cutting-edge technology, and strong partnerships with key stakeholders, Camp’s project is paving the way for more secure software development practices that will benefit both the industry and its users for years to come.

“SBOM is a foundational change in how we approach software security,” said Camp. “Though the process is slow, it will fundamentally alter the industry, just like how early consumer protections have changed how we view product safety.”