ABSTRACT
Over the last decades, software quality attributes such as maintainability, reliability, and understandability have been widely studied. In contrast, less attention has been paid to the field of software security. Attackability is a concept proposed recently in the research literature to measure the extent to which a software system or service could be the target of successful attacks. Like most external attributes, attackability is to some extent disconnected from the internals of software products. To improve the quality of software products, we need to be able to affect their internal features. So, for attackability measures to be useful for enhancing software products, we need to identify related internal software attributes. In this paper, we study the empirical relationship between attackability as an external software quality attribute and coupling as an internal software attribute. Specifically, we use a case study based on denial of service (DoS) attacks conducted against an online medical record keeping system. Through regression analysis, we establish that there is a strong correlation between attackability and coupling.