ABSTRACT
Security assessment is largely ad hoc today due to its inherent complexity. The existing methods are typically experimental in nature and highly dependent on the assessor's experience, and the security metrics are usually qualitative. We propose to address the dual problems of experimental analysis and qualitative metrics by developing two complementary approaches for security assessment: (1) analytical modeling, and (2) metrics-based assessment. To avoid experimental evaluation, we put forward a formal model that permits the accurate and scientific analysis of different security attributes and security flaws. To avoid qualitative metrics leading to ambiguous conclusions, we put forward a collection of mathematical formulas based on which quantitative metrics can be derived. The vulnerability analysis model responds to the need for a theoretical foundation for modeling information security, and security metrics are the cornerstone of risk analysis and security management. In addition to the security analysis approach, we discuss security testing methods as well. A Relative Complete Coverage (RCC) principle is proposed along with an example of applying the RCC principle. The innovative ideas proposed in this paper include a hierarchical multi-level modeling approach to modeling vulnerability using model composition and refinement techniques, a data-centric, quantitative metrics mechanism, and multidimensional assessment capturing both process and product elements in a formalized framework.
- Information security models and metrics