Towards an abstraction layer for security assurance measurements: (invited paper)

Measurement of any complex, operational system is challenging because its components evolve continuously and independently of one another. Security risks introduce a further dimension of dynamicity, which is reflected in risk management and security assurance activities. The measurements that are available, and their properties, will vary over the system lifecycle. To be useful, a measurement framework in this context must be able to adapt both to changes in the target of measurement and to changes in the available measurement infrastructure. In this study, we introduce a taxonomy-based approach for relating the available and attainable measurements to the measurement requirements of security assurance plans, by providing an Abstraction Layer that makes these dynamic features easier to manage. The introduced approach is investigated using a security assurance case example of firewall functionality in a Push E-mail service system.
