Keeping an eye on your security through assurance indicators

Despite the enormous effort made across the computer science disciplines to provide more secure systems, compromise of a system's security has become a common and stark reality for organizations of all sizes and from a wide variety of sectors. Laxity in the technology has often been cited as the salient cause of system insecurity. In this paper we advocate the need for a Security Assurance (SA) system to be embedded within current IT systems. Such a system has the potential to address one facet of cyber insecurity: the exploitation of laxity within the deployed security and its underlying policy. We discuss the challenges associated with such an SA assessment and illustrate its evaluation and monitoring through an initial prototype. By providing indicators on the status of a security matter that is increasingly devolved to the provider, as is the case in the cloud, the SA tool can be used as a means of fostering better security transparency between a cloud provider and its clients.
