A Security Metrics Taxonomization Model for Software-Intensive Systems

Abstract: We introduce a novel high-level security metrics objective taxonomization model for software-intensive systems. The model systematizes and organizes security metrics development activities. It focuses on the security level and security performance of technical systems while taking into account the alignment of metrics objectives with different business and other management goals. The model emphasizes the roles of security-enforcing mechanisms, the overall security quality of the system under investigation, and secure system lifecycle, project and business management. Security correctness, effectiveness and efficiency are seen as the fundamental measurement objectives, determining the directions for more detailed security metrics development. Integration of the proposed model with risk-driven security metrics development approaches is also discussed.

Keywords: Security Metrics, Security Objectives, Taxonomy, Correctness, Effectiveness, Efficiency

1. Introduction

The increasing complexity and connectivity of software-intensive systems, products and services are boosting the need for pertinent and reliable software security and trusted system solutions. Systematic approaches to measuring security are needed to obtain evidence of the security level and performance of systems, products and services. In addition, early security evidence will enable cost-effective secure software development. It is easier to make business and engineering decisions concerning security if sufficient and credible evidence of security is available. The field of developing security metrics systematically is young. The complication behind the immaturity of security metrics is that the current practice of security is still a highly diverse field, and holistic and widely accepted approaches are still missing [1]. Attempts to measure security have only obtained limited success [2]. Lately, security metrics has become an emerging research area that is rapidly gaining momentum.
The main contribution of this study is to introduce a novel model for security metrics objective taxonomization of technical systems and to discuss the motivation for it. The model systematizes and organizes security metrics development. We analyze the role of different emphasis areas and fundamental measurement objectives and show how the model can be integrated with risk-driven security metrics development activities. In our model, we have made a premeditated choice not to divide security metrics into technical, operational and organizational metrics, which is the most common classification.

The rest of this article is organized in the following way. Section 2 analyzes related work, and Section 3 gives a short introduction to security metrics. Section 4 presents our Security Metrics Objective Segments (SMOS) model, and Section 5 discusses the design of security metrics taxonomies with the help of the proposed model. Section 6 analyzes how the model can be integrated with the security metrics development process. Section 7 incorporates a discussion of the results and of security metrics in general terms, and finally, Section 8 gives conclusions and finalizes the study with some future research questions.

References

[1] Robert A. Martin, "Managing Vulnerabilities in Networked Systems," Computer, 2001.

[2] Karen A. Scarfone et al., "Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0," 2010.

[3] Robert J. Ellison et al., "Attack Trees," Encyclopedia of Biometrics, 2009.

[4] Marianne Swanson et al., "Security Self-Assessment Guide for Information Technology Systems," 2001.

[5] Carl E. Landwehr et al., "Basic Concepts and Taxonomy of Dependable and Secure Computing," IEEE Transactions on Dependable and Secure Computing, 2004.

[6] Rita C. Summers, "Secure Computing: Threats and Safeguards," 1996.

[7] Michael Howard et al., "Measuring Relative Attack Surfaces," 2005.

[8] Debra Herrmann et al., "Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI," 2007.

[9] Habtamu Abie et al., "Identification of Basic Measurable Security Components for a Distributed Messaging System," Third International Conference on Emerging Security Information, Systems and Technologies, 2009.

[10] Rayford B. Vaughn et al., "Information Assurance Measures and Metrics - State of Practice and Proposed Taxonomy," 36th Annual Hawaii International Conference on System Sciences, 2003.

[11] Reijo Savola, "Requirement Centric Security Evaluation of Software Intensive Systems," 2nd International Conference on Dependability of Computer Systems (DepCoS-RELCOMEX '07), 2007.

[12] Virgil D. Gligor et al., "On the Security Effectiveness of Cryptographic Protocols," 1995.

[13] William A. Wulf et al., "Towards a Framework for Security Measurement," 1997.

[14] Michael D. Smith et al., "Computer Security Strength and Risk: A Quantitative Approach," 2004.

[15] Wayne A. Jansen et al., "Directions in Security Metrics Research," 2009.

[16] Karen A. Scarfone et al., "SP 800-117. Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0," 2010.

[17] Andrew Jaquith, "Security Metrics: Replacing Fear, Uncertainty, and Doubt," 2007.

[18] Marianne Swanson et al., "Security Metrics Guide for Information Technology Systems," 2003.

[19] Dennis Longley et al., "Data & Computer Security: Dictionary of Standards Concepts and Terms," 1987.

[20] Karen A. Forcht et al., "Computer Security Management," 1993.

[21] S. S. Stevens et al., "On the Theory of Scales of Measurement," Science, 1946.

[22] Reijo Savola et al., "Towards a Taxonomy for Information Security Metrics," QoP '07, 2007.

[23] Jeannette M. Wing et al., "A Formal Model for a System's Attack Surface," Moving Target Defense, 2011.

[24] Matt Bishop et al., "What Is Computer Security?," IEEE Security & Privacy, 2003.

[25] Reijo Savola, "A Taxonomical Approach for Information Security Metrics Development," 2007.

[26] Ioannis Lambadaris et al., "Current Trends and Advances in Information Assurance Metrics," Conference on Privacy, Security and Trust, 2004.

[27] Bennet S. Yee, "Security Metrology and the Monty Hall Problem," 2001.

[28] Steven M. Bellovin, "On the Brittleness of Software and the Infeasibility of Security Metrics," IEEE Security & Privacy Magazine, 2006.

[29] A. Berger et al., "On the Theory of C[alpha]-tests," 1989.

[30] Reijo Savola et al., "A Novel Security Metrics Taxonomy for R&D Organisations," ISSA, 2008.

[31] Reijo Savola, "A Security Metrics Development Method for Software Intensive Systems," 2009.

[32] Habtamu Abie et al., "Development of Security Metrics for a Distributed Messaging System," International Conference on Application of Information and Communication Technologies, 2009.