Strategies for security measurement objective decomposition

Systematically managed, sufficient and credible security metrics increase understanding of the security effectiveness of software-intensive systems during both development and operation. Risk-driven top-down modeling enables systematic and meaningful security metrics development. We propose six strategies for decomposing security measurement objectives. They focus on developing metrics for security correctness, software and system quality, partial security effectiveness, and security-related compliance and trade-off decision-making. The proposed strategies integrate an abstract security effectiveness model, security measurement objectives, and the associated measurement points in the relevant system components. All strategies emphasize security effectiveness, whatever their other objectives.
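As an added illustration, not the authors' code and not one of the six strategies themselves, the following Python models a risk-driven top-down decomposition of one measurement objective: the root objective is split into weighted sub-objectives down to leaves, each leaf carries a measurement point in a system component, and credibility checks reject trees whose sibling weights do not sum to one or whose leaves have no measurement point. The objective names, weights, component names and measured values are constructed for the example and are assumptions, not data from the paper.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Objective:
    """One node of a top-down security measurement objective tree.

    weight: share of the parent's objective this node carries (siblings sum to 1).
    measurement_point: for leaves, the system component where the base measure
                       is collected (hypothetical component names in the example).
    value: for leaves, the normalised measurement in [0, 1].
    """
    name: str
    weight: float = 1.0
    children: List["Objective"] = field(default_factory=list)
    measurement_point: Optional[str] = None
    value: Optional[float] = None


def validate(node: Objective, path: str = "") -> List[str]:
    """Return defects that would make metrics derived from this tree non-credible."""
    here = f"{path}/{node.name}" if path else node.name
    problems: List[str] = []
    if node.children:
        total = sum(c.weight for c in node.children)
        if abs(total - 1.0) > 1e-9:
            problems.append(f"{here}: child weights sum to {total:.3f}, not 1")
        for child in node.children:
            problems.extend(validate(child, here))
    else:
        if node.measurement_point is None:
            problems.append(f"{here}: leaf has no measurement point")
        if node.value is None:
            problems.append(f"{here}: leaf has no measured value")
        elif not 0.0 <= node.value <= 1.0:
            problems.append(f"{here}: value {node.value} outside [0, 1]")
    return problems


def effectiveness(node: Objective) -> float:
    """Aggregate leaf measurements up to the root as a weighted sum."""
    if not node.children:
        if node.value is None:
            raise ValueError(f"unmeasured leaf: {node.name}")
        return node.value
    return sum(c.weight * effectiveness(c) for c in node.children)


def measurement_points(node: Objective, path: str = "") -> Dict[str, str]:
    """Traceability table: leaf objective path -> component where it is measured."""
    here = f"{path}/{node.name}" if path else node.name
    if not node.children:
        return {here: node.measurement_point or "<missing>"}
    table: Dict[str, str] = {}
    for child in node.children:
        table.update(measurement_points(child, here))
    return table


def example_tree() -> Objective:
    """Constructed example: a well-formed decomposition of an authentication objective."""
    return Objective("authentication effectiveness", children=[
        Objective("credential strength", 0.5, children=[
            Objective("policy compliance", 0.6, measurement_point="identity-service", value=0.9),
            Objective("guessing resistance", 0.4, measurement_point="cracking-test-harness", value=0.65),
        ]),
        Objective("session protection", 0.3, measurement_point="api-gateway", value=0.6),
        Objective("failed-login detection", 0.2, measurement_point="siem", value=0.9),
    ])


def broken_tree() -> Objective:
    """Constructed example: weights do not sum to 1 and a leaf lacks a measurement point."""
    return Objective("authentication effectiveness", children=[
        Objective("credential strength", 0.5, measurement_point="identity-service", value=0.9),
        Objective("session protection", 0.3, value=0.6),
    ])


if __name__ == "__main__":
    tree = example_tree()
    for problem in validate(tree) or ["no defects"]:
        print("check:", problem)
    print("root effectiveness:", round(effectiveness(tree), 3))
    for leaf, point in measurement_points(tree).items():
        print(f"{leaf} -> {point}")
    for problem in validate(broken_tree()):
        print("broken:", problem)
```

The validation step is the part worth keeping: an aggregate score is only as credible as the weakest leaf, and a leaf with no measurement point is an objective nobody actually measures.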
