Strategies for cost efficient security evaluations

Evaluating the security of IT products is costly and complex, and in order to remain competitive, organizations engaging in security evaluations must aim at cost efficient evaluations. A set of criteria is established and used to assess the suitability of various strategies for cost efficient security evaluations. The results suggest, not surprisingly, a dependency between the strategic role of security engineering and assurance and the suitability of cost efficiency strategies. While some strategies may result in an immature security engineering process, they may be the most cost efficient if evaluations are not at the core of the long term product engineering strategies. On the other hand, where assurance and security evaluations are strategically important, the results suggest that the costs of a repeatable security engineering process can be justified by long term benefits.