Appraisal and reporting of security assurance at operational systems level

Authors:
Moussa Ouedraogo;Djamel Khadraoui;Haralambos Mouratidis;Eric Dubois
Affiliations:
Public Research Center Henri Tudor, 1855 Kirchberg, Luxembourg and School of Architecture, Computing and Engineering, University of East London, England, UK;Public Research Center Henri Tudor, 1855 Kirchberg, Luxembourg;School of Architecture, Computing and Engineering, University of East London, England, UK;Public Research Center Henri Tudor, 1855 Kirchberg, Luxembourg
Venue:
Journal of Systems and Software
Year:
2012

Citing 28
Cited 1

Handling Obstacles in Goal-Oriented Requirements Engineering

IEEE Transactions on Software Engineering - special section on current trends in exception handling—part II
Hack I.T.: security through penetration testing

Hack I.T.: security through penetration testing
Introduction to Multiagent Systems

Introduction to Multiagent Systems
Valuation of Trust in Open Networks

ESORICS '94 Proceedings of the Third European Symposium on Research in Computer Security
A Practical Approach to Measuring Assurance

ACSAC '98 Proceedings of the 14th Annual Computer Security Applications Conference
A CC-based Security Engineering Process Evaluation Model

COMPSAC '03 Proceedings of the 27th Annual International Conference on Computer Software and Applications
Developing Secure Networked Web-Based Systems Using Model-based Risk Assessment and UMLsec

APSEC '03 Proceedings of the Tenth Asia-Pacific Software Engineering Conference Software Engineering Conference
A Quantitative Study of Firewall Configuration Errors

Computer
Scenario graphs and attack graphs

Scenario graphs and attack graphs
Cost-Benefit Trade-Off Analysis Using BBN for Aspect-Oriented Risk-Driven Development

ICECCS '05 Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems
The essential synthesis of problem frames and assurance cases

Proceedings of the 2006 international workshop on Advances and applications of problem frames
A New Evaluation Strategy Based on Combining CC and SSE-CMM for Security Systems and Products

GCC '06 Proceedings of the Fifth International Conference on Grid and Cooperative Computing
Early quality prediction of component-based systems - A generic framework

Journal of Systems and Software
Security Attack Testing (SAT)-testing the security of information systems at design time

Information Systems
A Broad, Quantitative Model for Making Early Requirements Decisions

IEEE Software
A Near Real-Time System for Security Assurance Assessment

ICIMP '08 Proceedings of the 2008 The Third International Conference on Internet Monitoring and Protection
Quantitative risk-based security prediction for component-based systems with explicitly modeled attack profiles

Journal of Systems and Software
On System Security Metrics and the Definition Approaches

SECURWARE '08 Proceedings of the 2008 Second International Conference on Emerging Security Information, Systems and Technologies
A Systems Dynamics View of Security Assurance Issues: "The Curse of Complexity and Avoiding Chaos"

HICSS '09 Proceedings of the 42nd Hawaii International Conference on System Sciences
Security compliance: the next frontier in security research

Proceedings of the 2008 workshop on New security paradigms
On the Operational Security Assurance Evaluation of Networked IT Systems

NEW2AN '09 and ruSMART '09 Proceedings of the 9th International Conference on Smart Spaces and Next Generation Wired/Wireless Networking and Second Conference on Smart Spaces
Multi-agent based security assurance monitoring system for telecommunication infrastructures

CNIS '07 Proceedings of the Fourth IASTED International Conference on Communication, Network and Information Security
Eliciting security requirements and tracing them to design: an integration of Common Criteria, heuristics, and UMLsec

Requirements Engineering - Special Issue on RE'09: Security Requirements Engineering; Guest Editors: Eric Dubois and Haralambos Mouratidis
Structured Assurance Case Methodology for Assessing Software Trustworthiness

SSIRI-C '10 Proceedings of the 2010 Fourth International Conference on Secure Software Integration and Reliability Improvement Companion
The irreversible march of technology

Information Security Tech. Report
SP 800-30. Risk Management Guide for Information Technology Systems

SP 800-30. Risk Management Guide for Information Technology Systems
SP 800-33. Underlying Technical Models for Information Technology Security

SP 800-33. Underlying Technical Models for Information Technology Security
A Consensus Support System Model for Group Decision-Making Problems With Multigranular Linguistic Preference Relations

IEEE Transactions on Fuzzy Systems

Taxonomy of quality metrics for assessing assurance of security correctness

Software Quality Control

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper we discuss the issues relating the evaluation and reporting of security assurance of runtime systems. We first highlight the shortcomings of current initiatives in analyzing, evaluating and reporting security assurance information. Then, the paper proposes a set of metrics to help capture and foster a better understanding of the security posture of a system. Our security assurance metric and its reporting depend on whether or not the user of the system has a security background. The evaluation of such metrics is described through the use of theoretical criteria, a tool implementation and an application to a case study based on an insurance company network.