Prioritization of software security intangible attributes

  • Authors: Regina Thienne Colombo; Marcelo Schneck Pessôa; Ana Cervigni Guerra; Amandio Balcão Filho; Célio Caruso Gomes
  • Affiliations: São Paulo University (USP), Cidade Universitária, São Paulo, Brasil (Colombo, Pessôa); Information Technology Center Renato Archer (CTI), Rodovia Dom Pedro I (SP - 65) Km 143,6, Campinas, Brasil (Guerra, Balcão Filho); Technological Institute of Aeronautics (ITA), Praça Marechal Eduardo Gomes, 50 - Vila das Acácias - São José dos Campos, Brasil (Caruso Gomes)
  • Venue: ACM SIGSOFT Software Engineering Notes
  • Year: 2012


Abstract

Intangible elements, such as the value ranges of software security properties (e.g., confidentiality, integrity and availability), can be seen as resources that enforce software security. There are no standard units for these properties, which makes their measurement difficult. On the other hand, priorities for intangible elements can be measured or estimated from tangible ones, since their priorities are proportional: the priorities of tangible resources can be used to assign values to the priorities of intangible resources, guided by the experience of the analysts involved. In this paper, we present a theoretical process based on mathematical constructs to score the priority of software security attributes and to estimate measures for them. The process decomposes complex systems into smaller and simpler ones, which allows the estimation of properties that help in understanding and measuring software security properties. Our results provide a model for access security in which the priority score of each security attribute is calculated with the AHP (Analytic Hierarchy Process) methodology. We illustrate the application of our approach on a Web management system for governmental research institutions, presenting results that may support managers in the prioritization, evaluation and management of security requirements for Web applications.
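The abstract states that the priority scores of the security attributes are computed with AHP but does not show the computation. The following added example (not code from the paper) carries out the standard AHP steps for confidentiality, integrity and availability: build a reciprocal pairwise-comparison matrix from analyst judgements, derive the priority vector as the principal eigenvector, and compute Saaty's consistency ratio so inconsistent judgements can be rejected. The judgement values and the attribute ordering are constructed for illustration and are not the paper's case-study data.

```python
"""Added example: AHP priority scoring for software security attributes.
Judgements below are constructed; they are not the paper's results."""

ATTRIBUTES = ["confidentiality", "integrity", "availability"]

# Saaty's random consistency index by matrix order n (used for CR = CI / RI).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}


def reciprocal_matrix(upper):
    """Build the full reciprocal matrix from judgements above the diagonal.
    `upper` maps (i, j) -> v, meaning attribute i is v times as important as j."""
    n = max(max(i, j) for i, j in upper) + 1
    m = [[1.0] * n for _ in range(n)]
    for (i, j), v in upper.items():
        m[i][j] = float(v)
        m[j][i] = 1.0 / v          # reciprocal judgement for the lower triangle
    return m


def ahp_priorities(matrix, iterations=200):
    """Return (weights, lambda_max, consistency_ratio).
    Weights are the normalised principal eigenvector (power iteration);
    CR >= 0.1 is Saaty's usual threshold for revising the judgements."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [x / total for x in aw]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX.get(n) else 0.0
    return w, lambda_max, cr


# Constructed judgements for a hypothetical web management system:
# confidentiality 3x integrity and 5x availability; integrity 3x availability.
JUDGEMENTS = {(0, 1): 3, (0, 2): 5, (1, 2): 3}

if __name__ == "__main__":
    weights, lmax, cr = ahp_priorities(reciprocal_matrix(JUDGEMENTS))
    for name, weight in sorted(zip(ATTRIBUTES, weights), key=lambda p: -p[1]):
        print(f"{name:16s} {weight:.3f}")
    verdict = "acceptable" if cr < 0.1 else "revise judgements"
    print(f"lambda_max={lmax:.4f}  CR={cr:.3f}  ({verdict})")
```

Changing any single judgement (for example, rating availability above confidentiality while keeping the other two) pushes CR past 0.1, which is the signal that the analysts' comparisons contradict each other and must be revisited before the weights are used.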