Assurance is commonly considered as "something said or done to inspire confidence" (Webster's dictionary). However, the level of confidence inspired by a statement or an action depends on the quality of its source. Similarly, the assurance that the deployed security mechanisms exhibit an appropriate posture depends on the quality of the verification process adopted. This paper presents a novel taxonomy of quality metrics pertinent for gaining assurance in a security verification process. Inspired by the Systems Security Engineering Capability Maturity Model (SSE-CMM) and the Common Criteria, we introduce five ordinal quality levels for a verification process aimed at probing the correctness of runtime security mechanisms. In addition, we analyse the mapping between the quality levels and the different capability levels of the following verification metric families: coverage, rigour, depth and independence of verification. The quality taxonomy is part of a framework for the security assurance of operational systems. These metrics can also be used for gaining assurance in other areas such as legal and safety compliance. Furthermore, the resulting metrics taxonomy could, by identifying appropriate quality security requirements, assist manufacturers of information technology (IT) in developing their products or systems. Additionally, the taxonomy could also empower consumers in IT security product selection to efficaciously and effectively match their organisational needs, while IT security evaluators can use it as a reference point when forming judgments about the quality of a security product. We demonstrate the applicability of the proposed taxonomy through access control examples.