Security assessment is largely ad hoc today due to its inherent complexity. The existing methods are typically experimental in nature and highly dependent on the assessor's experience, and the security metrics are usually qualitative. We propose to address the dual problems of experimental analysis and qualitative metrics by developing two complementary approaches for security assessment: (1) analytical modeling, and (2) metrics-based assessment. To avoid experimental evaluation, we put forward a formal model that permits the accurate and scientific analysis of different security attributes and security flaws. To avoid qualitative metrics leading to ambiguous conclusions, we put forward a collection of mathematical formulas from which quantitative metrics can be derived. The vulnerability analysis model responds to the need for a theoretical foundation for modeling information security, and security metrics are the cornerstone of risk analysis and security management. In addition to the security analysis approach, we discuss security testing methods as well. A Relative Complete Coverage (RCC) principle is proposed along with an example of applying the RCC principle. The innovative ideas proposed in this paper include a hierarchical multi-level approach to modeling vulnerability using model composition and refinement techniques, a data-centric, quantitative metrics mechanism, and multidimensional assessment capturing both process and product elements in a formalized framework.