A Security Metrics Taxonomization Model for Software-Intensive Systems

  • Published : 2009.12.31

Abstract

We introduce a novel high-level security metrics objective taxonomization model for software-intensive systems. The model systematizes and organizes security metrics development activities. It focuses on the security level and security performance of technical systems while taking into account the alignment of metrics objectives with different business and other management goals. The model emphasizes the roles of security-enforcing mechanisms, of the overall security quality of the system under investigation, and of secure system lifecycle, project and business management. Security correctness, effectiveness and efficiency are seen as the fundamental measurement objectives, determining the directions for more detailed security metrics development. Integration of the proposed model with risk-driven security metrics development approaches is also discussed.
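The three measurement objectives the abstract names (correctness, effectiveness, efficiency) and the three things it says they apply to (security-enforcing mechanisms, overall system security quality, and lifecycle/project/business management) can be made concrete as a metrics catalogue that is checked for coverage and ordered by risk. The following Python is an added example, not code from the paper: it tags each metric with an objective and a scope, reports mechanisms that lack a metric for some objective, lists threats from a risk analysis that no metric gives evidence about, and orders the catalogue by the risk of the threats each metric evidences, which is one way the risk-driven integration mentioned in the abstract can be realised. The mechanisms, threats, 1..5 likelihood/impact scale and metric names are constructed for illustration; the paper's own taxonomy is not reproduced on this page.

```python
"""Organizing a security-metrics catalogue along the objectives named in the
abstract: correctness, effectiveness and efficiency, each applied to a
security-enforcing mechanism, to overall system security quality, or to
lifecycle/project/business management, with a risk-driven ordering on top.
All mechanisms, threats and metrics below are constructed sample data."""
from dataclasses import dataclass
from enum import Enum


class Objective(Enum):
    CORRECTNESS = "correctness"      # is the mechanism/process built as specified?
    EFFECTIVENESS = "effectiveness"  # does it actually counter the threats?
    EFFICIENCY = "efficiency"        # at what cost in time, resources, money?


class Scope(Enum):
    MECHANISM = "security-enforcing mechanism"
    SYSTEM_QUALITY = "overall security quality of the system"
    MANAGEMENT = "lifecycle, project and business management"


@dataclass(frozen=True)
class Threat:
    id: str
    likelihood: int  # 1..5, assumed ordinal scale
    impact: int      # 1..5, assumed ordinal scale

    def risk(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Metric:
    name: str
    objective: Objective
    scope: Scope
    target: str          # mechanism or management area being measured
    threats: tuple = ()  # threat ids this metric gives evidence about


# Constructed sample data (not from the paper).
MECHANISMS = ("authentication", "message-integrity", "access-control")

THREATS = (
    Threat("T1", likelihood=4, impact=4),  # credential replay
    Threat("T2", likelihood=3, impact=5),  # message tampering
    Threat("T3", likelihood=2, impact=5),  # privilege escalation
    Threat("T4", likelihood=3, impact=2),  # resource exhaustion
)

METRICS = (
    Metric("auth.correctness.spec-conformance", Objective.CORRECTNESS,
           Scope.MECHANISM, "authentication", ("T1",)),
    Metric("auth.effectiveness.replay-rejection-rate", Objective.EFFECTIVENESS,
           Scope.MECHANISM, "authentication", ("T1",)),
    Metric("auth.efficiency.handshake-latency-ms", Objective.EFFICIENCY,
           Scope.MECHANISM, "authentication"),
    Metric("integrity.correctness.mac-test-pass-rate", Objective.CORRECTNESS,
           Scope.MECHANISM, "message-integrity", ("T2",)),
    Metric("integrity.effectiveness.protected-channel-share", Objective.EFFECTIVENESS,
           Scope.MECHANISM, "message-integrity", ("T2",)),
    Metric("system.effectiveness.open-high-findings", Objective.EFFECTIVENESS,
           Scope.SYSTEM_QUALITY, "system", ("T2", "T3")),
    Metric("mgmt.correctness.requirements-with-metric-share", Objective.CORRECTNESS,
           Scope.MANAGEMENT, "requirements"),
    Metric("mgmt.efficiency.security-budget-share", Objective.EFFICIENCY,
           Scope.MANAGEMENT, "project"),
)


def coverage_gaps(metrics, mechanisms):
    """Mechanisms that lack a metric for one or more of the three objectives.
    Returns {mechanism: [missing Objective, ...]} in Objective declaration order."""
    gaps = {}
    for mech in mechanisms:
        have = {m.objective for m in metrics
                if m.scope is Scope.MECHANISM and m.target == mech}
        missing = [o for o in Objective if o not in have]
        if missing:
            gaps[mech] = missing
    return gaps


def uncovered_threats(metrics, threats):
    """Threat ids from the risk analysis that no metric gives evidence about."""
    covered = {tid for m in metrics for tid in m.threats}
    return sorted(t.id for t in threats if t.id not in covered)


def prioritise(metrics, threats):
    """Risk-driven ordering: a metric ranks by the highest risk among the threats
    it evidences; ties and unlinked metrics (risk 0) are ordered by name."""
    risk_of = {t.id: t.risk() for t in threats}

    def priority(m):
        return max((risk_of[tid] for tid in m.threats), default=0)

    return sorted(metrics, key=lambda m: (-priority(m), m.name))


if __name__ == "__main__":
    for mech, missing in coverage_gaps(METRICS, MECHANISMS).items():
        print(f"gap: {mech} has no {[o.value for o in missing]} metric")
    print("threats without evidence:", uncovered_threats(METRICS, THREATS))
    for m in prioritise(METRICS, THREATS)[:3]:
        print("measure first:", m.name)
```

On the sample data the coverage check reports that access-control has no metric at all and message-integrity has no efficiency metric, the threat check reports that T4 is evidenced by nothing, and the two authentication metrics linked to the highest-risk threat come first in the risk-driven order. The point of keeping objective and scope as separate tags is that a gap is visible per cell (mechanism x objective) rather than as an undifferentiated "metrics exist for authentication".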

Keywords

References

  1. R. Savola, “A Taxonomical Approach for Information Security Metrics Development,” NordSec 2007 Supplemental Booklet of Short Papers, Reykjavík, Iceland, 11 p., Oct. 11-12, 2007.
  2. W. Jansen, “Directions in Security Metrics Research,” NIST, NISTIR 7564, 21 p., Apr. 2009.
  3. R. Savola, “Towards a Taxonomy for Information Security Metrics,” QoP 2007, Alexandria, VA, USA, pp. 28-30, Oct. 29, 2007.
  4. R. Savola, “A Novel Security Metrics Taxonomy for R&D Organizations,” ISSA 2008, Johannesburg, South Africa, pp. 379-390, Jul. 7-9, 2008.
  5. R. Henning et al., “Proceedings of the Workshop on Information Security System Scoring and Ranking: Information System Security Attribute Quantification or Ordering,” ACSA and MITRE, Williamsburg, VA, USA, May 2001, publ. 2002.
  6. N. Seddigh, P. Pieda, A. Matrawy, B. Nandy, I. Lambadaris, A. Hatfield, “Current Trends and Advances in Information Assurance Metrics,” PST 2004, Fredericton, NB, Canada, Oct. 2004.
  7. M. Swanson, “Security Self-Assessment Guide for Information Technology Systems,” NIST Special Publication 800-26, Nov. 2001.
  8. M. Swanson, N. Bartol, J. Sabato, J. Hash, L. Graffo, “Security Metrics Guide for Information Technology Systems,” NIST Special Publication 800-55, Jul. 2003.
  9. R. Vaughn, R. Henning, A. Siraj, “Information Assurance Measures and Metrics: State of Practice and Proposed Taxonomy,” HICSS 2003, Hawaii, USA, 2003.
  10. R. Savola, H. Abie, “Identification of Basic Measurable Security Components for a Distributed Messaging System,” SECURWARE 2009, Athens/Glyfada, Greece, pp. 121-128, Jun. 18-23, 2009.
  11. N. Bartol, B. Bates, K. M. Goertzel, T. Winograd, “Measuring Cyber Security and Information Assurance: A State-of-the-Art Report,” Information Assurance Technology Analysis Center (IATAC), May 2009.
  12. A. Jaquith, “Security Metrics: Replacing Fear, Uncertainty and Doubt,” Addison-Wesley, 2007.
  13. D. S. Herrmann, “Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience and ROI,” Auerbach Publications, 2007.
  14. D. B. Parker, “Computer Security Management,” Reston Publishing Company, Reston, VA, USA, 1981.
  15. ITU-T Recommendation X.805, “Security Architecture for Systems Providing End-to-End Communications,” 2003.
  16. D. Longley, M. Shain, “Data and Computer Security: Dictionary of Standards, Concepts and Terms,” Macmillan, 1987.
  17. D. Gollmann, “Computer Security,” John Wiley & Sons, 1999.
  18. R. C. Summers, “Secure Computing: Threats and Safeguards,” McGraw-Hill, 1997.
  19. A. Avižienis, J.-C. Laprie, B. Randell, C. Landwehr, “Basic Concepts and Taxonomy of Dependable and Secure Computing,” IEEE Transactions on Dependable and Secure Computing, Vol. 1, No. 1, pp. 11-33, Jan.-Mar. 2004. https://doi.org/10.1109/TDSC.2004.2
  20. B. S. Yee, “Security Metrology and the Monty Hall Problem,” Workshop on Information Security System Scoring and Ranking (WISSSR), ACSA and MITRE, Williamsburg, VA, USA, May 2001, publ. 2002.
  21. Practical Software & Systems Measurement Safety and Security Technical Working Group, “Security Measurement – White Paper,” Vers. 3.0, 67 p., Jan. 2007.
  22. M. Howard, J. Pincus, J. M. Wing, “Measuring Relative Attack Surfaces,” Workshop on Advanced Developments in Software and Systems Security, 2003.
  23. P. K. Manadhata, D. K. Kaynar, J. M. Wing, “A Formal Model for a System's Attack Surface,” Technical Report CMU-CS-07-144, Jul. 2007.
  24. ISO/IEC 21827:2003, “Information Technology – Systems Security Engineering – Capability Maturity Model (SSE-CMM),” ISO/IEC, 2003.
  25. R. Kailar, V. D. Gligor, L. Gong, “On the Security Effectiveness of Cryptographic Protocols,” 4th IFIP Working Conference on Dependable Computing for Critical Applications, Vol. 9, 1994.
  26. C. Wang, W. A. Wulf, “Towards a Framework for Security Measurement,” 20th National Information Systems Security Conference, Baltimore, MD, USA, pp. 522-533, Oct. 1997.
  27. M. Schiffman, G. Eschelbeck, D. Ahmad, A. Wright, S. Romanosky, “CVSS: A Common Vulnerability Scoring System,” U.S. National Infrastructure Advisory Council (NIAC), 2004.
  28. R. A. Martin, “Managing Vulnerabilities in Networked Systems,” IEEE Computer, Vol. 34, No. 11, Nov. 2001. https://doi.org/10.1109/2.963441
  29. M. Barrett, C. Johnson, P. Mell, S. Quinn, K. Scarfone, “Guide to Adopting and Using the Security Content Automation Protocol (SCAP),” NIST Special Publication 800-117 (Draft), NIST, 2009.
  30. B. Schneier, “Attack Trees,” Dr. Dobb's Journal, Vol. 24, No. 12, 1999.
  31. S. E. Schechter, “Computer Security Strength & Risk: A Quantitative Approach,” Ph.D. Thesis, Harvard University, Cambridge, MA, USA, 2004.
  32. S. S. Stevens, “On the Theory of Scales of Measurement,” Science, Vol. 103, No. 2684, pp. 677-680, Jun. 7, 1946. https://doi.org/10.1126/science.103.2684.677
  33. R. Savola, “Requirement Centric Security Evaluation of Software Intensive Systems,” DepCoS-RELCOMEX 2007, Szklarska Poręba, Poland, pp. 135-142, Jun. 14-16, 2007.
  34. R. Savola, “Development of Security Metrics for a Distributed Messaging System,” AICT 2009, Baku, Azerbaijan, 6 p., Oct. 14-16, 2009.
  35. R. Savola, “A Security Metrics Development Method for Software Intensive Systems,” ISA 2009, Seoul, Korea, Jun. 25-27, 2009, Springer CCIS 36, pp. 11-16, 2009.
  36. J. McHugh, “Quantitative Measures of Assurance: Prophecy, Process or Pipedream?” Workshop on Information Security System Scoring and Ranking (WISSSR), ACSA and MITRE, Williamsburg, VA, USA, May 2001, publ. 2002.
  37. D. McCallam, “The Case Against Numerical Measures of Information Assurance,” Workshop on Information Security System Scoring and Ranking (WISSSR), ACSA and MITRE, Williamsburg, VA, USA, May 2001, publ. 2002.
  38. S. M. Bellovin, “On the Brittleness of Software and the Infeasibility of Security Metrics,” IEEE Security & Privacy, p. 96, Jul./Aug. 2006.
  39. P. Burris, C. King, “A Few Good Security Metrics,” META Group Inc., Oct. 2000.

Cited by

  1. Quality of security metrics and measurements, Vol. 37, 2013. https://doi.org/10.1016/j.cose.2013.05.002
  2. Towards Measurement of Security Effectiveness Enabling Factors in Software Intensive Systems, 2014. https://doi.org/10.7763/LNSE.2014.V2.104
  3. Security Risk Visualization with Semantic Risk Model, Vol. 83, 2016. https://doi.org/10.1016/j.procs.2016.04.247