Abstract-In this paper we extend a model-based approach to security management with concepts and methods that provide a possibility for quantitative assessments. For this purpose we introduce security metrics and explain how they are aggregated using the underlying model as a frame. We measure numbers of attack of certain threats and estimate their likelihood of propagation along the dependencies in the underlying model. Using this approach we can identify which threats have the strongest impact on business security objectives and how various security controls might differ with regard to their effect in reducing these threats.
Abstract. In this paper we present the results of an exploratory qualitative study with experts. The aim of the study was the identification of potential rating variables which could be used to calculate a premium for Cyberinsurance coverages. For this purpose we have conducted semistructured qualitative interviews with a sample of 36 experts from the DACH 1 region. The gathered statements have been consolidated and further reduced to a subset of indicators which are available and difficult to manipulate. The reduced set of indicators has been presented again to the 36 experts in order to rank them according to their relative importance. In this paper we describe the results of this exploratory qualitative study and conclude by discussing implications of our findings for both research and practice.
This chapter is devoted to the continuous security analysis of service oriented systems during design and operation. The authors present the ProSecO framework which offers concepts and a process model for the elicitation of security objectives and requirements, evaluation of risks and documentation of security controls. The goal of ProSecO is to provide the analyst at any time during design and operation with information about the security state of the system. Core ideas of ProSecO are interweaved elicitation and documentation of functional and security properties based on system models and the clear separation of business oriented and technical information. The kind of information ProsecO handles is in wide parts informal and non-executable.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.