Efficient Security Measurements and Metrics for Risk Assessment

Tashi, Igli; Ghernaouti-Hélie, Solange

doi:10.1109/icimp.2008.34

Cited by 6 publications

(3 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some developed countries which applied security precaution system earlier have achieved desirable results in their studies and practice of performance evaluation [5][6] [7]. For example, the U.S. has developed various simulation models of safety precautions to aid the practice of performance evaluation of security systems targeted for preventing an invasion, some typical simulation models such as [8] [9][10] ASSESS (Analytic System and Software for Evaluating Safeguards and Security) ,FESEM (Forcible Entry Safeguards Effectiveness Model), ISEM (Insider Safeguards Effectiveness Model) , SAFE (Safeguards Automated Facility Evaluation) and etc.…”

Section: Gray System Methodsmentioning

confidence: 97%

Studies on Assessment Methods of Dynamic Protection Capability In Security Systems

Yongjun¹,

Chen²,

Guo

et al. 2010

2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing

View full text Add to dashboard Cite

The assessment of protection capability has become increasingly important with the rapid development of security systems. The assessment of protection capability is mainly composed of the definition of protection capability, the systems of evaluating indicators and assessment methods. In order to assess protection capability, the appropriate definition of it is the priority. Since there are a variety of protection capabilities in security systems which differ in different security systems, multidimensional definitions of protection capability can help to identify the protection capability in special systems more accurately. Then scientific systems of evaluating indicators should be established. The indicators of a certain protection capability differ in different conditions, thus it is necessary to establish systems of adaptive indicators, which may help evaluate the protection capability in certain security systems more exactly. Last, the accurate calculation of assessment should be taken into consideration. The study of quantitative calculation can help assess protection capability in security systems more accurately and gives guidance in the construction of security systems with the establishment of adaptive indicator systems in multidimensional protection capability because qualitative assessment can not fulfill the needs of the rapid development of security systems. The project studies a partial solution to the assessment of protection capability in security system and further meets the security industry's urgent needs for assessment of protection capability.

show abstract

Section: Gray System Methodsmentioning

confidence: 97%

Studies on Assessment Methods of Dynamic Protection Capability In Security Systems

Yongjun¹,

Chen²,

Guo

et al. 2010

2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing

View full text Add to dashboard Cite

show abstract

“…The comparative analysis of some management security standards for information systems was studied by Sipponen and Willison [21], adopting them to validate the market's acceptable practices. At the same time, Tashi and Outi-Hélie [22] sought to analyze the evaluation metrics for security standards following ISO 17799: 2005 and ISO 27001 standards.…”

Section: B Information Security and The Common Criteria Standardmentioning

confidence: 99%

“…The discussion about information security in scientific literature shows a search for the foundation of cybersecurity systems and an effort to develop tools and methodologies for product homologation [12,13,14,18,21,22,23,24,77]. Moreover, national systems and private companies have invested in such an effort as they could and should be expected to do [19,66,61].…”

Section: Summary and Decision About Information Security Standardsmentioning

confidence: 99%

Proposal and Validation of a Standard Protection Profile for Homologation of Commercial Videoconferencing Equipment

2021

View full text Add to dashboard Cite

In the present work, we propose and validate a Common Criteria Standard Protection Profile (sPP) for videoconferencing equipment. The research presents the definition and analysis of the homologation system used to validate the standard protection profile, focusing on its application focused in a large Brazilian financial company. We address the main points to consider in the acquisition and current use of this product: reasonable information security assumptions, technical standards, recommendations, and international best cybersecurity practices. As a result, we have developed a Standard Protection Profile identifying the information security risks involved and the minimum parameters required in those systems acquired and used for Government environments. This paper also presents all tests performed to validate the proposed sPP. As the application is critical, involving sensitive data, our results can also foster less risky conditions in the myriad situations caused by the COVID pandemic.

show abstract

Deriving an information security assurance indicator at the organizational level

Pathari

Sonar²

2013

Information Management &Amp; Computer Security

View full text Add to dashboard Cite

Purpose – Measurement of information security assurance (ISA) is an important but difficult task. This paper aims to propose a framework, which helps in refining information security requirements into controls whose effectiveness can be measured. This work also provides aggregation techniques to combine these measurements so as to obtain an indicator for ISA at the organizational level. Design/methodology/approach – A top-down approach of refining security objectives to measurable independent tasks is carried out using assign graph as the model. This captures the various objectives and their interrelationships whose initial values and relative impacts are obtained from experts. Using fuzzy cognitive model (FCM), these initial values are combined together to obtain an indicator for ISA at the firm's level. Findings – The two applications of the framework revealed that interrelationships do exist between the different controls employed in actual security implementations and that these dependencies are seldom accounted for. When those few controls that are to be measured are clearly identified, the security experts can focus their attention on them and ensure their correct implementation and appropriate measurement. The extent of impact of a single control on the overall security picture of the firm can also be found using this approach. Research limitations/implications – While the framework is generic, the assurance values obtained are context-sensitive. This is primarily because of the subjectivity involved in assigning impact measures and initial values. Practical implications – This work helps in answering two difficult questions in information security management: “what to measure?” and “how to quantify the overall security assurance of the organization?” This assists the information security team in identifying and refining those controls that needs to be appropriately emphasized. The proposed framework helps the top management in doing “what-if” analysis, thereby aiding their decision-making for information security investments. Originality/value – The novel framework proposes a top-down approach for security control refinement and a bottom-up approach for combining the confidence values to obtain an indicator for ISA. This work identifies and accommodates the possibilities of having interdependencies between security controls. The proposed aggregation method using FCM is being applied for the first time in information security context and provides convergence even in the presence of cyclic dependencies amongst the controls.

show abstract

Efficient Security Measurements and Metrics for Risk Assessment

Cited by 6 publications

References 7 publications

Studies on Assessment Methods of Dynamic Protection Capability In Security Systems

Studies on Assessment Methods of Dynamic Protection Capability In Security Systems

Proposal and Validation of a Standard Protection Profile for Homologation of Commercial Videoconferencing Equipment

Deriving an information security assurance indicator at the organizational level

Contact Info

Product

Resources

About