Information assurance measures and metrics - state of practice and proposed taxonomy

Vaughn, Rayford B.; Henning, Ronda R.; Siraj, Ambareen

doi:10.1109/hicss.2003.1174904

Cited by 83 publications

(53 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, our attack surface metric does not cover side channel attacks. The 2001 Workshop on Information-Security-System Rating and Ranking observed that there will be no successful single security metric that can be used to quantify the security of a system and multiple metrics will most certainly be used [34]. The attack surface metric can be used as one of such multiple metrics.…”

Section: Attack Surface Metricmentioning

confidence: 99%

See 1 more Smart Citation

An Approach to Measuring a System's Attack Surface

Manadhata¹,

Tan²,

Maxion³

et al. 2007

View full text Add to dashboard Cite

Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. Practical software security measurements and metrics are critical to the improvement of software security. We propose a metric to determine whether one software system is more secure than another similar system with respect to their attack surface. We use a system's attack surface measurement as an indicator of the system's security; the larger the attack surface, the more insecure the system. We measure a system's attack surface in terms of three kinds of resources used in attacks on the system: methods, channels, and data. We demonstrate the use of our attack surface metric by measuring the attack surfaces of two open source IMAP servers and two FTP daemons. We validated the attack surface metric by conducting an expert user survey and by performing statistical analysis of Microsoft Security Bulletins. Our metric can be used as a tool by software developers in the software development process and by software consumers in their decision making process. AbstractPractical software security measurements and metrics are critical to the improvement of software security. We propose a metric to determine whether one software system is more secure than another similar system with respect to their attack surface. We use a system's attack surface measurement as an indicator of the system's security; the larger the attack surface, the more insecure the system. We measure a system's attack surface in terms of three kinds of resources used in attacks on the system: methods, channels, and data. We demonstrate the use of our attack surface metric by measuring the attack surfaces of two open source IMAP servers and two FTP daemons. We validated the attack surface metric by conducting an expert user survey and by performing statistical analysis of Microsoft Security Bulletins. Our metric can be used as a tool by software developers in the software development process and by software consumers in their decision making process.

show abstract

Section: Attack Surface Metricmentioning

confidence: 99%

“…Measurement of security, both qualitatively and quantitatively, has been a long standing challenge to the research community and is of practical import to software industry today [6,23,34]. Software industry has responded to demands for improvement in software security by increasing effort for creating "more secure" products and services.…”

Section: Introductionmentioning

confidence: 99%

An Approach to Measuring a System's Attack Surface

Manadhata¹,

Tan²,

Maxion³

et al. 2007

View full text Add to dashboard Cite

show abstract

“…Vaughn et al [9] propose taxonomy for information assurance metrics consisting of organizational security metrics and metrics for "Technical Target of Assessment". The authors divide the latter metrics into strength and weakness metrics -which are also part of the SMOS model, along with further characteristic dimensions.…”

Section: Related Workmentioning

confidence: 99%

“…Seddigh et al [9] introduce an information assurance metrics taxonomy for IT network assessment in [6]. Their taxonomy divides the metrics space into three categories: security, Quality of Service (QoS) and availability.…”

Section: Related Workmentioning

confidence: 99%

A Security Metrics Taxonomization Model for Software-Intensive Systems

Savola¹

2009

Journal of Information Processing Systems

View full text Add to dashboard Cite

Abstract:We introduce a novel high-level security metrics objective taxonomization model for software-intensive systems. The model systematizes and organizes security metrics development activities. It focuses on the security level and security performance of technical systems while taking into account the alignment of metrics objectives with different business and other management goals. The model emphasizes the roles of security-enforcing mechanisms, the overall security quality of the system under investigation, and secure system lifecycle, project and business management. Security correctness, effectiveness and efficiency are seen as the fundamental measurement objectives, determining the directions for more detailed security metrics development. Integration of the proposed model with riskdriven security metrics development approaches is also discussed.

show abstract

“…We identified two perspectives on such metrics: The first perspective is aligned to the objects the metrics refer to. [36] propose a taxonomy for information assurance metrics consisting of organizational security metrics and metrics for "Technical Target of Assessment". [29] suggest a high-level information security metrics taxonomy that divides business-level security metrics into five categories: (1) trust metrics for business collaboration, (2) security metrics for business-level risk management, (3) security metrics for information security management in the organization, (4) security metrics for cost-benefit analysis, and (5) security, dependability and trust metrics for ICT products, systems and services.…”

Section: Related Workmentioning

confidence: 99%

A formal approach towards measuring trust in distributed systems

Schryen

Volkamer

Ries

et al. 2011

Proceedings of the 2011 ACM Symposium on Applied Computing

View full text Add to dashboard Cite

Emerging digital environments and infrastructures, such as distributed security services and distributed computing services, have generated new options of communication, information sharing, and resource utilization in past years. However, when distributed services are used, the question arises of to what extent we can trust service providers to not violate security requirements, whether in isolation or jointly. Answering this question is crucial for designing trustworthy distributed systems and selecting trustworthy service providers. This paper presents a novel trust measurement method for distributed systems, and makes use of propositional logic and probability theory. The results of the qualitative part include the specification of a formal trust language and the representation of its terms by means of propositional logic formulas. Based on these formulas, the quantitative part returns trust metrics for the determination of trustworthiness with which given distributed systems are assumed to fulfill a particular security requirement.

show abstract

Information assurance measures and metrics - state of practice and proposed taxonomy

Cited by 83 publications

References 3 publications

An Approach to Measuring a System's Attack Surface

An Approach to Measuring a System's Attack Surface

A Security Metrics Taxonomization Model for Software-Intensive Systems

A formal approach towards measuring trust in distributed systems

Contact Info

Product

Resources

About