Certification and evaluation: A security economics perspective | IEEE Conference Publication | IEEE Xplore
Certification and evaluation: A security economics perspective


Abstract:

There has been some discussion in the industrial control system security community of evaluation and certification. There are already at least two independent third party evaluators, and some have advocated common criteria certification of products used in critical systems. The broader IT security community has considerable experience of evaluation and certification, which we seek to summarise and share in this paper. Certification is not a silver bullet, and can very easily end up as spin rather than substance: as 'security theatre' designed to reassure customers or regulators rather than a genuine risk-reduction mechanism. It can also be very expensive, and once entrenched it can impose deadweight costs on industry that are difficult to eliminate even when certification processes are widely seen as failing. We discuss a number of further issues such as perverse incentives, usability and liability and argue that the industry should proceed with great caution.
Date of Conference: 22-25 September 2009
Date Added to IEEE Xplore: 04 December 2009
Conference Location: Palma de Mallorca, Spain
