DOI: 10.1145/1167253.1167295

Information security models and metrics

Published: 18 March 2005

Abstract

Security assessment is largely ad hoc today because of its inherent complexity. Existing methods are typically experimental in nature and highly dependent on the assessor's experience, and the security metrics are usually qualitative. We propose to address the dual problems of experimental analysis and qualitative metrics by developing two complementary approaches to security assessment: (1) analytical modeling and (2) metrics-based assessment. To avoid experimental evaluation, we put forward a formal model that permits accurate, scientific analysis of different security attributes and security flaws. To avoid qualitative metrics that lead to ambiguous conclusions, we put forward a collection of mathematical formulas from which quantitative metrics can be derived. The vulnerability analysis model responds to the need for a theoretical foundation for modeling information security, and security metrics are the cornerstone of risk analysis and security management. In addition to the security analysis approach, we also discuss security testing methods. A Relative Complete Coverage (RCC) principle is proposed, along with an example of applying it. The innovative ideas proposed in this paper include a hierarchical, multi-level approach to modeling vulnerability using model composition and refinement techniques; a data-centric, quantitative metrics mechanism; and multidimensional assessment that captures both process and product elements in a formalized framework.


Published In

ACMSE '05 vol 2: Proceedings of the 43rd annual ACM Southeast Conference - Volume 2
March 2005
430 pages
ISBN: 1595930590
DOI: 10.1145/1167253
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. information security
  2. measurement
  3. modeling
  4. policy and mechanisms
  5. validation
  6. verification

Qualifiers

  • Article

Conference

ACM SE05: ACM Southeast Regional Conference 2005
Sponsor: ACM SE05
March 18 - 20, 2005
Kennesaw, Georgia

Acceptance Rates

Overall Acceptance Rate 502 of 1,023 submissions, 49%

Cited By

  • (2024) "Assessing the Vulnerability of Information Security Models to Malware in Networked Applications", 2024 2nd International Conference on Artificial Intelligence and Machine Learning Applications Theme: Healthcare and Internet of Things (AIMLA), pp. 1-6, doi:10.1109/AIMLA59606.2024.10531391, online publication date: 15-Mar-2024
  • (2023) "Examining the Influence of Knowledge, Social Influence, Trust and Behaviour Factors on Digital Advertisement Based on Information Security Model", 2023 International Conference on Information Management and Technology (ICIMTech), pp. 585-590, doi:10.1109/ICIMTech59029.2023.10278012, online publication date: 24-Aug-2023
  • (2022) "Review of Works Content Analyzer for Information Leakage Detection and Prevention in Android Smart Devices", ABUAD International Journal of Natural and Applied Sciences 2:1, pp. 12-28, doi:10.53982/aijnas.2022.0201.02-j, online publication date: 30-Mar-2022
  • (2020) "Evaluating mean time to security failure based on continuous-time Markov chains", Mathematical Structures and Modeling, pp. 112-125, doi:10.24147/2222-8772.2020.4.112-125, online publication date: 18-Dec-2020
  • (2020) "Using a Markov cyberattack model for evaluation of security metrics", Mathematical Structures and Modeling, pp. 129-144, doi:10.24147/2222-8772.2020.2.129-144, online publication date: 5-Oct-2020
  • (2020) "Information Security Awareness of Students on Academic Information System Using Kruger Approach", 2020 8th International Conference on Cyber and IT Service Management (CITSM), pp. 1-7, doi:10.1109/CITSM50537.2020.9268795, online publication date: 23-Oct-2020
  • (2019) "Review of Innovative Cyberspace Security Research Inspired by Bionics Computing Methods", 2019 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computing, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI), pp. 1486-1493, doi:10.1109/SmartWorld-UIC-ATC-SCALCOM-IOP-SCI.2019.00268, online publication date: Aug-2019
  • (2019) "On the Impact of Generative Policies on Security Metrics", 2019 IEEE International Conference on Smart Computing (SMARTCOMP), pp. 104-109, doi:10.1109/SMARTCOMP.2019.00037, online publication date: Jun-2019
  • (2019) "ROSploit: Cybersecurity Tool for ROS", 2019 Third IEEE International Conference on Robotic Computing (IRC), pp. 415-416, doi:10.1109/IRC.2019.00077, online publication date: Feb-2019
  • (2018) "Load balancing of renewable energy: a cyber security analysis", Energy Informatics 1:1, doi:10.1186/s42162-018-0010-x, online publication date: 26-Jul-2018
