Security compliance: the next frontier in security research

Published: 22 September 2008

Abstract

Practitioners as well as researchers have repeatedly deplored that IT security research has failed to produce practical solutions to growing security threats. This paper attributes this failure to the fact that IT departments no longer invest in security as an ideal. Rather, money is being spent on technologies that enable compliance with security requirements. Academia has not embraced this shift in perspective and still tries to "sell" security when organizations seek to "buy" compliance. This disconnect has led to research that fails to improve real-world security because it is not embraced in the marketplace. The conclusion drawn in this paper is that academia needs to complement current security research with additional research into security compliance. To encourage more work in this relatively new direction, the paper describes the major compliance research challenges that await solutions.




Published In

NSPW '08: Proceedings of the 2008 New Security Paradigms Workshop
August 2009, 144 pages
ISBN: 9781605583419
DOI: 10.1145/1595676

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. compliance
  2. economics
  3. security


Conference

NSPW '08: 2008 New Security Paradigms Workshop
September 22-25, 2008
Lake Tahoe, California, USA

Acceptance Rates

Overall Acceptance Rate 98 of 265 submissions, 37%


Cited By

  • (2024) Cyber Security Control Systems for Operational Technology. Industrial Control Systems, pp. 285-302. DOI: 10.1002/9781119829430.ch13. Online publication date: 21-Feb-2024.
  • (2023) A Mapping Tool for Normative Requirements. Proceedings of the 31st International Conference on Information Systems Development. DOI: 10.62036/ISD.2023.4. Online publication date: 2023.
  • (2023) Cyber Security Control Systems for Operational Technology. 2023 Second International Conference on Electronics and Renewable Systems (ICEARS), pp. 1-8. DOI: 10.1109/ICEARS56392.2023.10085345. Online publication date: 2-Mar-2023.
  • (2023) The Current State of Security Governance and Compliance in Large-Scale Agile Development: A Systematic Literature Review and Interview Study. 2023 IEEE 25th Conference on Business Informatics (CBI), pp. 1-10. DOI: 10.1109/CBI58679.2023.10187439. Online publication date: 21-Jun-2023.
  • (2023) Formulating the Compliance Problem. Essays on the Visualisation of Legal Informatics, pp. 227-240. DOI: 10.1007/978-3-031-27957-7_24. Online publication date: 19-May-2023.
  • (2022) Holding on to Compliance While Adopting DevSecOps: An SLR. Electronics 11(22), 3707. DOI: 10.3390/electronics11223707. Online publication date: 12-Nov-2022.
  • (2022) Providing Compliance in Critical Computing Systems. System Dependability and Analytics, pp. 191-206. DOI: 10.1007/978-3-031-02063-6_10. Online publication date: 26-Jul-2022.
  • (2021) Tackling Cybersecurity Regulatory Challenges: A Proposed Research Framework. The Role of e-Business during the Time of Grand Challenges, pp. 12-24. DOI: 10.1007/978-3-030-79454-5_2. Online publication date: 26-Jun-2021.
  • (2018) Continuous Compliance: Experiences, Challenges, and Opportunities. 2018 IEEE World Congress on Services (SERVICES), pp. 31-32. DOI: 10.1109/SERVICES.2018.00029. Online publication date: Jul-2018.
  • (2015) Developing Metrics for Surveillance Impact Assessment. Proceedings of the 2015 IEEE 39th Annual Computer Software and Applications Conference - Volume 03, pp. 297-302. DOI: 10.1109/COMPSAC.2015.245. Online publication date: 1-Jul-2015.
