DOI: 10.1145/1719030.1719036
research-article

Quantified security is a weak hypothesis: a critical survey of results and assumptions

Published: 8 September 2009

ABSTRACT

This paper critically surveys previous work on the quantitative representation and analysis of security. Such quantified security has been presented as a general approach to precisely assessing and controlling security. We classify a significant part of the work published between 1981 and 2008 with respect to security perspective, target of quantification, underlying assumptions and type of validation. The result shows that the validity of most methods is still strikingly unclear. Despite the application of a number of techniques from fields such as computer science, economics and reliability theory to the problem, it is unclear what valid results exist with respect to operational security. Quantified security is thus a weak hypothesis because of the lack of validation of such methods against empirical data and the lack of comparison between them. Furthermore, many assumptions in formal treatments have been adopted from other fields and are not empirically well supported in operational security. A number of risks arise from depending on quantitative methods with limited or no validation.


Published in: NSPW '09: Proceedings of the 2009 workshop on New security paradigms workshop, September 2009, 156 pages, ISBN 9781605588452, DOI 10.1145/1719030

                  Copyright © 2009 ACM

                  Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance rate: 62 of 170 submissions (36%)
