ABSTRACT
Measuring any complex, operational system is challenging because its components evolve continuously and independently of one another. Security risks add a further dimension of change, which is reflected in risk management and security assurance activities. Which measurements are available, and what their properties are, varies over the system lifecycle. To be useful, a measurement framework in this context must adapt both to changes in the target of measurement and to changes in the available measurement infrastructure. In this study, we introduce a taxonomy-based approach that relates the available and attainable measurements to the measurement requirements of security assurance plans through an Abstraction Layer that makes these dynamic features easier to manage. The approach is investigated using a security assurance case example of firewall functionality in a Push E-mail service system.
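The abstract describes the Abstraction Layer only at concept level. The following is an added Python illustration, not code from the paper or its authors, of one way such a layer can be realised: a small taxonomy of measurement kinds, assurance-plan requirements expressed as taxonomy nodes, and measurement sources tagged with the node they produce. The taxonomy nodes, source names, requirement identifiers (FW-1 to FW-4) and precision ranks are all constructed for this example and are not the paper's. The scenario resolves a firewall assurance plan against the sources, then marks one source unavailable and re-resolves, so that one requirement falls back to a less specific source while another becomes unmet and is reported as a coverage gap.

```python
"""Toy abstraction layer between assurance-plan measurement requirements and
the measurement sources currently available. Everything here (taxonomy,
sources, requirements, precision ranks) is constructed for illustration."""
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed taxonomy: child node -> parent node (None marks the root).
# Inner nodes group kinds of measurement; leaves are concrete measurements.
TAXONOMY = {
    "network.firewall.traffic.rule_hits": "network.firewall.traffic",
    "network.firewall.traffic.denied_connections": "network.firewall.traffic",
    "network.firewall.traffic": "network.firewall",
    "network.firewall.config.drift": "network.firewall.config",
    "network.firewall.config": "network.firewall",
    "network.firewall": "network",
    "network.ids.alerts": "network.ids",
    "network.ids": "network",
    "network": None,
}


def ancestors(node: str) -> Iterator[str]:
    """Yield the node itself, then each parent up to the root."""
    while node is not None:
        yield node
        node = TAXONOMY[node]


@dataclass
class Source:
    name: str
    kind: str              # taxonomy node this source measures
    available: bool = True
    precision: int = 1     # constructed rank: higher = more specific/trustworthy


@dataclass
class Requirement:
    plan_item: str         # assurance-plan item the measurement supports
    kind: str              # taxonomy node required; may be an inner node
    min_precision: int = 1


@dataclass
class Resolution:
    requirement: Requirement
    source: Optional[Source]   # None when no available source satisfies it
    exact: bool                # True if the source measures exactly the node asked for


def resolve(requirements: List[Requirement], sources: List[Source]) -> List[Resolution]:
    """Map each requirement to the best currently available source.

    A source satisfies a requirement when the required node is the source's
    own node or one of its ancestors, i.e. the source measures something at
    least as specific as what the plan asks for. Exact matches are preferred,
    then higher precision."""
    results = []
    for req in requirements:
        candidates = [
            s for s in sources
            if s.available
            and s.precision >= req.min_precision
            and req.kind in ancestors(s.kind)
        ]
        if candidates:
            best = max(candidates, key=lambda s: (s.kind == req.kind, s.precision))
            results.append(Resolution(req, best, best.kind == req.kind))
        else:
            results.append(Resolution(req, None, False))
    return results


def coverage(resolutions: List[Resolution]):
    """Fraction of requirements that have a source, plus the unmet plan items."""
    met = sum(1 for r in resolutions if r.source is not None)
    unmet = sorted(r.requirement.plan_item for r in resolutions if r.source is None)
    return met / len(resolutions), unmet


def firewall_scenario():
    """Constructed firewall example: resolve the plan, lose a source, re-resolve."""
    sources = [
        Source("fw-log-collector", "network.firewall.traffic.rule_hits", precision=3),
        Source("fw-snmp-poller", "network.firewall.traffic.denied_connections", precision=1),
        Source("fw-config-audit", "network.firewall.config.drift", precision=2),
    ]
    requirements = [
        Requirement("FW-1 rules are enforced", "network.firewall.traffic.rule_hits", min_precision=2),
        Requirement("FW-2 unauthorized traffic is blocked", "network.firewall.traffic"),
        Requirement("FW-3 configuration matches baseline", "network.firewall.config.drift"),
        Requirement("FW-4 intrusions are detected", "network.ids.alerts"),
    ]
    before = resolve(requirements, sources)
    sources[0].available = False      # the log collector drops out of the infrastructure
    after = resolve(requirements, sources)
    return before, after


if __name__ == "__main__":
    for label, res in zip(("initial", "after losing fw-log-collector"), firewall_scenario()):
        frac, unmet = coverage(res)
        print(f"{label}: coverage {frac:.2f}, unmet {unmet}")
        for r in res:
            src = r.source.name if r.source else "-"
            print(f"  {r.requirement.plan_item:40s} -> {src} {'(exact)' if r.exact else ''}")
```

In the run, FW-2 is first served by the high-precision log collector even though it asks only for the inner node `network.firewall.traffic`; once that source is gone it falls back to the SNMP poller, while FW-1, which needs the specific `rule_hits` measurement at precision 2 or better, has no substitute and shows up in the gap list together with FW-4. Re-running `resolve` whenever the source inventory or the plan changes is what lets the layer track both kinds of change the abstract mentions.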
Towards an abstraction layer for security assurance measurements (invited paper)