Formal analysis of security metrics and risk

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 6633 LNCS, Issue , 2011, Pages 304-319

  Krautsevich, Leanid ^a   Martinelli, Fabio ^b   Yautsiukhin, Artsiom ^b  

^a UNIVERSITY OF PISA   (Italy)

^b Italy   (Italy)

Author keywords

[No Author keywords available]

Indexed keywords

FORMAL ANALYSIS; FORMAL DEFINITION; HARD TASK; SECURITY METRICS;

MOBILE DEVICES; WIRELESS TELECOMMUNICATION SYSTEMS; MOBILE SECURITY; QUALITY CONTROL; RISK ASSESSMENT; SECURE COMMUNICATION;

SECURITY OF DATA;

EID: 79958775085     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-21040-2_22     Document Type: Conference Paper

References (27)

1. Bae, S.J., et al.: Degradation models and implied lifetime distributions. Reliability Engineering & System Safety 92(5), 601-608 (2007)
2. Butler, S.A.: Security attribute evaluation method: a cost-benefit approach. In: Proceedings of the 24th International Conference on Software Engineering (ICSE 2002), pp. 232-240. ACM Press, New York (2002)
3. Casola, V., et al.: A SLA evaluation methodology in Service Oriented Architectures. In: Proceedings of the 1st Workshop on Quality of Protection, Milan, Italy. Springer, Heidelberg (2005)
4. Eloff, M.M., von Solms, S.H.: Information security management: An approach to combine process certification and product evaluation. Computers & Security 19(8), 609-698 (2000)
5. Gordon, L., Loeb, M.: The economics of information security investment. ACM Transactions on Information and System Security 5(4), 438-457 (2003)
6. Gordon, L.A., Loeb, M.P.: Managing Cybersecurity Resources: a Cost-Benefit Analysis. McGraw-Hill, New York (2006)
7. Herrmann, D.S.: Complete Guide to Security and Privacy Metrics. Measuring Regulatory Compliance, Operational Resilience, and ROI. Auerbach Publications (2007)
8. ISO/IEC. ISO/IEC 27002:2005 Information technology - Security techniques - Code of Practice for Information Security Management (2005)
9. Jansen, W.: Directions in security metric research. Technical Report NISTIR 7564, National institute of Standards and Technology (2009)
10. Jaquith, A.: Security metrics: replacing fear, uncertainty, and doubt. Addison- Wesley, Reading (2007)
11. Jonsson, E., Olovsson, T.: A quantitative model of the security intrusion process based on attacker behavior. IEEE Transactions on Software Engineering 23(4), 235-245 (1997)
12. Karjoth, G., et al.: Service-oriented assurance comprehensive security by explicit assurances. In: Proceedings of the 1st Workshop on Quality of Protection, Milan, Italy. Springer, Heidelberg (2005)
13. Krautsevich, L., et al.: Formal approach to security metrics. what does "more secure" mean for you? In: Proceedings of the 1st International Workshop on Measurability of Security in Software Architectures. ACM Press, New York (2010)
14. Madan, B.B., Goseva-Popstojanova, K., Vaidyanathan, K., Trivedi, K.S.: A method for modeling and quantifying the security attributes of intrusion tolerant systems. Performance Evaluatin Journal 1-4(56), 167-186 (2004)
15. Manadhata, P., Wing, J.: Measuring a system's attack surface. Technical Report CMU-TR-04-102, Carnegie Mellon University (2004)
16. Manadhata, P., Wing, J.M.: An attack surface metric. Technical Report CMU-CS- 05-155, School of Computer Science. Carnegie Mellon University (2005)
17. Manadhata, P.K., et al.: An approach to measuring a systems attack surface. Technical Report CMU-CS-07-146, School of Computer Science. Carnegie Mellon University (2007)
18. Mullen, R.: The lognormal distribution of software failure rates: application to software reliability growth modeling. In: The Ninth International Symposium on Software Reliability Engineering, pp. 134-142 (November 1998)
19. Ortalo, R., et al.: Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Transactions on Software Engineering 25(5), 633-650 (1999)
20. Pamula, J., et al.: A weakest-adversary security metric for network configuration security analysis. In: QoP 2006: Proceedings of the 2nd ACMWorkshop on Quality of Protection, pp. 31-38. ACM Press, New York (2006)
21. Schechter, S.E.: How to buy better testing. In: Davida, G.I., Frankel, Y., Rees, O. (eds.) InfraSec 2002. LNCS, vol. 2437, pp. 73-87. Springer, Heidelberg (2002)
22. Stewart, A.: On risk: perception and direction. Computers & Security 23(5), 362-370 (2004)
23. Stoneburner, G., et al.: Risk management guide for information technology systems. Technical Report 800-30, National Institute of Standards and Technology (2001)
24. Swanson, M., et al.: Security metrics guide for information technology systems. Technical Report 800-55, National Institute of Standards and Technology (2003)
25. Vaughn, R.B., et al.: Information assurance measures and metrics - state of practice and proposed taxonomy. In: Proceedings of the 36th Annual Hawaii International Conference on System Sciences (January 2003)
26. Wang, L., et al.: An attack graph-based probabilistic security metric. In: Proceeedings of the 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, pp. 283-296. Springer, Heidelberg (2008)
27. Wang, L., et al.: Minimum-cost network hardening using attack graphs. Computer Communications 29(18), 3812-3824 (2006)