Appraisal and reporting of security assurance at operational systems level

Journal of Systems and Software

Volumn 85, Issue 1, 2012, Pages 193-208

  Ouedraogo, Moussa ^a,b   Khadraoui, Djamel ^a   Mouratidis, Haralambos ^b   Dubois, Eric ^a  

^a LUXEMBOURG INSTITUTE OF SCIENCE AND TECHNOLOGY   (Luxembourg)

^b UNIVERSITY OF EAST LONDON   (United Kingdom)

Author keywords

Measurement; Metrics specification; Probes; Risk; Security assurance; Security mechanisms; Verification of security; Verification process quality

Indexed keywords

INSURANCE COMPANIES; METRICS SPECIFICATION; OPERATIONAL SYSTEMS; RUNTIME SYSTEMS; SECURITY ASSURANCE; SECURITY MECHANISM; VERIFICATION PROCESS QUALITY;

INSURANCE;

EID: 80755140556     PISSN: 01641212     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.jss.2011.08.013     Document Type: Article

References (54)

1. T. Beth, M. Borcherding, and B. Klein Valuation of trust in open networks Proceedings of the European Symposium on Research in Computer Security Brighton, UK 1994
2. Y. Benchaïb, and A. Hecker VIRCONEL: a new emulation environment for experiments with networked IT systems Proceedings of High Performance Computing & Simulation Conference 2008 Nicosia, Cyprus 2008
3. D. Bodeau Information assurance assessment: lessons-learned and challenges Proceedings of WISSSR, 2001 Williamsburg, VA 2001
4. E. Bulut, D. Khadraoui, and B. Marquet Multi-agent based security assurance monitoring system for telecommunication infrastructures Proceedings to the Communication, Network, and Information Security Conference Berkely/California 2007
5. Common Criteria Sponsoring Organizations Common Criteria for information Technology, Part 1-3, Version 3.1 2006 Geneva Switzerland
6. D.L. Evans, P.J. Bond, and A.L. Bement Standards for Security Categorization of Federal Information and Information Systems 2004 NIST Gaithersburg MD
7. M. Feather, S.L. Cornford, K.A. Hicks, J.D. Kiper, and T. Menzies T. A Broad Quantitative Model for Making Requirements Decisions IEEE Software 25 2 2008 49 56 (Pubitemid 351404575)
8. E. Fong, M. Kass, T. Rhodes, and F. Boland Structured assurance case methodology for assessing software trustworthiness Proceedings of the Fourth International Conference on Secure Software. Integration and Reliability Improvement 2010 IEEE Computer Society Singapore 32 33
9. Furnell, S.M.; 2009. The irreversible march of technology, Information Security Technical Report 14(4), 176-180, Elsevier.
10. L. Grunske Early quality prediction of component-based systems - a generic framework Journal of Systems and Software 80 5 2007 p.678 p.686 (Pubitemid 46367889)
11. L. Grunske, and D. Joyce Quantitative risk-based security prediction for component-based systems with explicitly modeled attack profiles Journal of Systems and Software 81 8 2008 1327 1345
12. A. Hecker On system security metrics and the definition approaches Proceedings of the Second International Conference on Emerging Security Information, Systems and Technologies Cap Esterel 2008 412 419
13. A. Hecker, and M. Riguidel On the operational security assurance evaluation of networked IT systems Lecture Notes in Computer Science 2009 266 278 5764/2009
14. E. Herrera-Viedma, L. Martinez, F. Mata, and F. Chiclana A consensus support system model for group decision-making problems with multi-granular linguistic preference relations IEEE Transactions on Fuzzy Systems 13 5 2005 644 658 (Pubitemid 41555591)
15. D.K. Holstein A systems dynamics view of security assurance issues - The curse of complexity and avoiding chaos Proceedings of the 42nd Hawaii International Conference on System Sciences Hawaii, USA 2009
16. S.H. Houmb, and J. Jürjens Developing secure networked web-based systems using model-based risk assessment and UMLsec Proceedings of the 10th Asia-Pacific Software Engineering Conference (APSEC 2003) Chiang mai, Thailand 2003
17. S.H. Houmb, G. Georg, R.B. France, J.M. Bieman, and J. Jürjens Cost-benefit trade-off analysis using BBN for aspect-oriented risk-driven development Proceedings of ICECCS 2005 2005
18. S.H. Houmb, S. Islam, E. Knauss, J. Jürjens, and K. Schneider Eliciting security requirements and tracing them to design: an integration of common criteria, heuristics, and UMLsec Requirements Engineering Journal (REJ) 15 1 2010 63 93
19. ISO/IEC, 2007. Systems and Software Engineering - Measurement Process. ISO/IEC15939, Geneva, Switzerland.
20. ISO/IEC, 2009. Information Technology - Security Techniques - Information Security Management Measurements. ISO/IEC27004, Geneva, Switzerland.
21. ISO/IEC, 2008. Information Technology - Security Techniques - Information Security Risk Management. ISO/IEC27005, Geneva, Switzerland.
22. Jansen W.; 2009. Directions in Security Metrics Research. National Institute of Standards and Technology, Special publication #NISTIR 7564, NIST, Gaithersburg, MD.
23. G.F. Jelen, and J.R. Williams A practical approach to measuring assurance Proceedings of the 14th Annual Computer Security Applications Conference (ACSAC 98) 1998 333
24. N.R. Jennings An agent-based software engineering Proceedings of the 9th European workshop on Modelling Autonomous Agents in a Multi-Agent World: Multi-Agent System Engineering (MAAMAW-99), Spain 1999
25. K. Julisch Security compliance: the next frontier in security research Proceedings of the New Security Paradigms Workshop, 71-74.ACM 2008
26. J. Jürjens Secure Systems Development with UML 2005 Springer Berlin
27. T.J. Klevinsky, S.A. Laliberte, and A. Gupta Hack I.T - Security Through Penetration Testing 2002 Addison-Wesley Boston, Massachusetts, USA
28. J. Lee, J. Lee, S. Lee, and B. Choi A CC-based security engineering process evaluation model Proceedings of the 27th Annual International Computer Software and Applications Conference Dallas, Texas 2003
29. T. Liang, and Z. Ming-Tian A new evaluation strategy based on combining CC and SSE-CMM for security systems and products Proceedings of the fifth International Conference on Grid and Cooperative Computing Hunan, China 2006 395 403 (Pubitemid 351165011)
30. B. Marquet, S. Dubus, and C. Blad Security assurance profile for large and heterogeneous telecom and IT infrastructures Proceedings of the Seventh International Symposium on Risk Management and Cyber-Informatics Orlando, Florida, USA 2010
31. H. Mouratidis, and P. Giorgini Secure Tropos: a security-oriented extension of the Tropos methodology International Journal of Software Engineering and Knowledge Engineering 17 2 2007 285 309 (Pubitemid 46782074)
32. H. Mouratidis, and P. Giorgini Security Attack Testing (SAT) - testing the security of information systems at design time Information System 32 8 2007 1166 1183 (Pubitemid 47379495)
33. National Vulnerability Database (NVD). http://nvd.nist.gov/ (accessed 10.11.10).
34. OLF Guideline No. 123: Classification of Process Control, Safety and Support ICT Systems Based on Criticality, Norway, 2009.
35. M. Ouedraogo, D. Khadraoui, B. De Rémont, E. Dubois, and H. Mouratidis Deployment of a security assurance monitoring framework for telecommunication service infrastructures on a VoIP system Proceedings of the Second International Conference on New Technologies, Mobility and Security, Tangier, Morocco 2008 98 102
36. Ouedraogo, M.; 2011. Valuation and reporting of security assurance at operational systems level, PhD thesis School of Architecture, Computing and Engineering, University of East London, England, UK.
37. J.A. Pavlich-Mariscal, S.A. Demurjian, D. Laurent, and L.D. Michel A framework for security assurance of access control enforcement code Computers & Security 29 7 2010
38. M.A. Pervilä Using Nagios to monitor faults in a self-healing environment Seminar on Self-Healing Systems 2007 University of Helsinki
39. N. Pham, L. Baud, P. Bellot, and M. Riguidel A near real-time system for security assurance assessment Proceedings of the third International Conference on Internet Monitoring and Protection Bucharest, Romania 2008 152 160
40. Samhain. http://www.la-samhain.de/samhain/ (accessed 10.11.10).
41. R.M. Savola Towards a taxonomy for information security metrics Proceedings of International Conference on Software Engineering Advances Cap Esterel, France 2007
42. N. Seddigh, P. Pieda, A. Matrawy, B. Nandy, L. Lambadaris, and A. Hatfield Current trends and advances in information assurance metrics Proceedings of Privacy Security and Trust Conference 2004 197 205
43. Sheyner, O.M.; 2004. Scenario Graphs and Attack Graphs. PhD thesis School of Computer Science Carnegie Mellon University.
44. M.J. Skroch, J. McHugh, and J.M. Wiliams Information assurance metrics: prophecy, process, or pipedream? Panel workshop Proceedings of National Information System Security Conference Baltimore, USA 2000
45. SSE-CMM System Security Engineering Capability Maturity Model 1999 ISSEA VA
46. Stoneburner G.; 2000, Underlying Technical Models for Information Technology Security, National Institute of Standards and Technology, Special publication #800-33, Gaithersburg, MD.
47. Stoneburner, G.; Goguen, A.; Feringa, A.; 2002. Risk management guide for Information Technology systems, recommendations of the National Institute of Standards and Technology, NIST 800-30, Gaithersburg, MD.
48. E.A. Strunk, and J.C. Knight The essential synthesis of problem frames and assurance cases Proceedings of the Second International Workshop on Applications and Advances in Problem Frames 2006 ACM Press 81 86
49. Swanson, M.; Nadya, B.; Sabato, J.; Hash, J.; Graffo, L.; 2003. Security Metrics Guide for Information Technology Systems, NIST Special publication #800-55, Gaithersburg, MD.
50. A. Van Lamsweerde, and E. Letier Handling obstacles in goal-oriented requirements engineering IEEE Transactions on Software Engineering Special Issue on Exception Handling 26 10 2000 978 1005 (Pubitemid 32031734)
51. R.B. Vaughn, R. Henning, and A. Siraj Information assurance measures and metrics - state of practice and proposed taxonomy Proceedings of the IEEE/HICSS'03 Hawaii 2002
52. WISSSR - Workshop on Information, Security System Scoring and Ranking, 2001. Information System Security Attribute Quantification or Ordering (Commonly but improperly know as security metrics) - Workshop Proceedings, May 21-23, 2001, Williamsburg, VA.
53. A. Wool A quantitative study of firewall configuration errors Computer 37 6 2004 62 67
54. M. Wooldridge An Introduction to Multi-Agent Systems 2002 John Wiley & Sons Ltd. Chichester