Abstract
A modern information technology (IT) system may consist of thousands of servers, software components and other devices. The operational security of such a system is usually measured by its compliance with a set of security policies. However, there is no generally accepted method of assessing the risk-aware compliance of an IT system with a given set of security policies. The current practice is to state the fraction of non-compliant systems, regardless of the varying levels of risk associated with violations of the individual policies and the time windows during which those violations are exposed. We propose a new metric that takes into account the risk of non-compliance along with the number and duration of violations. This metric expresses a risk-aware compliance posture as a single number. It is used to determine a course of remediation that returns the system to an acceptable level of risk while minimizing the cost of remediation and observing both the physical constraints on the system and the limited human labor available. The metric may also be used during normal operation of the IT system, alerting operators to potential security breaches in a timely manner.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Coffman, D., Agrawal, B., Schaffa, F. (2013). Towards Optimal Risk-Aware Security Compliance of a Large IT System. In: Basu, S., Pautasso, C., Zhang, L., Fu, X. (eds) Service-Oriented Computing. ICSOC 2013. Lecture Notes in Computer Science, vol 8274. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-45005-1_55
DOI: https://doi.org/10.1007/978-3-642-45005-1_55
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-45004-4
Online ISBN: 978-3-642-45005-1
eBook Packages: Computer Science (R0)