Abstract
Information security evaluation of software-intensive systems typically relies heavily on the experience of the security professionals. Obviously, automated approaches are needed in this field. Unfortunately, there is no practical approach to carrying out security evaluation in a systematic way. We introduce a general-level holistic framework for security evaluation based on security behaviour modelling and security evidence collection, and discuss its applicability to the design of security evaluation experimentation set-ups in real-world systems.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Avizienis, A., Laprie, J.-C., Randell, B., Landwehr, C.: Basic Concepts and Taxonomy of Dependable and Secure Computing. IEEE Transactions on Dependable and Secure Computing 1(1), 11–33 (2004)
Brocklehurst, S., Littlewood, B., Olovsson, T., Jonsson, E.: On Measurement on Operational Security. IEEE AES Systems Magazine, 7–15 (October 1994)
Firesmith, D.G.: Analyzing the Security Significance of System Requirements. In: Symposium on Requirements Engineering for Information Security (SREIS), Paris, August 25 (2005)
Greenwald, M., Gunter, C., Knutsson, B., Seedrov, A., Smith, J., Zdancewic, S.: Computer Security is not a Science (but it should be). In: Large-Scale Network Security Workshop, Landsdowne, VA, March 13-14 (2003)
Haley, C.B., Laney, R.C., Moffett, J.D., Nuseibeh, B.: Using Trust Assumptions in Security Requirements Engineering. In: 2nd International iTrust Workshop on Trust Management in Dynamic Open Systems, September 15-17, Imperial College, London, UK (2003)
Haley, C.B., Laney, R.C., Nuseibeh, B.: Deriving Security Requirements from Crosscutting Threat Descriptions. In: AOSD 2004, March, Lancaster, UK (2004)
ISO/IEC 15408: Common Criteria for Information Technology Security Evaluation, Version 2.2 (2004)
ISO/IEC 21827: Information Technology – Systems Security Engineering – Capability Maturity Model (SSE-CMM) (2002)
Jonsson, E.: Dependability and Security Modelling and Metrics, Lecture Slides, Chalmers University of Technology, Sweden (2003)
Jürjens, J.: UMLSec: Extending UML for Secure Systems Development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002)
Kajava, J., Savola, R.: Weak Signals in Information Security Management. In: Hao, Y., Liu, J., Wang, Y.-P., Cheung, Y.-m., Yin, H., Jiao, L., Ma, J., Jiao, Y.-C. (eds.) CIS 2005. LNCS (LNAI), vol. 3802, pp. 508–517. Springer, Heidelberg (2005)
McDermid, J.A., Shi, Q.: A Formal Approach for Security Evaluation. In: Proceedings of the 7th Annual Conference on Computer Assurance, Systems Integrity, Software Safety, Process Security, pp. 47–55 (1992)
Nicol, D., Sanders, W.H., Trivedi, K.S.: Model-Based Evaluation: From Dependability to Security. IEEE Transactions on Dependable and Secure Computing 1(1), 48–65 (2004)
Priebe, T., Fernandez, E.B., Mehlau, J.I., Pernul: A Pattern System for Access Control. In: 18th Annual IFIP WG 11.3 Conf. on Data and Applications Security, Sitges, Spain, pp. 235–249 (2004)
Schneier, B.: Attack Trees. Doctor Dobb’s Journal, 21–29 (December 1999)
Schumacher, M., Roedig, U.: Security Engineering with Patterns. In: Pattern Languages of Programs, September 11-15, Monticello, Illinois (2001)
Trusted Computer System Evaluation Criteria, “Orange Book”, U.S. Department of Defense Standard, DoD 5200.28-std (1985)
Voas, J.: Why is it so Hard to Predict Software System Trustworthiness from Sofware Component Trustworthiness? In: Proceedings of the 20th IEEE Symposium on Reliable Distributed Systems (2001)
Voas, J., Ghosh, A., McGraw, G., Charron, F., Miller, K.: Defining an Adaptive Software Security Metric from a Dynamic Software Failure Tolerance Measure. In: Proceedings of the 11th Annual Conference on Computer Assurance, Systems Integrity, Software Safety, Process Security (1996)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Savola, R. (2006). A Requirement Centric Framework for Information Security Evaluation. In: Yoshiura, H., Sakurai, K., Rannenberg, K., Murayama, Y., Kawamura, S. (eds) Advances in Information and Computer Security. IWSEC 2006. Lecture Notes in Computer Science, vol 4266. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11908739_4
Download citation
DOI: https://doi.org/10.1007/11908739_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-47699-3
Online ISBN: 978-3-540-47700-6
eBook Packages: Computer ScienceComputer Science (R0)