Information Systems Security Criticality and Assurance Evaluation

  • Moussa Ouedraogo
  • Haralambos Mouratidis
  • Eric Dubois
  • Djamel Khadraoui
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6059)


A prerequisite to implement effective and efficient Information Systems security measures is to have a clear understanding of both, the business that the system will support and the importance of the system in the operating environment. Similarly, the evaluation of one’s confidence in the deployed safeguarding measures, to adequately protect system assets, requires a better understanding of the security criticality of the system within its context of use (i.e. where is the system used and what for?). This paper proposes metrics as well as a methodology for the evaluation of operational systems security assurance. A critical feature of our approach is that assurance level is dependent on the measurement of security correctness and system security criticality. To that extend, we also propose a novel classification scheme for Information Systems based on their security criticality. Our work is illustrated with an application based on the case study of a Domain Name Server (DNS).


Security assurance criticality security verification Multi-agent systems 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Le Grand, C.H.: Software security assurance: A framework for software vulnerability management and audit. CHL Global Associates and Ounce Labs, Inc. (2005)Google Scholar
  2. 2.
    Jansen, W.: Directions in Security Metrics Research. National Institute of Standards and Technology Special publication# NISTIR 7564 (2009)Google Scholar
  3. 3.
    Vaughn, R.B., Henning, R., Siraj, A.: Information Assurance Measures and Metrics – State of Practice and Proposed Taxonomy. In: Proceedings of the IEEE/HICSS 2003, Hawaii (2002)Google Scholar
  4. 4.
    Seddigh, N., Pieda, P., Matrawy, A., Nandy, B., Lambadaris, L., Hatfield, A.: Current Trends and Advances in Information Assurance Metrics. In: Proc. of PST 2004, pp. 197–205 (2004)Google Scholar
  5. 5.
    Savola, R.M.: Towards a Taxonomy for Information Security Metrics. In: International Conference on Software Engineering Advances (ICSEA 2007), Cap Esterel, France (2007)Google Scholar
  6. 6.
    Common Criteria for information Technology, part 1-3, version 3.1 (September 2006) Google Scholar
  7. 7.
    Stoneburner, G.: Underlying Technical Models for Information Technology Security, National Institute of Standards and technology Special publication #800-33 (2001)Google Scholar
  8. 8.
    Mouratidis, H., Giorgini, P.: Secure Tropos: A Security-Oriented Extension of the Tropos methodology. International Journal of Software Engineering and Knowledge Engineering (IJSEKE) 17(2), 285–309 (2007)CrossRefGoogle Scholar
  9. 9.
    Jürjens, J.: Secure Systems Development with UML. Springer, Berlin (2005)zbMATHGoogle Scholar
  10. 10.
    Bulut, E., Khadraoui, D., Marquet, B.: Multi-Agent based security assurance monitoring system for telecommunication infrastructures. In: Proceedings to the Communication, Network, and Information Security conference, Berkely/California (2007)Google Scholar
  11. 11.
    Bugyo project, (accessed: March 8, 2009)
  12. 12.
    Evans, D.L., Bond, P.J., Bement, A.L.: Standards for Security categorization of Federal Information And Information Systems. NIST Gaithersburg, MD 20899-8900 (2004)Google Scholar
  13. 13.
    Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE), Carnegie Mellon - Software Engineering Institute (June 1999)Google Scholar
  14. 14.
    CRAMM, CCTA Risk Analysis and Management Method,
  15. 15.
    OLF Guideline No 123: Classification of process control, safety and support ICT systems based on criticality, Norway (2009) Google Scholar
  16. 16.
    Ouedraogo, M., Mouratidis, H., Khadraoui, D., Dubois, E.: A probe capability metric taxonomy for assurance evaluation. In: Proceedings of UEL 5th conference on Advances in Computing and Technology Conference (AC&T), England (2010)Google Scholar
  17. 17.
    Wooldridge, M.: An Introduction to Multi-Agent Systems. John Wiley & Sons, Chichester (2002)Google Scholar
  18. 18.
    Jennings, N.R.: An agent-based software engineering. In: Garijo, F.J., Boman, M. (eds.) MAAMAW 1999. LNCS, vol. 1647. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  19. 19.
    JADE, (accessed: March 10, 2008)
  20. 20.
    Samhain, (accessed: March 10, 2008)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Moussa Ouedraogo
    • 1
    • 2
  • Haralambos Mouratidis
    • 2
  • Eric Dubois
    • 1
  • Djamel Khadraoui
    • 1
  1. 1.Public Research Center Henri TudorKirchbergLuxembourg
  2. 2.School of Computing, IT and EngineeringUniversity of East LondonEngland

Personalised recommendations