Skip to main content
SpringerLink
Log in

A Requirement Centric Framework for Information Security Evaluation

  • Conference paper
Advances in Information and Computer Security (IWSEC 2006)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4266))

Included in the following conference series:

Abstract

Information security evaluation of software-intensive systems typically relies heavily on the experience of the security professionals. Obviously, automated approaches are needed in this field. Unfortunately, there is no practical approach to carrying out security evaluation in a systematic way. We introduce a general-level holistic framework for security evaluation based on security behaviour modelling and security evidence collection, and discuss its applicability to the design of security evaluation experimentation set-ups in real-world systems.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Avizienis, A., Laprie, J.-C., Randell, B., Landwehr, C.: Basic Concepts and Taxonomy of Dependable and Secure Computing. IEEE Transactions on Dependable and Secure Computing 1(1), 11–33 (2004)

    Article  Google Scholar 

  2. Brocklehurst, S., Littlewood, B., Olovsson, T., Jonsson, E.: On Measurement on Operational Security. IEEE AES Systems Magazine, 7–15 (October 1994)

    Google Scholar 

  3. Firesmith, D.G.: Analyzing the Security Significance of System Requirements. In: Symposium on Requirements Engineering for Information Security (SREIS), Paris, August 25 (2005)

    Google Scholar 

  4. Greenwald, M., Gunter, C., Knutsson, B., Seedrov, A., Smith, J., Zdancewic, S.: Computer Security is not a Science (but it should be). In: Large-Scale Network Security Workshop, Landsdowne, VA, March 13-14 (2003)

    Google Scholar 

  5. Haley, C.B., Laney, R.C., Moffett, J.D., Nuseibeh, B.: Using Trust Assumptions in Security Requirements Engineering. In: 2nd International iTrust Workshop on Trust Management in Dynamic Open Systems, September 15-17, Imperial College, London, UK (2003)

    Google Scholar 

  6. Haley, C.B., Laney, R.C., Nuseibeh, B.: Deriving Security Requirements from Crosscutting Threat Descriptions. In: AOSD 2004, March, Lancaster, UK (2004)

    Google Scholar 

  7. ISO/IEC 15408: Common Criteria for Information Technology Security Evaluation, Version 2.2 (2004)

    Google Scholar 

  8. ISO/IEC 21827: Information Technology – Systems Security Engineering – Capability Maturity Model (SSE-CMM) (2002)

    Google Scholar 

  9. Jonsson, E.: Dependability and Security Modelling and Metrics, Lecture Slides, Chalmers University of Technology, Sweden (2003)

    Google Scholar 

  10. Jürjens, J.: UMLSec: Extending UML for Secure Systems Development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002)

    Google Scholar 

  11. Kajava, J., Savola, R.: Weak Signals in Information Security Management. In: Hao, Y., Liu, J., Wang, Y.-P., Cheung, Y.-m., Yin, H., Jiao, L., Ma, J., Jiao, Y.-C. (eds.) CIS 2005. LNCS (LNAI), vol. 3802, pp. 508–517. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  12. McDermid, J.A., Shi, Q.: A Formal Approach for Security Evaluation. In: Proceedings of the 7th Annual Conference on Computer Assurance, Systems Integrity, Software Safety, Process Security, pp. 47–55 (1992)

    Google Scholar 

  13. Nicol, D., Sanders, W.H., Trivedi, K.S.: Model-Based Evaluation: From Dependability to Security. IEEE Transactions on Dependable and Secure Computing 1(1), 48–65 (2004)

    Article  Google Scholar 

  14. Priebe, T., Fernandez, E.B., Mehlau, J.I., Pernul: A Pattern System for Access Control. In: 18th Annual IFIP WG 11.3 Conf. on Data and Applications Security, Sitges, Spain, pp. 235–249 (2004)

    Google Scholar 

  15. Schneier, B.: Attack Trees. Doctor Dobb’s Journal, 21–29 (December 1999)

    Google Scholar 

  16. Schumacher, M., Roedig, U.: Security Engineering with Patterns. In: Pattern Languages of Programs, September 11-15, Monticello, Illinois (2001)

    Google Scholar 

  17. Trusted Computer System Evaluation Criteria, “Orange Book”, U.S. Department of Defense Standard, DoD 5200.28-std (1985)

    Google Scholar 

  18. Voas, J.: Why is it so Hard to Predict Software System Trustworthiness from Sofware Component Trustworthiness? In: Proceedings of the 20th IEEE Symposium on Reliable Distributed Systems (2001)

    Google Scholar 

  19. Voas, J., Ghosh, A., McGraw, G., Charron, F., Miller, K.: Defining an Adaptive Software Security Metric from a Dynamic Software Failure Tolerance Measure. In: Proceedings of the 11th Annual Conference on Computer Assurance, Systems Integrity, Software Safety, Process Security (1996)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. VTT Technical Research Centre of Finland, Kaitoväylä 1, 90570, Oulu, Finland

    Reijo Savola

Authors
  1. Reijo Savola
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Faculty of Electro-Communication, The University of Electro-Communications, 1-5-1, Chofugaoka, P.O. Box, 182-8585, Chofu, Japan

    Hiroshi Yoshiura

  2. Department of Computer Science, Communication Engineering, Kyushu University, 812-0053, Fukuoka, Japan

    Kouichi Sakurai

  3. Institute of Business Informatics, Goethe University Frankfurt, Frankfurt/Main, Germany

    Kai Rannenberg

  4. Faculty of Software and Information Science, Iwate Prefectural University, 152-52 Sugo, Takizawa, Takizawa-mura, 020-0193, Iwate, Japan

    Yuko Murayama

  5. Toshiba Corporation, 1, Komukai Toshiba-cho, Saiwai-ku, P.O. Box, 212-8582, Kawasaki, Japan

    Shinichi Kawamura

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Savola, R. (2006). A Requirement Centric Framework for Information Security Evaluation. In: Yoshiura, H., Sakurai, K., Rannenberg, K., Murayama, Y., Kawamura, S. (eds) Advances in Information and Computer Security. IWSEC 2006. Lecture Notes in Computer Science, vol 4266. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11908739_4

Download citation

  • DOI: https://doi.org/10.1007/11908739_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-47699-3

  • Online ISBN: 978-3-540-47700-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation