A Security Assurance Model to Holistically Assess the Information Security Posture

  • Igli Tashi
  • Solange Ghernaouti-Hélie
Part of the Springer Optimization and Its Applications book series (SOIA, volume 41)


Managing Information Security (InfoSec) within an organization is becoming a very complex task. Currently, InfoSec Assessment is performed by using frameworks, methodologies, or standards which consider separately the elements related to security. Unfortunately, this is not necessarily effective because it does not take into consideration the necessity of having a global and systemic, multidimensional approach to ICT Security evaluation. This is mainly because the overall security level is only as strong as the weakest link. This chapter proposes a model aiming to holistically assess all dimensions of security in order to minimize the likelihood that a given threat takes advantage of the weakest link. Then a formalized structure taking into account all security elements is presented. The proposed model is based on, and integrates, a number of security best practices and standards that permit the definition of a reliable InfoSec framework. At this point an assessment process should be undertaken, the result of which will be the assurance that InfoSec is adequately managed within the organization. The added value of this model is that it is simple to implement and responds to concrete needs in terms of reliance upon efficient and dynamic evaluation tools and through a coherent evaluation system.


Information Security Maturity Model Security Requirement Security Level Maturity Level 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. B. Barafort, J.-P. Humbert, and S. Poggi, “Information security management and ISO/IEC 15504: the link opportunity between security and quality,” in Proceedings of The Sixth International Software Process Improvement and Capability Determination (SPICE) Conference, Luxembourg, 2006. Google Scholar
  2. K. Beznosov and P. Kruchten, “Towards agile security assurance,” in Proceedings of the 2004 workshop on New security paradigms, Nova Scotia, Canada, 2004, pp. 47–54. Google Scholar
  3. S. Butler, “Security attribute evaluation method: a cost-benefit approach,” in Proceedings of the 24th International Conference on Software Engineering, Orlando: ACM, 2002. Google Scholar
  4. T. Chamfrault and C. Durand, ITIL et la Gestion des Services—Méthodes, Mise en Oeuvre et Bonnes Pratiques. Paris: Dunod, 2006. Google Scholar
  5. S. Curkovic and M. Pagell, “A critical examination of the ability of ISO 9000 certification to lead to a competitive advantage,” Journal of Quality Management, vol. 4 (1), pp. 51–67, 1999. CrossRefGoogle Scholar
  6. W. DeLone and E. McLean, “Information systems success: the quest for the dependent variable,” Information Systems Research, vol. 3 (1), pp. 60–95, 1992. CrossRefGoogle Scholar
  7. W. DeLone and E. McLean, “The DeLone and McLean model of information system success: a ten-year update,” Journal of Management Information Systems, vol. 19 (4), pp. 9–30, 2003. Google Scholar
  8. Department_of_Defense_(USA), Department of Defense Trusted Computer System Evaluation Criteria (TCSEC), Washington, USA, 1985. Google Scholar
  9. S. Feldman, “Quality assurance: much more than testing,” ACM Queue, vol. 3 (1), pp. 26–29, 2005. CrossRefGoogle Scholar
  10. F. Gallegos, S. Senft, D. Manson, and C. Gonzales, Information Technology Control and Audit. Washington: Auerbach, 2004. Google Scholar
  11. S. G. Herrero, M. A. M. Saldana, M. A. M. d. Campo, and D. Ritzel, “From the traditional concept of safety management to safety integrated with quality” Journal of Safety Research, vol. 33 (1), pp. 1–20, 2002. CrossRefGoogle Scholar
  12. ISACA_&_ITGI, Control Objectives for Information and related Technology (COBIT), Information Systems Audit and Control Association and IT Governance Institute, 2007. [Online] Available at
  13. ISF-std, The Standard of Good Practice for Information Security, Information Security Forum, 2007. Google Scholar
  14. ISM3, “Information Security Management Maturity Model,” ISM3 Consortium, Madrid, Spain 2007. [Online] Available at
  15. ISO-Std. ISO/IEC 27002:2005, Information technology—Security techniques—Code of practice for information security management, International Organization for Standardization (ISO), Switzerland, 2005. Google Scholar
  16. ISO-Std. ISO/IEC 27001:2005 (E), Information Technology—Security Techniques—Information Security Management Systems—Requirements, International Organization for Standardization (ISO), Switzerland, 2005. Google Scholar
  17. ISO-Std. 9001:2000, Quality Management Systems—Requirements, International Organization for Standardization (ISO), Switzerland, 2000. Google Scholar
  18. ISO-Std. 9000:2005, Quality Management Systems—Fundamentals and Vocabulary, International Organization for Standardization (ISO), Switzerland, 2005. Google Scholar
  19. ISO-Std. ISO/IEC 15408:2005, Information technology—Security techniques—Evaluation criteria for IT security, Part 1: Introduction and general model, International Organization for Standardization (ISO), Switzerland, 2006a. Google Scholar
  20. ISO-Std. ISO/IEC 15408:2005, Information technology—Security techniques—Evaluation criteria for IT security, Part 2: Security functional components, International Organization for Standardization (ISO), Switzerland, 2006b. Google Scholar
  21. ISO-Std. ISO/IEC 15408:2005, Information technology—Security techniques—Evaluation criteria for IT security, Part 3: Security assurance components, International Organization for Standardization (ISO), Switzerland, 2006c. Google Scholar
  22. ISSEA. Systems Security Engineering Capability Maturity Model (SSE-CMM), International Systems Security Engineering Association (ISSEA), 2003. Google Scholar
  23. G. F. Jelen and J. R. Williams, “A practical approach to measuring assurance,” in Proceedings of 14th Annual Computer Security Applications Conference, 1998, pp. 333–343. Google Scholar
  24. S. Karapetrovic and W. Willborn, “Quality assurance and effectiveness of audit systems,” International Journal of Quality & Reliability Management, vol. 17 (6), pp. 679–703, 2000. CrossRefGoogle Scholar
  25. I. Koskosas, “Goal Setting and Trust in a Security Management Context,” Information Security Journal: A Global Perspective, vol. 17 (3), pp. 151–161, 2008. CrossRefGoogle Scholar
  26. M. Lamnabhi, Evaluer avec CMMI—Etape par Etape, Paris: AFNOR Editions, 2008. Google Scholar
  27. Y. W. Lee, D. M. Strong, B. K. Kahn, and R. Y. Wang, “AIMQ: a methodology for information quality assessment,” Information & Management, vol. 40 (2), pp. 133–146, 2002. CrossRefGoogle Scholar
  28. M. Ludwig-Becker, “Quality management principles as top team performance practices. ISO 9000 re-interpreted,” Team Performance and Management, vol. 5 (7), pp. 207–211, 1999. CrossRefGoogle Scholar
  29. S. Maynard and A. B. Ruighaver, “What makes a good information security policy: a preliminary framework for evaluating security policy quality,” in Proceedings of the 5th Annual Security Conference, Las Vegas, Nevada, USA, 2006. Google Scholar
  30. D. H. McKnight and N. L. Chervany, “What is trust? A conceptual analysis and an interdisciplinary model,” in Proceedings of the 2000 Americas Conference on Information Systems, California, USA, 2000, pp. 827–833. Google Scholar
  31. R. Mercuri, “Standards insecurity,” Communications of the ACM, vol. 46 (12), pp. 21–25, 2003. CrossRefGoogle Scholar
  32. M. Merkow and J. Breithaupt, Computer Security Assurance Using the Common Criteria. New York: Thomson Delmar Learning, 2005. Google Scholar
  33. OECD, “OECD Guidelines for the Security of Information Systems and Networks Towards a Culture of Security,” Organisation for Economic Co-operation and Development, Paris, 2002. [Online] Available at,3343,en_21571361_36139259_15582250_1_1_1_1,00.html
  34. Office_for_Official_Publications_of_the_European_Communities, Information Technology Security Evaluation Criteria (ITSEC), Luxembourg, 1991. Google Scholar
  35. G. J. van der Pijl, G. J. P. Swinkels, and J. G. Verrijdt, “ISO 9000 versus CMM: standardization and certification of IS development,” Information & Management, vol. 32 (6), pp. 267–274, 1997. CrossRefGoogle Scholar
  36. P. Ragozzino, “IS quality—what is it?,” Journal of Systems Management, vol. 41 (11), pp. 15–16, 1990. Google Scholar
  37. A. Q. Scheuing, K. Frühauf, and W. Schwarz, “Maturity model for IT operations (MITO),” in Proceeding of the 2ndWorld Congress on Software Quality, Yokahoma, Japan, 2000. Google Scholar
  38. J. Slay, “IS Security, trust and culture: a theoretical framework for managing IS security in multicultural settings,” Campus-Wide Information Systems, vol. 20 (3), pp. 98–104, 2003. CrossRefGoogle Scholar
  39. I. Tashi and S. Ghernaouti-Hélie, “La certification comme référentiel de classification da la sécurité,” in Proceedings of the AFME Colloque—Association Francophone de Management Electronique, Montréal, Canada, 2006, CD-ROM, Alphabetical list of the communications. Google Scholar
  40. I. Tashi and S. Ghernaouti-Hélie, “ISO security standards as a leverage on IT Security Management,” in Proceedings of 13th Americas Conference on Information Systems (AMCIS), Colorado, USA, 2007, Paper 63. Google Scholar
  41. I. Tashi and S. Ghernaouti-Hélie, “Regulatory Compliance and Information Security Assurance,” in The First International Workshop on Global Information Security for an Inclusive Information Society (GloSec), The International Dependability Conference (ARES), Fukuoka, Japan, 2009, pp. 670–674. Google Scholar
  42. U.S.NRC, “Quality assurance criteria for nuclear power plants and fuel reprocessing plants,” in RC Regulations Title 10, Code of Federal Regulations: Requirements Binding on all Persons and Organizations Who Receive a License from NRC to Use Nuclear Materials or Operate Nuclear Facilities, United.States_Nuclear_Regulatory_Commission, Ed., 2000. Google Scholar
  43. I. Verbauwhede and P. Schaumont, “Design methods for security and trust,” in The Proceedings of the Conference on Design, Automation and Test in Europe, Nice, France, 2007, pp. 672–677. Google Scholar
  44. J. Williams and G. Jelen, “A Framework for Reasoning about Assurance,” NSA, 1998. [Online]. Available at
  45. J. Williams, J. Sachs, D. Landoll, and D. Carpenter, “Assurance is an N-space, where N is hopefully small,” in Proceedings of International Invitational Workshop on Developmental Assurance, 1994. Google Scholar
  46. J. R. Williams and G. F. Jelen, “A practical approach to improving and communicating assurance,” in Proceedings of the 11 th Annual Canadian Information Technology Security Symposium, 1999. Google Scholar
  47. Z. Yan and S. Holtmanns, “Trust modeling and management: from social trust to digital trust,” in Computer Security, Privacy and Politics: Current Issues, Challenges and Solutions, IGI Global, 2007. Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  1. 1.Faculty of Business and EconomicsUniversity of LausanneLausanneSwitzerland

Personalised recommendations