Towards Optimal Risk-Aware Security Compliance of a Large IT System

  • Daniel Coffman
  • Bhavna Agrawal
  • Frank Schaffa
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8274)


A modern information technology (IT) system may consist of thousands of servers, software components and other devices. The operational security of such a system is usually measured by its compliance with a set of security policies. However, there is no generally accepted method of assessing the risk-aware compliance of an IT system with a given set of security policies. Current practice is to report the fraction of non-compliant systems, regardless of the varying levels of risk associated with violations of different policies and of how long each violation has been exposed. We propose a new metric that accounts for the risk of non-compliance together with the number and duration of violations, and so expresses the risk-aware compliance posture as a single number. The metric is used to determine a course of remediation that returns the system to an acceptable level of risk while minimizing the cost of remediation and observing the physical constraints on the system and the limited human labor available. It can also be used during normal operation of the IT system, alerting operators to potential security breaches in a timely manner.
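As an added illustration of the idea in the abstract (this is not code from the paper; the metric form, the per-policy risk weights, the assessment window and the sample violations are all assumptions), the following Python contrasts the naive non-compliant fraction with a risk- and duration-weighted posture, then picks the cheapest remediation set that brings residual exposure under a target without exceeding a labor budget:

```python
"""Illustrative risk-weighted compliance metric and budgeted remediation.

Added example. The metric shape (risk weight x hours exposed), its
normalisation, the weights and the sample data are assumptions, not the
paper's actual definitions.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Violation:
    host: str
    policy: str
    exposure_hours: float  # how long the violation has been open
    fix_hours: float       # human labor needed to remediate
    fix_cost: float        # other remediation cost (downtime, licences, ...)


# Assumed per-policy risk weights in [0, 1], e.g. derived from a CVSS-like rating.
POLICY_RISK: Dict[str, float] = {
    "patch-critical": 1.0,
    "ssh-root-login": 0.7,
    "password-age": 0.2,
}

HOSTS: List[str] = ["web1", "web2", "db1", "app1", "app2"]
WINDOW_HOURS = 14 * 24  # assessment window over which exposure is measured

# Constructed sample data: four of five hosts have an open violation.
VIOLATIONS: List[Violation] = [
    Violation("web1", "patch-critical", 48, 2.0, 200),
    Violation("web2", "password-age", 200, 0.5, 20),
    Violation("db1", "ssh-root-login", 24, 1.0, 50),
    Violation("app1", "password-age", 300, 0.5, 20),
]


def naive_noncompliant_fraction(hosts: Iterable[str], violations: Iterable[Violation]) -> float:
    """Current practice: share of hosts with at least one open violation."""
    hosts = list(hosts)
    return len({v.host for v in violations}) / len(hosts)


def risk_exposure(violations: Iterable[Violation]) -> float:
    """Risk-weighted exposure: sum of risk weight x hours the violation was open."""
    return sum(POLICY_RISK[v.policy] * v.exposure_hours for v in violations)


def risk_aware_compliance(hosts: Iterable[str], violations: Iterable[Violation],
                          window_hours: float = WINDOW_HOURS) -> float:
    """Single-number posture in [0, 1]: 1 minus exposure normalised by the
    worst case (every host violating every policy for the whole window)."""
    hosts = list(hosts)
    worst = len(hosts) * window_hours * sum(POLICY_RISK.values())
    return 1.0 - risk_exposure(violations) / worst


def plan_remediation(violations: List[Violation], labor_budget_hours: float,
                     max_residual_exposure: float
                     ) -> Optional[Tuple[FrozenSet[Tuple[str, str]], float]]:
    """Cheapest subset of fixes whose residual risk exposure is at or below the
    target and whose total labor fits the budget. Exhaustive search is fine for
    a handful of violations; at fleet scale this is an integer program."""
    best: Optional[Tuple[FrozenSet[Tuple[str, str]], float]] = None
    for k in range(len(violations) + 1):
        for subset in combinations(violations, k):
            if sum(v.fix_hours for v in subset) > labor_budget_hours:
                continue
            remaining = [v for v in violations if v not in subset]
            if risk_exposure(remaining) > max_residual_exposure:
                continue
            cost = sum(v.fix_cost for v in subset)
            if best is None or cost < best[1]:
                best = (frozenset((v.host, v.policy) for v in subset), cost)
    return best


if __name__ == "__main__":
    print("naive non-compliant fraction:", naive_noncompliant_fraction(HOSTS, VIOLATIONS))
    print("risk-weighted exposure (risk x hours):", round(risk_exposure(VIOLATIONS), 1))
    print("risk-aware posture:", round(risk_aware_compliance(HOSTS, VIOLATIONS), 4))
    print("plan (2.5 h labor, residual <= 60):", plan_remediation(VIOLATIONS, 2.5, 60.0))
```

On this data the naive view says 80% of hosts are non-compliant, while the weighted posture is about 0.948. The optimiser then prefers the three cheap, long-standing, low-risk fixes over the single critical patch, because duration dominates the weighting. That is a property to check before trusting such a metric operationally: either choose weights and window so the ranking matches real priorities, or pair the metric with a hard rule that critical-policy violations are always remediated.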


Keywords

Risk-aware compliance; cloud computing; compliance metrics; compliance optimization



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Daniel Coffman (1)
  • Bhavna Agrawal (2)
  • Frank Schaffa (2)
  1. Walker Digital LLC, Stamford, USA
  2. IBM T. J. Watson Research Center, USA
