Abstract
Managing the computer security of an institution requires an evaluation phase, and the most common way to carry out this evaluation is to use a set of metrics. Since every information system needs an authentication mechanism, and the most widely used mechanisms are those based on passwords, in this article we propose a set of metrics for password management policies based on the most significant factors in this authentication mechanism. Together with the metrics, we propose a quality indicator derived from them that gives a global view of the quality of the password management policy in use, and a complete worked example of the calculation of the proposed metrics. Finally, we indicate the future work needed to check the validity and usefulness of the proposed metrics.
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Villarrubia, C., Fernández-Medina, E., Piattini, M. (2006). Metrics of Password Management Policy. In: Gavrilova, M., et al. Computational Science and Its Applications - ICCSA 2006. ICCSA 2006. Lecture Notes in Computer Science, vol 3982. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11751595_106
DOI: https://doi.org/10.1007/11751595_106
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-34075-1
Online ISBN: 978-3-540-34076-8