Taxonomy of quality metrics for assessing assurance of security correctness
Identifieur interne : 002625 ( Main/Exploration ); précédent : 002624; suivant : 002626Taxonomy of quality metrics for assessing assurance of security correctness
Auteurs : Moussa Ouedraogo [Luxembourg (pays), Royaume-Uni] ; Reijo M. Savola [Finlande] ; Haralambos Mouratidis [Royaume-Uni] ; David Preston [Royaume-Uni] ; Djamel Khadraoui [Luxembourg (pays)] ; Eric Dubois [Luxembourg (pays)]Source :
- Software Quality Journal [ 0963-9314 ] ; 2013-03-01.
English descriptors
- KwdEn :
Abstract
Abstract: Assurance is commonly considered as “something said or done to inspire confidence” (Webster dictionary). However, the level of confidence inspired from a statement or an action depends on the quality of its source. Similarly, the assurance that the deployed security mechanisms exhibit an appropriate posture depends on the quality of the verification process adopted. This paper presents a novel taxonomy of quality metrics pertinent for gaining assurance in a security verification process. Inspired by the systems security engineering capability maturity model and the common criteria, we introduce five ordinal quality levels for a verification process aimed at probing the correctness of runtime security mechanisms. In addition, we analyse the mapping between the quality levels and different capability levels of the following verification metrics families: coverage, rigour, depth and independence of verification. The quality taxonomy is part of a framework for the Security Assurance of operational systems. These metrics can also be used for gaining assurance in other areas such as legal and safety compliance. Furthermore, the resulting metrics taxonomy could, by identifying appropriate quality security requirements, assist manufacturers of information technology (IT) in developing their products or systems. Additionally, the taxonomy could also empower consumers in IT security product selection to efficaciously and effectively match their organisational needs, while IT security evaluators can use it as a reference point when forming judgments about the quality of a security product. We demonstrate the applicability of the proposed taxonomy through access control examples.
Url:
DOI: 10.1007/s11219-011-9169-0
Affiliations:
Links toward previous steps (curation, corpus...)
- to stream Istex, to step Corpus: 000407
- to stream Istex, to step Curation: 000405
- to stream Istex, to step Checkpoint: 000525
- to stream Main, to step Merge: 002667
- to stream Main, to step Curation: 002625
Le document en format XML
<record><TEI wicri:istexFullTextTei="biblStruct"><teiHeader><fileDesc><titleStmt><title xml:lang="en">Taxonomy of quality metrics for assessing assurance of security correctness</title><author><name sortKey="Ouedraogo, Moussa" sort="Ouedraogo, Moussa" uniqKey="Ouedraogo M" first="Moussa" last="Ouedraogo">Moussa Ouedraogo</name></author><author><name sortKey="Savola, Reijo M" sort="Savola, Reijo M" uniqKey="Savola R" first="Reijo M." last="Savola">Reijo M. Savola</name></author><author><name sortKey="Mouratidis, Haralambos" sort="Mouratidis, Haralambos" uniqKey="Mouratidis H" first="Haralambos" last="Mouratidis">Haralambos Mouratidis</name></author><author><name sortKey="Preston, David" sort="Preston, David" uniqKey="Preston D" first="David" last="Preston">David Preston</name></author><author><name sortKey="Khadraoui, Djamel" sort="Khadraoui, Djamel" uniqKey="Khadraoui D" first="Djamel" last="Khadraoui">Djamel Khadraoui</name></author><author><name sortKey="Dubois, Eric" sort="Dubois, Eric" uniqKey="Dubois E" first="Eric" last="Dubois">Eric Dubois</name></author></titleStmt><publicationStmt><idno type="wicri:source">ISTEX</idno><idno type="RBID">ISTEX:12410B0AD1BC00D72B5866ED5D25B5E190E69A5D</idno><date when="2011" year="2011">2011</date><idno type="doi">10.1007/s11219-011-9169-0</idno><idno type="url">https://api.istex.fr/ark:/67375/VQC-X9P1NRH5-2/fulltext.pdf</idno><idno type="wicri:Area/Istex/Corpus">000407</idno><idno type="wicri:explorRef" wicri:stream="Istex" wicri:step="Corpus" wicri:corpus="ISTEX">000407</idno><idno type="wicri:Area/Istex/Curation">000405</idno><idno type="wicri:Area/Istex/Checkpoint">000525</idno><idno type="wicri:explorRef" wicri:stream="Istex" wicri:step="Checkpoint">000525</idno><idno type="wicri:doubleKey">0963-9314:2011:Ouedraogo M:taxonomy:of:quality</idno><idno type="wicri:Area/Main/Merge">002667</idno><idno type="wicri:Area/Main/Curation">002625</idno><idno type="wicri:Area/Main/Exploration">002625</idno></publicationStmt><sourceDesc><biblStruct><analytic><title level="a" type="main" xml:lang="en">Taxonomy of quality metrics for assessing assurance of security correctness</title><author><name sortKey="Ouedraogo, Moussa" sort="Ouedraogo, Moussa" uniqKey="Ouedraogo M" first="Moussa" last="Ouedraogo">Moussa Ouedraogo</name><affiliation wicri:level="1"><country xml:lang="fr">Luxembourg (pays)</country><wicri:regionArea>Service Science and Innovation Department (SSI), Public Research Center Henri Tudor, 1855, Kirchberg</wicri:regionArea><wicri:noRegion>Kirchberg</wicri:noRegion></affiliation><affiliation wicri:level="3"><country xml:lang="fr">Royaume-Uni</country><wicri:regionArea>School of Architecture, Computing and Engineering, University of East London, London</wicri:regionArea><placeName><settlement type="city">Londres</settlement><region type="country">Angleterre</region><region type="région" nuts="1">Grand Londres</region></placeName></affiliation><affiliation wicri:level="1"><country wicri:rule="url">Luxembourg (pays)</country></affiliation></author><author><name sortKey="Savola, Reijo M" sort="Savola, Reijo M" uniqKey="Savola R" first="Reijo M." last="Savola">Reijo M. Savola</name><affiliation wicri:level="1"><country xml:lang="fr">Finlande</country><wicri:regionArea>VTT Technical Research Centre of Finland, Oulu</wicri:regionArea><wicri:noRegion>Oulu</wicri:noRegion></affiliation><affiliation wicri:level="1"><country wicri:rule="url">Finlande</country></affiliation></author><author><name sortKey="Mouratidis, Haralambos" sort="Mouratidis, Haralambos" uniqKey="Mouratidis H" first="Haralambos" last="Mouratidis">Haralambos Mouratidis</name><affiliation wicri:level="3"><country xml:lang="fr">Royaume-Uni</country><wicri:regionArea>School of Architecture, Computing and Engineering, University of East London, London</wicri:regionArea><placeName><settlement type="city">Londres</settlement><region type="country">Angleterre</region><region type="région" nuts="1">Grand Londres</region></placeName></affiliation><affiliation wicri:level="1"><country wicri:rule="url">Royaume-Uni</country></affiliation></author><author><name sortKey="Preston, David" sort="Preston, David" uniqKey="Preston D" first="David" last="Preston">David Preston</name><affiliation wicri:level="3"><country xml:lang="fr">Royaume-Uni</country><wicri:regionArea>School of Architecture, Computing and Engineering, University of East London, London</wicri:regionArea><placeName><settlement type="city">Londres</settlement><region type="country">Angleterre</region><region type="région" nuts="1">Grand Londres</region></placeName></affiliation><affiliation wicri:level="1"><country wicri:rule="url">Royaume-Uni</country></affiliation></author><author><name sortKey="Khadraoui, Djamel" sort="Khadraoui, Djamel" uniqKey="Khadraoui D" first="Djamel" last="Khadraoui">Djamel Khadraoui</name><affiliation wicri:level="1"><country xml:lang="fr">Luxembourg (pays)</country><wicri:regionArea>Service Science and Innovation Department (SSI), Public Research Center Henri Tudor, 1855, Kirchberg</wicri:regionArea><wicri:noRegion>Kirchberg</wicri:noRegion></affiliation><affiliation wicri:level="1"><country wicri:rule="url">Luxembourg (pays)</country></affiliation></author><author><name sortKey="Dubois, Eric" sort="Dubois, Eric" uniqKey="Dubois E" first="Eric" last="Dubois">Eric Dubois</name><affiliation wicri:level="1"><country xml:lang="fr">Luxembourg (pays)</country><wicri:regionArea>Service Science and Innovation Department (SSI), Public Research Center Henri Tudor, 1855, Kirchberg</wicri:regionArea><wicri:noRegion>Kirchberg</wicri:noRegion></affiliation><affiliation wicri:level="1"><country wicri:rule="url">Luxembourg (pays)</country></affiliation></author></analytic><monogr></monogr><series><title level="j">Software Quality Journal</title><title level="j" type="abbrev">Software Qual J</title><idno type="ISSN">0963-9314</idno><idno type="eISSN">1573-1367</idno><imprint><publisher>Springer US; http://www.springer-ny.com</publisher><pubPlace>Boston</pubPlace><date type="published" when="2013-03-01">2013-03-01</date><biblScope unit="volume">21</biblScope><biblScope unit="issue">1</biblScope><biblScope unit="page" from="67">67</biblScope><biblScope unit="page" to="97">97</biblScope></imprint><idno type="ISSN">0963-9314</idno></series></biblStruct></sourceDesc><seriesStmt><idno type="ISSN">0963-9314</idno></seriesStmt></fileDesc><profileDesc><textClass><keywords scheme="KwdEn" xml:lang="en"><term>Correctness measurement</term><term>Metrics</term><term>Security Assurance</term><term>Security verification process</term><term>Software probe quality</term><term>Verification quality</term></keywords></textClass><langUsage><language ident="en">en</language></langUsage></profileDesc></teiHeader><front><div type="abstract" xml:lang="en">Abstract: Assurance is commonly considered as “something said or done to inspire confidence” (Webster dictionary). However, the level of confidence inspired from a statement or an action depends on the quality of its source. Similarly, the assurance that the deployed security mechanisms exhibit an appropriate posture depends on the quality of the verification process adopted. This paper presents a novel taxonomy of quality metrics pertinent for gaining assurance in a security verification process. Inspired by the systems security engineering capability maturity model and the common criteria, we introduce five ordinal quality levels for a verification process aimed at probing the correctness of runtime security mechanisms. In addition, we analyse the mapping between the quality levels and different capability levels of the following verification metrics families: coverage, rigour, depth and independence of verification. The quality taxonomy is part of a framework for the Security Assurance of operational systems. These metrics can also be used for gaining assurance in other areas such as legal and safety compliance. Furthermore, the resulting metrics taxonomy could, by identifying appropriate quality security requirements, assist manufacturers of information technology (IT) in developing their products or systems. Additionally, the taxonomy could also empower consumers in IT security product selection to efficaciously and effectively match their organisational needs, while IT security evaluators can use it as a reference point when forming judgments about the quality of a security product. We demonstrate the applicability of the proposed taxonomy through access control examples.</div></front></TEI><affiliations><list><country><li>Finlande</li><li>Luxembourg (pays)</li><li>Royaume-Uni</li></country><region><li>Angleterre</li><li>Grand Londres</li></region><settlement><li>Londres</li></settlement></list><tree><country name="Luxembourg (pays)"><noRegion><name sortKey="Ouedraogo, Moussa" sort="Ouedraogo, Moussa" uniqKey="Ouedraogo M" first="Moussa" last="Ouedraogo">Moussa Ouedraogo</name></noRegion><name sortKey="Dubois, Eric" sort="Dubois, Eric" uniqKey="Dubois E" first="Eric" last="Dubois">Eric Dubois</name><name sortKey="Dubois, Eric" sort="Dubois, Eric" uniqKey="Dubois E" first="Eric" last="Dubois">Eric Dubois</name><name sortKey="Khadraoui, Djamel" sort="Khadraoui, Djamel" uniqKey="Khadraoui D" first="Djamel" last="Khadraoui">Djamel Khadraoui</name><name sortKey="Khadraoui, Djamel" sort="Khadraoui, Djamel" uniqKey="Khadraoui D" first="Djamel" last="Khadraoui">Djamel Khadraoui</name><name sortKey="Ouedraogo, Moussa" sort="Ouedraogo, Moussa" uniqKey="Ouedraogo M" first="Moussa" last="Ouedraogo">Moussa Ouedraogo</name></country><country name="Royaume-Uni"><region name="Angleterre"><name sortKey="Ouedraogo, Moussa" sort="Ouedraogo, Moussa" uniqKey="Ouedraogo M" first="Moussa" last="Ouedraogo">Moussa Ouedraogo</name></region><name sortKey="Mouratidis, Haralambos" sort="Mouratidis, Haralambos" uniqKey="Mouratidis H" first="Haralambos" last="Mouratidis">Haralambos Mouratidis</name><name sortKey="Mouratidis, Haralambos" sort="Mouratidis, Haralambos" uniqKey="Mouratidis H" first="Haralambos" last="Mouratidis">Haralambos Mouratidis</name><name sortKey="Preston, David" sort="Preston, David" uniqKey="Preston D" first="David" last="Preston">David Preston</name><name sortKey="Preston, David" sort="Preston, David" uniqKey="Preston D" first="David" last="Preston">David Preston</name></country><country name="Finlande"><noRegion><name sortKey="Savola, Reijo M" sort="Savola, Reijo M" uniqKey="Savola R" first="Reijo M." last="Savola">Reijo M. Savola</name></noRegion><name sortKey="Savola, Reijo M" sort="Savola, Reijo M" uniqKey="Savola R" first="Reijo M." last="Savola">Reijo M. Savola</name></country></tree></affiliations></record>Pour manipuler ce document sous Unix (Dilib)
EXPLOR_STEP=$WICRI_ROOT/Wicri/Lorraine/explor/InforLorV4/Data/Main/Exploration
HfdSelect -h $EXPLOR_STEP/biblio.hfd -nk 002625 | SxmlIndent | more
Ou
HfdSelect -h $EXPLOR_AREA/Data/Main/Exploration/biblio.hfd -nk 002625 | SxmlIndent | more
Pour mettre un lien sur cette page dans le réseau Wicri
{{Explor lien
|wiki= Wicri/Lorraine
|area= InforLorV4
|flux= Main
|étape= Exploration
|type= RBID
|clé= ISTEX:12410B0AD1BC00D72B5866ED5D25B5E190E69A5D
|texte= Taxonomy of quality metrics for assessing assurance of security correctness
}}
| This area was generated with Dilib version V0.6.33. |  |