Use this URL to cite or link to this record in EThOS:
Title: Valuation and reporting of security assurance at operational systems level
Author: Ouedraogo, Moussa
ISNI:       0000 0004 2718 4284
Awarding Body: University of East London
Current Institution: University of East London
Date of Award: 2011
Availability of Full Text:
Access from EThOS:
Access from Institution:
Security Assurance is commonly defined as the ground for confidence on the security mechanisms to meet their objectives. Current approaches to evaluating Security Assurance have mainly focused on the software development stage or at the end product software. The few attempts to address Security Assurance at runtime assume a system security model to be static. However most often, it is after the deployment or implementation phase that a system's security may be violated. A cause of security breach that has often been overlooked is the improper deployment/ implementation of the security mechanisms or, generally speaking, their incorrect posture at a given time. Such a security lax may create a false sense of security and lead to negative impacts on the stakeholders. The motivation behind this work stems from the challenges relating: what Security Assurance is and; how it may be appraised and reported for a better understanding of an operational system's security posture. The novelty of this work lies in the provision of the metrics and a methodology that could help address such a challenge. Hence, this thesis provides a contribution towards the improvement of the Security Assurance information required for the understanding of the security situation from a security practitioner perspective, taking into account: the quality of the verification process or software probe used for the verification; the reported correctness status of a security mechanism at a given time; and the estimated effectiveness level for a security mechanism, in case such information is available. Guidance on what tasks may or may not be performed given the security posture of a security mechanism is provided for those users without much understanding of security and is based on the security criticality of the context in which the system operates. The aforementioned metrics are subsequently integrated in an overall methodology which helps compute the Security Assurance level of a component or service through aggregation techniques. Another important feature of the methodology is that it allows the security practitioner to adapt the security model or the metrics in case of newly emerged vulnerabilities. Evaluation of this contribution is described through use of theoretical criteria, tool implementation and application to a case study. Furthermore, Information security professionals have reviewed and evaluated the metrics and methodology proposed by this thesis and provided opinions on their applicability.
Supervisor: Not available Sponsor: Not available
Qualification Name: Thesis (Ph.D.) Qualification Level: Doctoral
EThOS ID:  DOI: Not available