Taxonomy of quality metrics for assessing assurance of security correctness

M. Ouedraogo (Corresponding Author), Reijo Savola, H. Mouratidis, D. Preston, D. Khadraoui, E. Dubois

Research output: Contribution to journalArticleScientificpeer-review

9 Citations (Scopus)

Abstract

Assurance is commonly considered as “something said or done to inspire confidence” (Webster dictionary). However, the level of confidence inspired from a statement or an action depends on the quality of its source. Similarly, the assurance that the deployed security mechanisms exhibit an appropriate posture depends on the quality of the verification process adopted. This paper presents a novel taxonomy of quality metrics pertinent for gaining assurance in a security verification process. Inspired by the systems security engineering capability maturity model and the common criteria, we introduce five ordinal quality levels for a verification process aimed at probing the correctness of runtime security mechanisms. In addition, we analyse the mapping between the quality levels and different capability levels of the following verification metrics families: coverage, rigour, depth and independence of verification. The quality taxonomy is part of a framework for the Security Assurance of operational systems. These metrics can also be used for gaining assurance in other areas such as legal and safety compliance. Furthermore, the resulting metrics taxonomy could, by identifying appropriate quality security requirements, assist manufacturers of information technology (IT) in developing their products or systems. Additionally, the taxonomy could also empower consumers in IT security product selection to efficaciously and effectively match their organisational needs, while IT security evaluators can use it as a reference point when forming judgments about the quality of a security product. We demonstrate the applicability of the proposed taxonomy through access control examples.
Original languageEnglish
Pages (from-to)67-97
Number of pages31
JournalSoftware Quality Journal
Volume21
Issue number1
DOIs
Publication statusPublished - 2013
MoE publication typeA1 Journal article-refereed

Fingerprint

Taxonomies
Information technology
Glossaries
Security systems
Access control

Keywords

  • security verification process
  • verfication quality
  • metrics
  • software probe quality
  • security assurance
  • correctness measurement

Cite this

Ouedraogo, M. ; Savola, Reijo ; Mouratidis, H. ; Preston, D. ; Khadraoui, D. ; Dubois, E. / Taxonomy of quality metrics for assessing assurance of security correctness. In: Software Quality Journal. 2013 ; Vol. 21, No. 1. pp. 67-97.
@article{025d528856ad4952ad135e085ee4a9aa,
title = "Taxonomy of quality metrics for assessing assurance of security correctness",
abstract = "Assurance is commonly considered as “something said or done to inspire confidence” (Webster dictionary). However, the level of confidence inspired from a statement or an action depends on the quality of its source. Similarly, the assurance that the deployed security mechanisms exhibit an appropriate posture depends on the quality of the verification process adopted. This paper presents a novel taxonomy of quality metrics pertinent for gaining assurance in a security verification process. Inspired by the systems security engineering capability maturity model and the common criteria, we introduce five ordinal quality levels for a verification process aimed at probing the correctness of runtime security mechanisms. In addition, we analyse the mapping between the quality levels and different capability levels of the following verification metrics families: coverage, rigour, depth and independence of verification. The quality taxonomy is part of a framework for the Security Assurance of operational systems. These metrics can also be used for gaining assurance in other areas such as legal and safety compliance. Furthermore, the resulting metrics taxonomy could, by identifying appropriate quality security requirements, assist manufacturers of information technology (IT) in developing their products or systems. Additionally, the taxonomy could also empower consumers in IT security product selection to efficaciously and effectively match their organisational needs, while IT security evaluators can use it as a reference point when forming judgments about the quality of a security product. We demonstrate the applicability of the proposed taxonomy through access control examples.",
keywords = "security verification process, verfication quality, metrics, software probe quality, security assurance, correctness measurement",
author = "M. Ouedraogo and Reijo Savola and H. Mouratidis and D. Preston and D. Khadraoui and E. Dubois",
year = "2013",
doi = "10.1007/s11219-011-9169-0",
language = "English",
volume = "21",
pages = "67--97",
journal = "Software Quality Journal",
issn = "0963-9314",
publisher = "Springer",
number = "1",

}

Ouedraogo, M, Savola, R, Mouratidis, H, Preston, D, Khadraoui, D & Dubois, E 2013, 'Taxonomy of quality metrics for assessing assurance of security correctness', Software Quality Journal, vol. 21, no. 1, pp. 67-97. https://doi.org/10.1007/s11219-011-9169-0

Taxonomy of quality metrics for assessing assurance of security correctness. / Ouedraogo, M. (Corresponding Author); Savola, Reijo; Mouratidis, H.; Preston, D.; Khadraoui, D.; Dubois, E.

In: Software Quality Journal, Vol. 21, No. 1, 2013, p. 67-97.

Research output: Contribution to journalArticleScientificpeer-review

TY - JOUR

T1 - Taxonomy of quality metrics for assessing assurance of security correctness

AU - Ouedraogo, M.

AU - Savola, Reijo

AU - Mouratidis, H.

AU - Preston, D.

AU - Khadraoui, D.

AU - Dubois, E.

PY - 2013

Y1 - 2013

N2 - Assurance is commonly considered as “something said or done to inspire confidence” (Webster dictionary). However, the level of confidence inspired from a statement or an action depends on the quality of its source. Similarly, the assurance that the deployed security mechanisms exhibit an appropriate posture depends on the quality of the verification process adopted. This paper presents a novel taxonomy of quality metrics pertinent for gaining assurance in a security verification process. Inspired by the systems security engineering capability maturity model and the common criteria, we introduce five ordinal quality levels for a verification process aimed at probing the correctness of runtime security mechanisms. In addition, we analyse the mapping between the quality levels and different capability levels of the following verification metrics families: coverage, rigour, depth and independence of verification. The quality taxonomy is part of a framework for the Security Assurance of operational systems. These metrics can also be used for gaining assurance in other areas such as legal and safety compliance. Furthermore, the resulting metrics taxonomy could, by identifying appropriate quality security requirements, assist manufacturers of information technology (IT) in developing their products or systems. Additionally, the taxonomy could also empower consumers in IT security product selection to efficaciously and effectively match their organisational needs, while IT security evaluators can use it as a reference point when forming judgments about the quality of a security product. We demonstrate the applicability of the proposed taxonomy through access control examples.

AB - Assurance is commonly considered as “something said or done to inspire confidence” (Webster dictionary). However, the level of confidence inspired from a statement or an action depends on the quality of its source. Similarly, the assurance that the deployed security mechanisms exhibit an appropriate posture depends on the quality of the verification process adopted. This paper presents a novel taxonomy of quality metrics pertinent for gaining assurance in a security verification process. Inspired by the systems security engineering capability maturity model and the common criteria, we introduce five ordinal quality levels for a verification process aimed at probing the correctness of runtime security mechanisms. In addition, we analyse the mapping between the quality levels and different capability levels of the following verification metrics families: coverage, rigour, depth and independence of verification. The quality taxonomy is part of a framework for the Security Assurance of operational systems. These metrics can also be used for gaining assurance in other areas such as legal and safety compliance. Furthermore, the resulting metrics taxonomy could, by identifying appropriate quality security requirements, assist manufacturers of information technology (IT) in developing their products or systems. Additionally, the taxonomy could also empower consumers in IT security product selection to efficaciously and effectively match their organisational needs, while IT security evaluators can use it as a reference point when forming judgments about the quality of a security product. We demonstrate the applicability of the proposed taxonomy through access control examples.

KW - security verification process

KW - verfication quality

KW - metrics

KW - software probe quality

KW - security assurance

KW - correctness measurement

U2 - 10.1007/s11219-011-9169-0

DO - 10.1007/s11219-011-9169-0

M3 - Article

VL - 21

SP - 67

EP - 97

JO - Software Quality Journal

JF - Software Quality Journal

SN - 0963-9314

IS - 1

ER -