Towards requirement centric security evaluation and testing: Position paper

Reijo Savola

Research output: Chapter in Book/Report/Conference proceedingConference article in proceedingsScientific


Information security evaluation of telecommunication or software intensive systems typically relies heavily on the experience of the security professionals. Obviously, automated approaches are needed in this field. Unfortunately, there is no practical approach to carrying out security evaluation in a systematic way. Security evaluation, testing and assessment techniques are needed to be able find adequate solutions. Seeking evidence of the actual information security level or performance of systems still remains an undeveloped field. To make progress in the field there is a need to focus on the development of better experimental techniques, better security metrics and models with practical predictive power. The goal of defining security requirements for a system is to map the results of risk and threat analysis to practical security requirement statements that manage (cancel, mitigate or maintain) the security risks of the system under investigation. The requirements guide the whole process of security evidence collection. For example, security metrics can be developed based on requirements: If we want to measure security behavior of an entity in the system, we can compare it with the explicit security requirements, which act as a "measuring rod".
Original languageEnglish
Title of host publicationEU-US Summit Series on Cyber Trust
Subtitle of host publicationWorkshop on System Dependability & Security
Publication statusPublished - 2006
MoE publication typeB3 Non-refereed article in conference proceedings
EventEU-US Summit Series on Cyber Trust: Workshop on System Dependability & Security - Dublin, Ireland
Duration: 15 Nov 200616 Nov 2006


WorkshopEU-US Summit Series on Cyber Trust


Dive into the research topics of 'Towards requirement centric security evaluation and testing: Position paper'. Together they form a unique fingerprint.

Cite this