Abstract
Information security evaluation of telecommunication or software-intensive systems typically relies heavily on the experience of the security professionals. Obviously, automated approaches are needed in this field. Unfortunately, there is no practical approach to carrying out security evaluation in a systematic way. Security evaluation, testing and assessment techniques are needed to be able to find adequate solutions. Seeking evidence of the actual information security level or performance of systems still remains an undeveloped field. To make progress in the field there is a need to focus on the development of better experimental techniques, better security metrics and models with practical predictive power. The goal of defining security requirements for a system is to map the results of risk and threat analysis to practical security requirement statements that manage (cancel, mitigate or maintain) the security risks of the system under investigation. The requirements guide the whole process of security evidence collection. For example, security metrics can be developed based on requirements: if we want to measure the security behavior of an entity in the system, we can compare it with the explicit security requirements, which act as a "measuring rod".
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | EU-US Summit Series on Cyber Trust |
| Subtitle of host publication | Workshop on System Dependability & Security |
| Pages | 43-45 |
| Publication status | Published - 2006 |
| MoE publication type | B3 Non-refereed article in conference proceedings |
| Event | EU-US Summit Series on Cyber Trust: Workshop on System Dependability & Security, Dublin, Ireland, 15 Nov 2006 → 16 Nov 2006 |
Workshop

| Field | Value |
|---|---|
| Workshop | EU-US Summit Series on Cyber Trust |
| Country/Territory | Ireland |
| City | Dublin |
| Period | 15/11/06 → 16/11/06 |