Digital convergence and diffusion of Information and Communication Technology (ICT) solutions in more traditional fields such as industrial automation is a major source of information security threats. Obviously, there is a need for automated information security validation, evaluation and testing approaches. Unfortunately, there is no practical approach to carrying out information security evaluation in a systematic way. Information security evaluation of software intensive and telecommunications systems typically relies heavily on the experience of the security professionals. Requirements are in the focus of information security evaluation process. Information security requirements can be based on iterative risk, threat and vulnerability analyses, and technical and architectural information. There is a need for more practical ways to carry out this iterative process. We introduce a framework for security evaluation based on security requirement definition, behavior modeling and evidence collection. The goal of the decision process is to make an assessment and form conclusions on the information security level or performance of the system under investigation.
|Publication status||Published - 2006|
|MoE publication type||Not Eligible|
|Event||International Seminar on Dependable Requirements Engineering of Computerised Systems at Nuclear Power Plants - Halden, Norway|
Duration: 27 Nov 2006 → 29 Nov 2006
|Conference||International Seminar on Dependable Requirements Engineering of Computerised Systems at Nuclear Power Plants|
|Period||27/11/06 → 29/11/06|
Savola, R. (2006). Towards Requirement Driven Evaluation of Information Security. Paper presented at International Seminar on Dependable Requirements Engineering of Computerised Systems at Nuclear Power Plants, Halden, Norway.