Developing Security Assurance Metrics to Support Quantitative Security Assurance Evaluation

Abstract

Security assurance (SA) is a technique that helps organizations to appraise the trust and confidence that a system can be operated correctly and securely. To foster effective SA, there must be systematic techniques to reflect the fact that the system meets its security requirements and, at the same time, is resilient against security vulnerabilities and failures. Quantitative SA evaluation applies computational and mathematical techniques for deriving a set of SA metrics to express the assurance level that a system reaches. Such metrics are intended to quantify the strength and weaknesses of the system that can be used to support improved decision making and strategic planning initiatives. Utilizing metrics to capture and evaluate a system’s security posture has gained attention in recent years. However, scarce work has described how to combine SA evaluation while taking into account both SA metrics modeling and analysis. This paper aims to develop a novel approach for the modeling, calculation, and analysis of SA metrics that could ultimately enhance quantitative SA evaluation.