DocumentCode :
2778332
Title :
Risk: A Good System Security Measure
Author :
Saydjari, O. Sami
Author_Institution :
Cyber Defense Agency, Wisconsin Rapids, WI
Volume :
1
fYear :
2006
fDate :
17-21 Sept. 2006
Firstpage :
37
Lastpage :
38
Abstract :
What gets measured gets done. Security engineering as a discipline is still in its infancy. The field is hampered by its lack of adequate measures of goodness. Without such a measure, it is difficult to judge progress and it is particularly difficult to make engineering trade-off decisions when designing systems. The qualities of a good metric include that it: (1) measures the right thing, (2) is quantitatively measurable, (3) can be measured accurately, (4) can be validated against ground truth, and (5) is repeatable. By "measures the right thing", the author means that it measures some set of attributes that directly correlates to closeness to meeting some stated goal. For system security, the author sees the right goal as "freedom from the possibility of suffering damage or loss from malicious attack." Damage or loss applies to the mission effectiveness of the information infrastructure of a system. The mission can be maximizing profits while making quality cars or it could be defending an entire nation against foreign incursion.
Keywords :
security of data; software metrics; software quality; systems analysis; engineering trade-off decisions; security engineering; software metrics; system design; system security measure; Computer security; Costs; Design engineering; Hazards; History; Information security; Information systems; Natural languages; Particle measurements; Probability;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Computer Software and Applications Conference, 2006. COMPSAC '06. 30th Annual International
Conference_Location :
Chicago, IL
ISSN :
0730-3157
Print_ISBN :
0-7695-2655-1
Type :
conf
DOI :
10.1109/COMPSAC.2006.74
Filename :
4020053