An Autocorrelation Methodology for the Assessment of Security Assurance

An Autocorrelation Methodology for the Assessment of Security Assurance

Richard T. Gordon (Bridging The Gap, Inc., USA) and Allison S. Gehrke (University of Colorado, Denver, USA)
DOI: 10.4018/978-1-60566-326-5.ch004
OnDemand PDF Download:


This chapter describes a methodology for assessing security infrastructure effectiveness utilizing formal mathematical models. The goal of this methodology is to determine the relatedness of effects on security operations from independent security events; determine the relatedness of effects on security operations from security event categories; identify opportunities for increased efficiency in the security infrastructure yielding time savings in the security operations; and identification of combinations of security events which compromise the security infrastructure. We focus on evaluating and describing a novel security assurance measure that governments and corporations can use to evaluate the strength and readiness of their security infrastructure. An additional use is as a before and after measure in a security services engagement to quantify infrastructure improvement that can serve as a basis for continuous security assurance.
Chapter Preview


This chapter presents a novel security assurance methodology organizations can use to quantify their global security posture across the enterprise. The information security industry is addressing many challenges; specifically, how to collect data, often from heterogeneous, non-automated and non-standard sources, and how to properly analyze and act on the data. Before the autocorrelation methodology is described, relevant terms are defined to facilitate discussion.

Security assurance has several variations and definitions in the literature but generally refers to the ability of an organization to protect information and system resources with respect to vulnerability, confidentiality, integrity, and authentication. Security assurance is one broad category of security intelligence that security practitioners and managers are keenly interested in measuring and quantifying. Vulnerability is a weakness in the security system that might be exploited to cause loss or harm and an attack is when a person or another system exploits vulnerability (Pfleeger & Pfleeger, 2006). This chapter presents an autocorrelation methodology to evaluate security assurance processes, technologies, applications, and practices through a novel security metric. Security metrics are tools that support decision making (NIST, SP800-100, 2006).

The ability to extract actionable information automatically through security metrics is crucial to the success of any security infrastructure. Information security metrics in general should be defined, developed, analyzed, maintained, and reported within a broader information security program with a stated mission and clear and concise goals. Within such a framework, security metrics can be linked back to specific program goals which can be leveraged for managerial decision making.

Data drives intelligence across all industries and data is generated from events. Events happen all around us as messages (or “events”) that flow across networks in support of commercial, government, and military operations. Event driven is defined as follows:

Event driven means simply that whatever tools and applications are used to automate business and enterprise management processes, those tools and applications rely on receiving events to monitor the progress of a process and issuing events to initiate its next stages. This is becoming universal for all business processing. (Luckham, 2002, pp. 29)

Processing security information is no exception as information security has become an essential business function (NIST, SP800-80, 2006). Within the context of security, the SANS Institute defines an event as “an observable occurrence in a system or network” (see glossary at: It follows that a security event is a single or collection of “observable occurrence(s) in a system or network” that violate the security policy of an organization. Two related concepts are event aggregation and security event management. Event aggregation is defined by Luckham (2002, pp. 17) as “recognizing or detecting a significant group of lower-level events from among all the enterprise event traffic, and creating a single event that summarizes in its data their significance”. Security event management software is “software that imports security event information from multiple data sources, normalizes the data, and correlates events among the data sources” (NIST, 2006, C-3).

For our purposes, we will define a security incident as a specific type of security event; one that has been identified and classified by the organization as of sufficient priority to require the response of security personnel and whose time to resolve will be measured and tracked. The terms security event and incident are often used interchangeably; the distinction becomes important in the Metrics Development and Implementation Approach section which describes how to develop and implement the metric used in the autocorrelation methodology within a security event management framework.

Complete Chapter List

Search this Book:
Editorial Advisory Board
Table of Contents
Merrill Warkentin
Kenneth J. Knapp
Kenneth J. Knapp
Chapter 1
Jaziar Radianti, Jose J. Gonzalez
This chapter discusses the possible growth of black markets (BMs) for software vulnerabilities and factors affecting their spread. It is difficult... Sample PDF
Dynamic Modeling of the Cyber Security Threat Problem: The Black Market for Vulnerabilities
Chapter 2
Somak Bhattacharya, Samresh Malhotra, S. K. Ghosh
As networks continue to grow in size and complexity, automatic assessment of the security vulnerability becomes increasingly important. The typical... Sample PDF
An Attack Graph Based Approach for Threat Identification of an Enterprise Network
Chapter 3
Robert F. Mills, Gilbert L. Peterson, Michael R. Grimaila
The purpose of this chapter is to introduce the insider threat and discuss methods for preventing, detecting, and responding to the threat. Trusted... Sample PDF
Insider Threat Prevention, Detection and Mitigation
Chapter 4
Richard T. Gordon, Allison S. Gehrke
This chapter describes a methodology for assessing security infrastructure effectiveness utilizing formal mathematical models. The goal of this... Sample PDF
An Autocorrelation Methodology for the Assessment of Security Assurance
Chapter 5
Ken Webb
This chapter results from a qualitative research study finding that a heightened risk for management has emerged from a new security environment... Sample PDF
Security Implications for Management from the Onset of Information Terrorism
Chapter 6
Yves Barlette, Vladislav V. Fomin
This chapter introduces major information security management methods and standards, and particularly ISO/IEC 27001 and 27002 standards. A... Sample PDF
The Adoption of Information Security Management Standards: A Literature Review
Chapter 7
Peter R. Marksteiner
Information overload is an increasingly familiar phenomenon, but evolving United States military doctrine provides a new analytical approach and a... Sample PDF
Data Smog, Techno Creep and the Hobbling of the Cognitive Dimension
Chapter 8
John W. Bagby
The public expects that technologies used in electronic commerce and government will enhance security while preserving privacy. These expectations... Sample PDF
Balancing the Public Policy Drivers in the Tension between Privacy and Security
Chapter 9
Indira R. Guzman, Kathryn Stam, Shaveta Hans, Carole Angolano
The goal of our study is to contribute to a better understanding of role conflict, skill expectations, and the value of information technology (IT)... Sample PDF
Human Factors in Security: The Role of Information Security Professionals within Organizations
Chapter 10
Nikolaos Bekatoros HN, Jack L. Koons III, Mark E. Nissen
The US Government is moving apace to develop doctrines and capabilities that will allow the Department of Defense (DoD) to exploit Cyberspace for... Sample PDF
Diagnosing Misfits, Inducing Requirements, and Delineating Transformations within Computer Network Operations Organizations
Chapter 11
Rodger Jamieson, Stephen Smith, Greg Stephens, Donald Winchester
This chapter outlines components of a strategy for government and a conceptual identity fraud enterprise management framework for organizations to... Sample PDF
An Approach to Managing Identity Fraud
Chapter 12
Alanah Davis, Gert-Jan de Vreede, Leah R. Pietron
This chapter presents a repeatable collaboration process as an approach for developing a comprehensive Incident Response Plan for an organization or... Sample PDF
A Repeatable Collaboration Process for Incident Response Planning
Chapter 13
Dean A. Jones, Linda K Nozick, Mark A. Turnquist, William J. Sawaya
A pandemic influenza outbreak could cause serious disruption to operations of several critical infrastructures as a result of worker absenteeism.... Sample PDF
Pandemic Influenza, Worker Absenteeism and Impacts on Critical Infrastructures: Freight Transportation as an Illustration
Chapter 14
Preeti Singh, Pranav Singh, Insu Park, JinKyu Lee
We live in a digital era where the global community relies on Information Systems to conduct all kinds of operations, including averting or... Sample PDF
Information Sharing: A Study of Information Attributes and their Relative Significance During Catastrophic Events
Chapter 15
Gregory B. White, Mark L. Huson
The protection of cyberspace is essential to ensure that the critical infrastructures a nation relies on are not corrupted or disrupted. Government... Sample PDF
An Overview of the Community Cyber Security Maturity Model
Chapter 16
Doug White, Alan Rea
In this chapter the authors present essential server security components and develop a set of logical steps to build hardened servers. The authors... Sample PDF
Server Hardening Model Development: A Methodology-Based Approach to Increased System Security
Chapter 17
Jeff Teo
Computer attacks of all sorts are commonplace in today’s interconnected, globalized society. A computer worm, written and released in one part of... Sample PDF
Trusted Computing: Evolution and Direction
Chapter 18
Miguel Jose Hernandez y Lopez, Carlos Francisco Lerma Resendez
This chapter discusses the basic aspects of Honeypots, how they are implemented in modern computer networks, as well as their practical uses and... Sample PDF
Introduction, Classification and Implementation of Honeypots
About the Contributors