Expansion and Practical Implementation of the MFC Cybersecurity Model via a Novel Security Requirements Taxonomy


Neila Rjaibi (Institut Supérieur de Gestion, Tunis, Tunisia) and Latifa Ben Arfa Rabai (Institut Supérieur de Gestion, Tunis, Tunisia)
Copyright: © 2015 |Pages: 20
DOI: 10.4018/IJSSE.2015100102

Abstract

In security risk management practice, what cannot be measured can be neither controlled nor improved. A challenging issue in cyber security is the orthogonal classification of security requirements. A literature review shows that several models of security requirements exist, each examining some requirements and neglecting others. In this paper the authors address the question: which taxonomy of security requirements should be used in a security quantification process? It is thus necessary to build a standard, unified and hierarchical taxonomy; the proposed one incorporates 13 security requirements, refined in a second layer into 31 sub-factors drawn from the variety of models in previous work. The Mean Failure Cost (MFC) model is a recent, rigorous and structural risk management model: a cascade of linear models that quantifies security threats in terms of the loss resulting from a system's vulnerabilities. For each stakeholder it computes the loss of operation ($/h), taking into account that stakeholder's users, the security requirements, the system's components and the complete list of security threats. The proposed taxonomy is used to optimize quantification with the MFC metric by reducing redundancy in estimating the security requirement values and increasing the accuracy of the estimates. The authors apply the expanded MFC model to e-learning platforms.

1. Introduction

Cyber security is the body of policies, measures and strategies designed to protect networks, computers and programs from threats. The prefix "cyber" has become fashionable; its spread follows the exponential growth of computing and, more generally, the "digital revolution". Cyber security concerns industry, public administration, commerce and other sectors, protecting them against the risks of their online presence.

Given the real danger, the complexity and the scale of the systems involved, implementing security is costly and sometimes ineffective, yet it is a serious necessity. Security assessment policies, metrics and risk management models are therefore recommended to justify security expenditure, support technical managers and convince non-technical decision makers. Security risk assessment, as an input to management, answers the question: what roadmap can be built and proven to achieve a secure and safe system? In security risk management practice, what cannot be measured can be neither controlled nor improved; the assessment process is intended to measure security and its related features and to assess the risk at stake.

Among the challenging problems in cyber security and risk assessment is the orthogonal classification of security requirements. In this paper we address the question: which taxonomy of security requirements should be used when quantifying security? An orthogonal classification is one in which no item is a member of more than one group; the classes are mutually exclusive. Although a variety of security requirement taxonomies exist, each examines some security requirements and neglects others. We therefore develop a novel, holistic security requirements taxonomy that addresses the orthogonality problem, and apply it to the MFC metric to optimize the security quantification of e-learning systems. This improves assessment accuracy and reduces redundancy in estimating the security requirement values: a requirement listed under more than one class would otherwise be estimated more than once.

Defining security requirements is essential, but work usually restricts itself to the generic, standard ones: confidentiality, integrity, availability, authentication, non-repudiation and privacy. Moreover, a standard taxonomy of security requirements is lacking (Travis, 2010), and the literature review shows that different models of security requirements exist; a unified, standard and holistic one is needed.

Our first major focus is to propose the most aggregate security requirements taxonomy, built from several models in the open literature. The proposed model has two levels of abstraction: it incorporates 13 basic, standard requirements, refined in a second layer into 31 security requirement sub-factors, and forms a standard and unified model of security requirements.

Quantitative security risk management models are essential for gauging and assessing risk: they expose the critical security problems and provide a basis for planning risk mitigation. We address the security problems of a given system through a rigorous quantitative security risk management model, the Mean Failure Cost, a recent cyber security measure (Aissa et al., 2012; Aissa et al., 2010; Rjaibi et al., 2012a; Ben Arfa Rabai et al., 2012; Rjaibi et al., 2012b).

Our second major focus is to use the proposed taxonomy of security requirements to optimize the MFC cyber security measure and its quantitative values. This contribution extends the theoretical structure and the empirical values of the MFC model so that all of the extended security requirements are evaluated within the risk management model. The result is improved estimates of the security stakes, a structured and complete risk analysis process, and the later identification of security problems related to each of these requirements. It also reduces redundancy among the security requirement values in the MFC matrix and increases the accuracy of the estimated values.
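To make the cascade and the redundancy argument concrete, here is an added example in Python; it is not code from the paper or its authors. The matrix structure, MFC = ST × DP × IM × PT with a stakes matrix, a dependency matrix, an impact matrix and a threat-probability vector, follows the published MFC model cited above (Aissa et al., 2010). The stakeholders, requirements, components, threats and every numeric value are constructed for illustration, as is the small two-level taxonomy used to show how a sub-factor filed under two requirements is counted twice in the stakes.

```python
"""Mean Failure Cost (MFC) cascade plus an orthogonality check on the
security-requirements taxonomy that feeds its stakes matrix.

Added example, not the paper's code. Matrix roles follow the MFC model of
Aissa et al. (2010); all names and numbers below are constructed.
"""
from typing import Dict, List, Sequence

Matrix = List[List[float]]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    """Plain list-based matrix product so the example runs without numpy."""
    assert len(a[0]) == len(b), "inner dimensions must agree"
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def mean_failure_cost(stakes: Matrix, dependency: Matrix,
                      impact: Matrix, threat_prob: Sequence[float]) -> List[float]:
    """MFC per stakeholder in $/hour: ST x DP x IM x PT.

    stakes      (ST): stakeholders x requirements, $/h lost if a requirement is violated
    dependency  (DP): requirements x components, P(requirement fails | component fails)
    impact      (IM): components x threats, P(component fails | threat materialises)
    threat_prob (PT): one entry per threat, P(threat materialises in one hour)
    The last component column / threat row is the model's "no failure" / "no threat" entry.
    """
    pt = [[p] for p in threat_prob]              # column vector
    out = matmul(matmul(matmul(stakes, dependency), impact), pt)
    return [row[0] for row in out]


def check_orthogonal(taxonomy: Dict[str, Sequence[str]]) -> List[str]:
    """Return sub-factors that sit under more than one top-level requirement.

    An orthogonal taxonomy (the paper's goal) returns an empty list.
    """
    owner: Dict[str, str] = {}
    dupes = set()
    for parent, subs in taxonomy.items():
        for s in subs:
            if s in owner and owner[s] != parent:
                dupes.add(s)
            owner.setdefault(s, parent)
    return sorted(dupes)


def aggregate_stakes(taxonomy: Dict[str, Sequence[str]],
                     sub_stakes: Dict[str, float]) -> Dict[str, float]:
    """Roll sub-factor stakes ($/h) up to the top-level requirements.

    A sub-factor listed under two parents is summed into both, which is the
    double counting an orthogonal taxonomy removes from the ST matrix.
    """
    return {p: sum(sub_stakes[s] for s in subs) for p, subs in taxonomy.items()}


# --- constructed input: two stakeholders, three requirements (hypothetical values) ---
STAKEHOLDERS = ["student", "instructor"]
ST = [[10.0, 20.0, 40.0],      # student:    confidentiality, integrity, availability
      [30.0, 50.0, 60.0]]      # instructor
DP = [[0.5, 0.8, 0.0],         # confidentiality | web app, database, no failure
      [0.4, 0.9, 0.0],         # integrity
      [0.9, 0.6, 0.0]]         # availability
IM = [[0.2, 0.5, 0.0],         # web app   | threat T1, threat T2, no threat
      [0.6, 0.1, 0.0],         # database
      [0.2, 0.4, 1.0]]         # no failure
PT = [0.01, 0.02, 0.97]        # hourly probabilities; sums to 1 with "no threat"

# --- constructed taxonomies: one orthogonal, one with a shared sub-factor ---
TAXONOMY_OK = {"integrity": ["data_integrity", "audit_trail"],
               "accountability": ["non_repudiation"]}
TAXONOMY_BAD = {"integrity": ["data_integrity", "audit_trail"],
                "accountability": ["audit_trail", "non_repudiation"]}
SUB_STAKES = {"data_integrity": 10.0, "audit_trail": 5.0, "non_repudiation": 7.0}

if __name__ == "__main__":
    for name, cost in zip(STAKEHOLDERS, mean_failure_cost(ST, DP, IM, PT)):
        print(f"MFC({name}) = {cost:.3f} $/h")
    print("duplicated sub-factors:", check_orthogonal(TAXONOMY_BAD))
    print("stakes with duplication:", aggregate_stakes(TAXONOMY_BAD, SUB_STAKES))
```

With the constructed numbers the cascade yields roughly 0.988 $/h for the student and 1.908 $/h for the instructor, and `aggregate_stakes` on the non-orthogonal taxonomy reports 27 $/h of total stake where only 22 $/h of distinct sub-factor stake exists; running `check_orthogonal` before filling the ST matrix is the practical check the taxonomy work motivates.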
