1. Introduction
Cyber security is defined as the body of policies, emerging measures and strategies designed to protect networks, computers, and programs from threats. The prefix “cyber” is a trendy, “fashionable” one; it follows from the exponential growth of computing and, more generally, from the advent of the “digital revolution”. Cyber security examines the security of industry, public administration, commerce, and other sectors in order to protect them against the risks arising from their online presence.
Given the real danger, its complexity and the scale of the systems involved, implementing security is costly and sometimes ineffective, yet it remains a serious necessity. Therefore, security assessment policies, metrics and risk management models are recommended to justify security expenditures, support technical managers and convince non-technical decision makers. Security risk assessment, as a step toward risk management, answers the question: what roadmap can be proven and built to achieve a secure and safe system? In security risk management practice, if we cannot measure, we can neither control nor improve. This process is intended to measure security and its related features and to assess the risk of compromise.
One of the challenging problems in the field of cyber security and risk assessment is the orthogonal classification of security requirements. In this paper, we intend to answer the question: what taxonomy of security requirements should we use when quantifying security? In such a taxonomy, an orthogonal classification is one in which no item is a member of more than one group, which means that the classifications are mutually exclusive. Although there is a variety of security requirements taxonomy models, each one examines some of the security requirements and neglects others. We intend to develop a novel and holistic security requirements taxonomy to cope with the orthogonal classification problem. This model is applied to the MFC metric in order to optimize the security quantification of e-learning systems. This improves the assessment accuracy and reduces the redundancy in estimating the security requirements values.
The definition of security requirements is essential, but we usually study only the generic and standard ones such as confidentiality, integrity, availability, authentication, non-repudiation and privacy. Moreover, a standard security taxonomy is missing (Travis, 2010), and the literature review has shown that there are different models of security requirements; we need to propose a unified, standard and holistic one.
Our first major focus is to propose the most aggregated security requirements taxonomy, based on several models presented in the open literature. Our proposed model includes two levels of abstraction: it incorporates 13 basic and standard requirements, which are then refined into 31 security requirement sub-factors. It forms a standard and unified model of security requirements.
Quantitative security risk management models are essential to gauge and assess risk. They aim to present the critical security problems and to provide a good plan for risk mitigation. We focus on the security problems of a given system through a strong quantitative security risk management model, the Mean Failure Cost (MFC), a recent cyber security measure (Aissa et al., 2012; Aissa et al., 2010; Rjaibi et al., 2012a; Ben Arfa Rabai et al., 2012; Rjaibi et al., 2012b).
Our second major focus is to use the proposed taxonomy of security requirements to optimize the MFC cybersecurity measure and its quantitative values. This contribution consists in extending the theoretical structure and empirical values of the MFC model in order to evaluate all of the possible extended security requirements of the considered security risk management model. Our findings improve the security asset values and lead to a structured and complete risk analysis process, which later helps to find the security problems related to all of these security requirements. In addition, this reduces the redundancy of the security requirements values presented in the MFC matrix and increases the accuracy of estimating the requirements values.