New Classification of Security Requirements for Quantitative Risk Assessment

New Classification of Security Requirements for Quantitative Risk Assessment

Neila Rjaibi (ISG, Tunisia) and Latifa Ben Arfa Rabai (ISG, Tunisia)
DOI: 10.4018/978-1-5225-6029-6.ch007

Abstract

Objective assessment metrics are continuously recommended and a financial analysis of the risk is required in order to justify the security improvements. It is, thus, critically important to validate the security applications as trustworthy and to generalize this research work to other systems. The chapter addresses firstly the problem of quantifying the security of large scale systems, originally the level of e-learning systems. The risk analysis model considers the variability between the system's stakeholders, the requirements, the components and the security attacks. But, in case of large systems, other security challenges are crucially important to be considered. Indeed, our risk analysis model is strengthened to include the development of new requirements classification.
Chapter Preview
Top

Introduction

We focus on measuring (quantify, assess) the system’s security economically. It refers to the development of security metrics for cost benefit analysis in order to determine the level of risk involved. We offer a quantitative and objective basis for security assurance and report it in practice (Rjaibi and Rabai, 2015a, 2015b).

An economic dynamic model for information security risk analysis and management is developed. It helps in defining the assets, measuring economically the risk, managing the risk toward decisions making. It is illustrated originally to the level of e-Learning systems, more precisely to the popular and current LMS architectures, because it lacks a measurable value and evidence of cyber security. Our model is simple and relies on a few number of inputs which form the system’s security specifications and provide one output which is the average loss per unit of time ($/H) incurred by a stakeholder as a result of security threats. We create an original version of the model using as a basis the Mean Failure Cost metric. Our risk management model serves as an explanation tool of the structural relation between security specifications and cost. It serves as a decision support tool which expands security investments (Rjaibi and Rabai, 2015 a, b).

But being a large-scale system other security measures and challenges are considered. Our model is enhanced and enriched to incorporate the development of important security metrics. Cost effectiveness metrics are enriched with a new hierarchical security requirements classification.

Objective assessment metrics are continuously recommended and a financial analysis of the risk is required in order to justify the security improvements. It is, thus, critically important to validate the security of their applications as trustworthy and to generalize this research work to other systems.

This chapter underscores:

  • The security requirements models

  • The developing of a holistic security requirements taxonomy

  • The illustration of a quantitative risk analysis model using the novel taxonomy

  • The impact of the taxonomy in leading precise evaluation and more efficient decisions

Top

Security Requirements Models

We intend to present a summary of security requirements’ models. They form constraints on the system’s functions into multi levels classification.

The ISO 7498, 1989

This standard model provides a description of security services (ISO 7498-2,1989; Firesmith, 2003; Sekaran, 2007):

  • Authentication (Identification)

  • Authorization: ability to access particular resource

  • Confidentiality (Privacy)

  • Integrity: (Modification of data)

  • Non-Repudiation: (Deny sending)

  • Availability

  • Security auditing

The CIA Triad Model

The confidentiality, integrity and availability model forms a basis in information security. It contains trio requirements and may cover other like: Accountability and Non-Repudiation (Stoneburner et al., 2001).

Complete Chapter List

Search this Book:
Reset