Validating cyber security requirements: A case study

Robert K. Abercrombie, Frederick T. Sheldon, Ali Mili

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Vulnerabilities in a system may have widely varying impacts on system security. In practice, security should not be defined as the absence of vulnerabilities. In practice, security should not be quantified by the number of vulnerabilities. Security should be managed by pursuing a policy that leads us first to the highest impact vulnerabilities. In light of these observations, we argue in favor of shifting our focus from vulnerability avoidance/removal to measurable security attributes. To this effect, we recommend a logic be used for system security, which captures/represents security properties in quantifiable, verifiable, measurable terms - so that it is possible to reason about security in terms of its observable/perceptible effects rather than its hypothesized causes. This approach is orthogonal to existing techniques for vulnerability avoidance, removal, detection, and recovery, in the sense that it provides a means to assess, quantify, and combine these techniques.

Original language: English (US)
Title of host publication: Proceedings of the 44th Annual Hawaii International Conference on System Sciences, HICSS-44 2010
State: Published - 2011
Event: 44th Hawaii International Conference on System Sciences, HICSS-44 2010 - Koloa, Kauai, HI, United States
Duration: Jan 4 2011 to Jan 7 2011

Publication series

Name: Proceedings of the Annual Hawaii International Conference on System Sciences
ISSN (Print): 1530-1605

Other

Other: 44th Hawaii International Conference on System Sciences, HICSS-44 2010
Country/Territory: United States
City: Koloa, Kauai, HI
Period: 1/4/11 to 1/7/11

All Science Journal Classification (ASJC) codes

  • General Engineering
