TY - GEN
T1 - Validating cyber security requirements
T2 - 44th Hawaii International Conference on System Sciences, HICSS-44 2010
AU - Abercrombie, Robert K.
AU - Sheldon, Frederick T.
AU - Mili, Ali
PY - 2011
Y1 - 2011
N2 - Vulnerabilities in a system may have widely varying impacts on system security. In practice, security should not be defined as the absence of vulnerabilities. In practice, security should not be quantified by the number of vulnerabilities. Security should be managed by pursuing a policy that leads us first to the highest impact vulnerabilities. In light of these observations, we argue in favor of shifting our focus from vulnerability avoidance/removal to measurable security attributes. To this effect, we recommend a logic be used for system security, which captures/represents security properties in quantifiable, verifiable, measurable terms - so that it is possible to reason about security in terms of its observable/perceptible effects rather than its hypothesized causes. This approach is orthogonal to existing techniques for vulnerability avoidance, removal, detection, and recovery, in the sense that it provides a means to assess, quantify, and combine these techniques.
AB - Vulnerabilities in a system may have widely varying impacts on system security. In practice, security should not be defined as the absence of vulnerabilities. In practice, security should not be quantified by the number of vulnerabilities. Security should be managed by pursuing a policy that leads us first to the highest impact vulnerabilities. In light of these observations, we argue in favor of shifting our focus from vulnerability avoidance/removal to measurable security attributes. To this effect, we recommend a logic be used for system security, which captures/represents security properties in quantifiable, verifiable, measurable terms - so that it is possible to reason about security in terms of its observable/perceptible effects rather than its hypothesized causes. This approach is orthogonal to existing techniques for vulnerability avoidance, removal, detection, and recovery, in the sense that it provides a means to assess, quantify, and combine these techniques.
UR - http://www.scopus.com/inward/record.url?scp=79952905805&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=79952905805&partnerID=8YFLogxK
U2 - 10.1109/HICSS.2011.480
DO - 10.1109/HICSS.2011.480
M3 - Conference contribution
AN - SCOPUS:79952905805
SN - 9780769542829
T3 - Proceedings of the Annual Hawaii International Conference on System Sciences
BT - Proceedings of the 44th Annual Hawaii International Conference on System Sciences, HICSS-44 2010
Y2 - 4 January 2011 through 7 January 2011
ER -