2011 Third International Workshop on Security Measurements and Metrics

Date: 21 Sept. 2011

  • [Title page i]

    Publication Year: 2011, Page(s): i
  • [Title page iii]

    Publication Year: 2011, Page(s): iii
  • [Copyright notice]

    Publication Year: 2011, Page(s): iv
  • Table of contents

    Publication Year: 2011, Page(s): v-vi
  • Steering Committee

    Publication Year: 2011, Page(s): vii
  • Program Committee

    Publication Year: 2011, Page(s): viii
  • Reviewers

    Publication Year: 2011, Page(s): ix
  • Security Risk Management by Qualitative Vulnerability Analysis

    Publication Year: 2011, Page(s): 1-10
    Cited by: Papers (1)

    Security risk assessment in the requirements phase is challenging because risk factors, such as probability and damage of attacks, are not always numerically measurable or available in the early phases of development. This makes the selection of proper security solutions problematic because mitigating impacts and side-effects of solutions are not often quantifiable. In the early development phases...

  • An Empirical Study of the Evolution of PHP Web Application Security

    Publication Year: 2011, Page(s): 11-20
    Cited by: Papers (3)

    Web applications are increasingly subject to mass attacks, with vulnerabilities found easily in both open source and commercial applications as evinced by the fact that approximately half of reported vulnerabilities are found in web applications. In this paper, we perform an empirical investigation of the evolution of vulnerabilities in fourteen of the most widely used open source PHP web applicat...

  • Cyber Security Alert Warning System: A Socio-techinal Coordinate System Proposal

    Publication Year: 2011, Page(s): 21-24
    Cited by: Papers (1)

    In this short paper we outline the problems of developing a cyber security alert warning system. We review some of the current warning systems and examine how they are related to the security metrics area. We then propose a socio-technical coordinate system to scale and classify cyber security warnings along with security posture levels.

  • An Enhanced Threat Identification Approach for Collusion Threats

    Publication Year: 2011, Page(s): 25-30
    Cited by: Papers (2)

    Colluding threat agents are a serious and difficult problem to deal with in any organization. Collusion is possible at any level and with any entity inside or outside the organization. Traditional methods cannot effectively deal with legitimate users who abuse their privileges and their familiarity and proximity to the computational environment by colluding with outsiders or other insiders to expl...

  • Quantifying the Effects of More Timely Certificate Revocation on Lightweight Mobile Devices

    Publication Year: 2011, Page(s): 31-40

    Public Key Infrastructure (PKI) is a key infrastructure for secure communications and transactions on the Internet. We revisit the problem of timely certificate revocation and develop a performance analysis framework with more realistic assumptions of when certificates are revoked, a query model differentiating revoked and unrevoked certificates, and realistic cost factors. Our analysis is fine-gr...

  • Measuring Privacy Compliance with Process Specifications

    Publication Year: 2011, Page(s): 41-50
    Cited by: Papers (1)

    Enforcement relies on the idea that infringements are violations and as such should not be allowed. However, this notion is very restrictive and cannot be applied in unpredictable domains like healthcare. To address this issue, we need conformance metrics for detecting and quantifying infringements of policies and procedures. However, existing metrics usually consider every deviation from specific...

  • Performance Evaluation of Oracle VM Server Virtualization Software 64 Bit Linux Environment

    Publication Year: 2011, Page(s): 51-57
    Cited by: Papers (1)

    Server virtualization has created some growing problems and disorder, such as unresponsive virtualized systems, crashed virtualized servers, misconfigured virtual hosting platforms, performance tuning, and erratic performance metrics with some benchmark tools. This research analyzed the performance of Oracle VM server virtualization software against that of a bare-metal server environment. It also exam...

  • A framework for security metrics based on operational system attributes

    Publication Year: 2011, Page(s): 58-65
    Cited by: Papers (1)

    There exist a large number of suggestions for how to measure security, with different goals and objectives. The application areas range from business management and organizational systems to large software systems. The approaches may be theoretical, technical, administrative or practical. In many cases the goal is to find a single overall metric of security. Given that security is a complex and m...

  • A testbed for the evaluation of web intrusion prevention systems

    Publication Year: 2011, Page(s): 66-75
    Cited by: Papers (1)

    Web intrusion prevention systems are popular for defending web applications against common attacks, such as SQL injection and cross-site scripting, but a standardized methodology to evaluate and benchmark such systems is not available. We outline several requirements for a testing and evaluation framework for these systems, and we introduce the concept of a benchmarking testbed, which automaticall...

  • Authentication Protocol for Preventing Damage by Loss and Theft of Smartphone

    Publication Year: 2011, Page(s): 76-79

    Though security technology that prevents smart phones from being lost and stolen is now available, it is designed to function on the 3G or voice networks only, and does not function when the telephone is switched off, a major drawback at present. This paper addresses the need for further study on this matter, and proposes an authentication protocol that can tell whether a smart phone is lost or st...

  • A cause and effect approach towards risk analysis

    Publication Year: 2011, Page(s): 80-83
    Cited by: Papers (1)

    Risk analysis is critical for IT systems and for organizations and their daily operation. There are various tools and methods to analyse risk. Most approaches take risk assessment as a result of specific factors (such as threats and vulnerabilities) without investigating the impact of various types of system operation. Therefore, we suggest a causal approach toward risk analysis based on an existi...

  • Performance Measurement in Cross-Organizational Security Settings

    Publication Year: 2011, Page(s): 84-87

    Measuring IT security management performance is different from, and usually more difficult than, other kinds of measurement. Quantifying IT security in general is difficult; additionally, IT infrastructures differ strongly from each other, consist of heterogeneous components and change permanently. However, IT security needs the attention not only of specialized IT security staff, but also of general ...

  • Experiences from using indicators to validate expert judgments in security risk analysis

    Publication Year: 2011, Page(s): 88-95

    Expert judgments are often used to estimate likelihood values in a security risk analysis. These judgments are subjective and their correctness relies on the competence, training, and experience of the experts. Thus, there is a need to validate the correctness of the values obtained from expert judgments. In this paper we investigate to what extent indicators based on historical data may be used to ...

  • Are Vulnerability Disclosure Deadlines Justified?

    Publication Year: 2011, Page(s): 96-101
    Cited by: Papers (1)

    Vulnerability research organizations Rapid7, Google Security team, and Zero Day Initiative recently imposed grace periods for public disclosure of vulnerabilities. The grace periods ranged from 45 to 182 days, after which disclosure might occur with or without an effective mitigation from the affected software vendor. At this time there is indirect evidence that the shorter grace periods of 45 and...

  • Author Index

    Publication Year: 2011, Page(s): 102
  • [Publisher's Information]

    Publication Year: 2011, Page(s): 104