
Security Measurements and Metrics (Metrisec), 2011 Third International Workshop on

Date: 21 Sept. 2011

  • [Title page i]

    Publication Year: 2011 , Page(s): i
  • [Title page iii]

    Publication Year: 2011 , Page(s): iii
  • [Copyright notice]

    Publication Year: 2011 , Page(s): iv
  • Table of contents

    Publication Year: 2011 , Page(s): v - vi
  • Steering Committee

    Publication Year: 2011 , Page(s): vii
  • Program Committee

    Publication Year: 2011 , Page(s): viii
  • Reviewers

    Publication Year: 2011 , Page(s): ix
  • Security Risk Management by Qualitative Vulnerability Analysis

    Publication Year: 2011 , Page(s): 1 - 10

    Security risk assessment in the requirements phase is challenging because risk factors, such as probability and damage of attacks, are not always numerically measurable or available in the early phases of development. This makes the selection of proper security solutions problematic because mitigating impacts and side-effects of solutions are not often quantifiable. In the early development phases, analysts need to assess risks in the absence of numerical measures or deal with a mixture of quantitative and qualitative data. We propose a risk analysis process which intertwines security requirements engineering with a vulnerability-centric and qualitative risk analysis method. The proposed method is qualitative and vulnerability-centric, in the sense that by identifying and analyzing common vulnerabilities the probability and damage of risks are evaluated qualitatively. We also propose an algorithmic decision analysis method that considers risk factors and alternative security solutions, and helps analysts select the most cost-effective solution. The decision analysis method enables making a decision when some of the available data is qualitative.

  • An Empirical Study of the Evolution of PHP Web Application Security

    Publication Year: 2011 , Page(s): 11 - 20

    Web applications are increasingly subject to mass attacks, with vulnerabilities found easily in both open source and commercial applications, as evinced by the fact that approximately half of reported vulnerabilities are found in web applications. In this paper, we perform an empirical investigation of the evolution of vulnerabilities in fourteen of the most widely used open source PHP web applications, finding that vulnerability densities declined from 28.12 to 19.96 vulnerabilities per thousand lines of code from 2006 to 2010. We also investigate whether complexity metrics or a security resources indicator (SRI) metric can be used to identify vulnerable web applications, showing that average cyclomatic complexity is an effective predictor of vulnerability for several applications, especially for those with low SRI scores.

  • Cyber Security Alert Warning System: A Socio-technical Coordinate System Proposal

    Publication Year: 2011 , Page(s): 21 - 24
    Cited by:  Papers (1)

    In this short paper we outline the problems of developing a cyber security alert warning system. We review some of the current warning systems and examine how they are related to the security metrics area. We then propose a socio-technical coordinate system to scale and classify cyber security warnings along with security posture levels.

  • An Enhanced Threat Identification Approach for Collusion Threats

    Publication Year: 2011 , Page(s): 25 - 30

    Colluding threat agents are a serious and difficult problem to deal with in any organization. Collusion is possible at any level and with any entity inside or outside the organization. Traditional methods cannot effectively deal with legitimate users who abuse their privileges and their familiarity and proximity to the computational environment by colluding with outsiders or other insiders to exploit the organization's critical assets. In this paper, we emphasize the limitation of current approaches to threat identification and, because of the seriousness of collusion involving insider threat agents, we give special attention to the MERIT (Management and Education of the Risk of Insider Threat) model. In response to these limitations, we propose an enhanced approach to threat identification, an approach that explicitly and formally addresses the possibility of colluding threat agents.

  • Quantifying the Effects of More Timely Certificate Revocation on Lightweight Mobile Devices

    Publication Year: 2011 , Page(s): 31 - 40

    Public Key Infrastructure (PKI) is a key infrastructure for secure communications and transactions on the Internet. We revisit the problem of timely certificate revocation and develop a performance analysis framework with more realistic assumptions of when certificates are revoked, a query model differentiating revoked and unrevoked certificates, and realistic cost factors. Our analysis is fine-grained and shows the impact of a revocation scheme on the computation, storage and bandwidth costs, particularly on mobile devices as the verifiers. We apply our performance framework to analyze the following schemes: CRL, OCSP, CRS and CREV. Our analysis shows clearly the strengths and weaknesses of each scheme, particularly for mobile lightweight verifiers under higher timeliness guarantees.

  • Measuring Privacy Compliance with Process Specifications

    Publication Year: 2011 , Page(s): 41 - 50
    Cited by:  Papers (1)

    Enforcement relies on the idea that infringements are violations and as such should not be allowed. However, this notion is very restrictive and cannot be applied in unpredictable domains like healthcare. To address this issue, we need conformance metrics for detecting and quantifying infringements of policies and procedures. However, existing metrics usually consider every deviation from specifications equally, making them inadequate to measure the severity of infringements. In this paper, we identify a number of factors which can be used to quantify deviations from process specifications. These factors drive the definition of metrics that allow for a more accurate measurement of privacy infringements. We demonstrate how the proposed approach can be adopted to enhance existing conformance metrics through a case study on the provisioning of healthcare treatment.

  • Performance Evaluation of Oracle VM Server Virtualization Software 64 Bit Linux Environment

    Publication Year: 2011 , Page(s): 51 - 57

    Server virtualization has created some growing problems and disorder, such as unresponsive virtualized systems, crashed virtualized servers, misconfigured virtual hosting platforms, performance tuning and erratic performance metrics with some benchmark tools. This research analyzed the performance of Oracle VM server virtualization software against that of a bare-metal server environment. It also examined the scalability offered by Oracle VM and its operation for supporting high-volume transactions. Two open suite benchmark tools, Swingbench and LMbench, were used to measure performance. Swingbench was also used to measure scalability. 30 and 50 active users were used for the performance evaluation. We discovered from our Swingbench results that Oracle database performance in a single Oracle VM resulted in 4% and 8% overhead for 30 and 50 active users respectively. Performance metrics of 75% and 87% were obtained with 30 and 50 active users correspondingly in a dual Oracle VM server, an indication of performance scalability improvement with two virtual machines. Our results also revealed that Oracle VM server achieved significant percentages in latency and bandwidth that cannot be neglected, despite some adrift results obtained from LMbench measurement.

  • A framework for security metrics based on operational system attributes

    Publication Year: 2011 , Page(s): 58 - 65

    There exists a large number of suggestions for how to measure security, with different goals and objectives. The application areas range from business management and organizational systems to large software systems. The approaches may be theoretical, technical, administrative or practical. In many cases the goal is to find a single overall metric of security. Given that security is a complex and multi-faceted property, we believe that there are fundamental problems to find such an overall metric. Thus, we suggest a framework for security metrics that is based on a number of system attributes taken from the security and the dependability disciplines. We start out from the traditional decomposition of security into three main aspects ("CIA") and include a set of dependability attributes. The reason for this is that security and dependability largely reflect the same basic system feature and are partly overlapping. We then regroup those attributes according to an existing conceptual system model and propose metrication methods in accordance. We suggest that there should be metrics related to protective attributes, to behavioural attributes and to system correctness. We also discuss the relation between these types of metrics. We are convinced that this approach will facilitate making quantitative assessment of the concept of combined security and dependability and that it would also improve our understanding of these important system properties.

  • A testbed for the evaluation of web intrusion prevention systems

    Publication Year: 2011 , Page(s): 66 - 75

    Web intrusion prevention systems are popular for defending web applications against common attacks, such as SQL injection and cross-site scripting, but a standardized methodology to evaluate and benchmark such systems is not available. We outline several requirements for a testing and evaluation framework for these systems, and we introduce the concept of a benchmarking testbed, which automatically performs the evaluation in a standardized and reproducible way. By allowing benchmarks to draw from a corpus of installable modules which can be based on actual security vulnerabilities, members of the security community can continuously maintain and improve the benchmark, allowing it to be updated as threats and defenses evolve. We developed a prototype of this testbed and determined that the testbed should automate several common web testing tasks on behalf of its modules in order to ease module development. Although our experiences with the prototype suggest that developing such a testbed is viable, we identified several open questions related to benchmark coverage and performance measurement that should be resolved in order for the resulting benchmark to be useful to end users.

  • Authentication Protocol for Preventing Damage by Loss and Theft of Smartphone

    Publication Year: 2011 , Page(s): 76 - 79

    Though security technology that prevents smart phones from being lost and stolen is now available, it is designed to function on the 3G or voice networks only, and does not function when the telephone is switched off, a major drawback at present. This paper addresses the need for further study on this matter, and proposes an authentication protocol that can tell whether a smart phone is lost or stolen in the Wi-Fi environment as well as on the 3G and voice network.

  • A cause and effect approach towards risk analysis

    Publication Year: 2011 , Page(s): 80 - 83

    Risk analysis is critical for IT systems and for organizations and their daily operation. There are various tools and methods to analyse risk. Most approaches take risk assessment as a result of specific factors (such as threats and vulnerabilities) without investigating the impact of various types of system operation. Therefore, we suggest a causal approach toward risk analysis based on an existing security model. We start out from a current risk analysis method and improve it by taking the system operation, causal relation between the impairments, as well as latency effects into account. The approach exhibits the impact of the attack chain of impairments on system risk. We claim that the approach presented in this paper will make it possible to conduct a more refined quantitative assessment of risk.

  • Performance Measurement in Cross-Organizational Security Settings

    Publication Year: 2011 , Page(s): 84 - 87

    Measuring IT security management performance is different from, and usually more difficult than, other kinds of measurement. Quantifying IT security in general is difficult; additionally, IT infrastructures differ strongly from each other, consist of heterogeneous components and change permanently. However, IT security needs attention not only from specialized IT security staff, but also from general management. The critical point thus is the development of a set of suitable key performance indicators. This paper describes the creation of a set of performance indicators to be used in cross-organizational security settings on the basis of two qualitative empirical studies. Indicators were developed for organizations acting either as service providers or as service consumers.

  • Experiences from using indicators to validate expert judgments in security risk analysis

    Publication Year: 2011 , Page(s): 88 - 95

    Expert judgments are often used to estimate likelihood values in a security risk analysis. These judgments are subjective and their correctness relies on the competence, training, and experience of the experts. Thus, there is a need to validate the correctness of the values obtained from expert judgments. In this paper we investigate to what extent indicators based on historical data may be used to validate likelihood values obtained from expert judgments. We report on experiences from a security risk analysis where indicators were used to validate likelihood values obtained from expert judgments. The experiences build on data collected during the analysis and on semi-structured interviews with the client experts that participated in the analysis.

  • Are Vulnerability Disclosure Deadlines Justified?

    Publication Year: 2011 , Page(s): 96 - 101

    Vulnerability research organizations Rapid7, Google Security team, and Zero Day Initiative recently imposed grace periods for public disclosure of vulnerabilities. The grace periods ranged from 45 to 182 days, after which disclosure might occur with or without an effective mitigation from the affected software vendor. At this time there is indirect evidence that the shorter grace periods of 45 and 60 days may not be practical. However, there is strong evidence that the recently announced Zero Day Initiative grace period of 182 days yields benefit in speeding up the patch creation process, and may be practical for many software products. Unfortunately, there is also evidence that the 182 day grace period results in more vulnerability announcements without an available patch.

  • Author Index

    Publication Year: 2011 , Page(s): 102
  • [Publisher's Information]

    Publication Year: 2011 , Page(s): 104