Security Metrics and Evaluation of Information Systems Security

The evaluation of information systems security is a process in which the evidence for assurance is identified, gathered, and analysed against criteria for security functionality and assurance level. This can result in a measure of trust that indicates how well the system meets particular security target. However, as the information systems complexity increases, it becomes increasingly hard to address security targets and the concept of perfect security proves to be unachievable goal for computer systems developer, testers and users. In this paper a framework for developing security requirements of information systems is examined. In this process qualitative metrics are used to yield quantifiable information that can be used to improve the evaluation process especially risk assessment, vulnerability assessment, protection profiles, and test coverage which are important aspects of systems specification. This work is based on the Common Criteria (CC) and the Systems Security Engineering Capability maturity Model (SSE-CMM). These are useful established methods for security functions identification, assurance levels classification and security processes and organisations maturity levels classification. The security requirements are developed based on security functionality of the system and policy. In this research other aspects of systems security are taken into account. These include ethics and social aspects. In all aspects security metrics facilitate improved understanding of various security process, performance, and informed decision making of various security mechanisms and procedures implementation. Moreover, security metrics are useful for indication and determination of critical and non-critical security parameters, measuring test coverage and effort direction when evaluating a system and security processes. In this research it is expected that the out put will be a system specification framework that takes into account not only the technical aspect but which includes the social and technical issues. Systems specification in CC is referred to as Protection Profiles (PPs). This study is conducted in the developing world and x.509 certificates using application will be used as case study.