Measuring information security has traditionally been daunting task due to the lack of proper tools. Even more, organizations are concerned about suffering security breaches but, most of the time, justifying security investment is a tough task in the absence of a tangible measurement. In this paper, we propose an approach to quantitatively measure different aspects of information security. The ...

We demonstrate, by a number of examples, that informationflow security properties can be proved at a level of abstraction that describes only the causal structure of a system and local properties of trusted components. We specify these architectural descriptions of systems using a generalization of intransitive noninterference policies that admit the ability to filter information passed between...

This paper discusses the complementary role of software assurance arguments and formal mathematical arguments in justifying the achievement of safety and reliability properties within critical applications. This paper reviews the theoretical foundation of this area and proposes a way forward for combining the use of these two forms of arguments in systems and software engineering.

There are a number of similarities between our work at the Software Assurance Forum for Excellence in Code (SAFECode) and the BSIMM effort. Both SAFECode and the BSIMM are focused on improving software security. Both have published documents1 about software security practices that offer approaches to advancing secure software development. And both the SAFECode and BSIMM papers can be used as pa...

In 2003 a working group established on the initiative of the Centre of Information Technology of Education under the Ministry of Education and Science, has been reviewing regulations for the assessment and certification of educational software. This article analizes the main aspects of the proposed orders. It discusses general structure of quality assurance system, the procedures for the certif...

1 1 This is an updated version of the guidelines presented to the Committee for the Coordination of Statistical Activities (CCSA) at its meeting in September 2009 [CCSA, 2009]. It takes into account comments received from members of the CCSA and as well recent developments on quality. The aim of the document is to further support the work of the CCSA for enhanced quality assurance of statistica...

The DARPA Information Assurance (IA) and Operational Partners in Experimentation (OPX) Programs have conducted over a dozen laboratory-based experiments involving live red teams since April 1999. This paper explores some of the lessons learned from the integrator’s perspective that are common among those experiments.