Security Evaluation of IT Products: Bridging the Gap between Common Criteria (CC) and Real Option Thinking
KTH, School of Information and Communication Technology (ICT), Electronic, Computer and Software Systems, ECS.
KTH, School of Information and Communication Technology (ICT), Computer and Systems Sciences, DSV.
KTH, School of Information and Communication Technology (ICT), Electronic, Computer and Software Systems, ECS. ORCID iD: 0000-0003-0565-9376
2008 (English). In: WCECS 2008: World Congress on Engineering and Computer Science, 2008, pp. 530-533. Conference paper (Refereed)
Abstract [en]

Information security has long been considered a key concern for organizations benefiting from the electronic era. Rapid technological developments over the last decade have given rise to novel security threats, making IT an uncertain infrastructure. For this reason, business organizations have an acute need to evaluate the security aspects of their IT infrastructure. For many years, the Common Criteria (CC) have been widely used and accepted for evaluating the security of IT products. CC does not impose predefined security rules that a product must exhibit; rather, it provides a language for security evaluation. CC has certain advantages over ITSEC (Information Technology Security Evaluation Criteria), CTCPEC (Canadian Trusted Computer Product Evaluation Criteria) and TCSEC (Trusted Computer System Evaluation Criteria) because it addresses all three dimensions: a) it gives users the opportunity to specify their security requirements, b) it gives developers an implementation guide, and c) it gives evaluators comprehensive criteria against which to evaluate those security requirements. Among the notable shortcomings of CC are the large amount of resources and time an evaluation consumes. Another drawback of CC is that, in this uncertain IT environment, the security requirements must be fixed before the project starts. Real Option Analysis (ROA) is a well-known modern methodology for making investment decisions on projects under uncertainty. It is based on options theory, which provides not only strategic flexibility but also helps to identify hidden options under uncertainty. ROA comes in two flavors: the first is financial option pricing; the second addresses the more uncertain real-world problems whose end results are not deterministic. Information security is one of the core areas in which researchers are employing ROA to make security investment decisions. In this paper, we give a brief introduction to ROA and its use in various domains.
We evaluate the use of real-options-based methods to enhance the Common Criteria evaluation methodology, so that it can manage dynamic security requirement specification and reduce the time and resources required. We analyze the possibilities for overcoming the limitations of CC from the perspectives of the end user, the developer and the evaluator. We believe that the capabilities ROA adds can stop, and possibly reverse, this trend and strengthen CC usage with a more effective and responsive evaluation methodology.

Place, publisher, year, edition, pages
2008. pp. 530-533.
Series: Lecture Notes in Engineering and Computer Science
Keyword [en]
Common Criteria (CC), IT Security Evaluation, Real Option Analysis (ROA), Return on security Investments (ROSI)
National Category
Computer and Information Science
URN: urn:nbn:se:kth:diva-31258
ISI: 000263417100100
ISBN: 978-988-98671-0-2
OAI: diva2:405508
World Congress on Engineering and Computer Science (WCECS 2008), San Francisco, CA, October 22-24, 2008
QC 20110322. Available from: 2011-03-22. Created: 2011-03-11. Last updated: 2011-03-22. Bibliographically approved.

Open Access in DiVA

No full text

Other links

WCECS 2008

Authors
Abbas, Haider; Yngström, Louise; Hemani, Ahmed