Security Evaluation of IT Products: Bridging the Gap between Common Criteria (CC) and Real Option Thinking
2008 (English). In: WCECS 2008: World Congress on Engineering and Computer Science, 2008, p. 530-533. Conference paper (Refereed)
Information security has long been considered a key concern for organizations benefiting from the electronic era. The rapid technological developments of the last decade have given rise to novel security threats, making IT an uncertain infrastructure. For this reason, business organizations have an acute need to evaluate the security aspects of their IT infrastructure. For many years, the Common Criteria (CC) have been widely used and accepted for evaluating the security of IT products. CC does not impose predefined security rules that a product should exhibit; it provides a language for security evaluation. CC has certain advantages over ITSEC (Information Technology Security Evaluation Criteria), CTCPEC (Canadian Trusted Computer Product Evaluation Criteria) and TCSEC (Trusted Computer System Evaluation Criteria) because it addresses all three dimensions: a) it gives users the opportunity to specify their security requirements, b) it gives developers an implementation guide, and c) it provides comprehensive criteria for evaluating the security requirements. Among the notable shortcomings of CC are the resources and the time that an evaluation consumes. Another drawback is that, in this uncertain IT environment, the security requirements must be defined before the project starts. Real Option Analysis (ROA) is a well-known modern methodology for making investment decisions on projects under uncertainty. It is based on options theory, which not only provides strategic flexibility but also helps to consider hidden options under uncertainty. ROA comes in two flavors: one for financial option pricing and one for the more uncertain real-world problems whose end results are not deterministic. Information security is one of the core areas in which researchers are employing ROA to make security investment decisions. In this paper, we give a brief introduction to ROA and its use in various domains.
We evaluate the use of real-options-based methods to enhance the Common Criteria evaluation methodology, so that dynamic security requirement specifications can be managed and the required time and resources reduced. We analyze the possibilities for overcoming CC limitations from the perspectives of the end user, the developer and the evaluator. We believe that ROA-enhanced capabilities can potentially stop, and possibly reverse, this trend and strengthen CC usage through a more effective and responsive evaluation methodology.
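The abstract contrasts a static, up-front investment decision with the flexibility that options theory values. The following is an added worked example, not code or data from the paper: it prices the option to defer a security investment (for example, implementing and CC-evaluating a control) on a Cox-Ross-Rubinstein binomial lattice and compares it with the now-or-never NPV. All inputs (the present value of the avoided-loss benefit `v0`, the cost, the volatility `sigma`, the rate `r`, and the horizon) are constructed, labelled assumptions chosen to illustrate the mechanics, not figures from the paper.

```python
"""Added example: real-option value of deferring a security investment.

Not the paper's own method; a standard binomial-lattice (CRR) valuation of
an American-style option to invest, applied to a security control whose
benefit estimate is uncertain. All numeric inputs below are constructed.
"""
import math


def static_npv(v0: float, cost: float) -> float:
    """Now-or-never decision: benefit today minus investment cost."""
    return v0 - cost


def real_option_value(v0: float, cost: float, sigma: float, r: float,
                      years: float, steps: int) -> float:
    """Value of the right (not the obligation) to invest at any lattice node
    up to `years` from now.

    v0    - present value of the benefit the control delivers (e.g. expected
            loss avoided, the numerator of a ROSI estimate); assumed input
    cost  - cost of implementing and evaluating the control; assumed input
    sigma - annual volatility of the benefit estimate (threat uncertainty)
    r     - risk-free rate used for discounting
    """
    if steps < 1 or years <= 0 or sigma <= 0:
        raise ValueError("steps, years and sigma must be positive")
    dt = years / steps
    u = math.exp(sigma * math.sqrt(dt))   # up factor per step
    d = 1.0 / u                           # down factor per step
    growth = math.exp(r * dt)
    p = (growth - d) / (u - d)            # risk-neutral probability of an up move
    if not 0.0 <= p <= 1.0:
        raise ValueError("lattice inconsistent: reduce dt or increase sigma")
    disc = math.exp(-r * dt)

    # Terminal nodes: node i has (steps - i) up moves and i down moves.
    # Invest only if the benefit exceeds the cost; otherwise walk away at 0.
    values = [max(v0 * u ** (steps - i) * d ** i - cost, 0.0)
              for i in range(steps + 1)]

    # Backward induction. At every earlier node compare "invest now" with
    # "keep the option open"; the max is the early-exercise (deferral) rule.
    for step in range(steps - 1, -1, -1):
        nxt = []
        for i in range(step + 1):
            hold = disc * (p * values[i] + (1.0 - p) * values[i + 1])
            exercise = v0 * u ** (step - i) * d ** i - cost
            nxt.append(max(hold, exercise))
        values = nxt
    return values[0]


def value_of_waiting(v0: float, cost: float, sigma: float, r: float,
                     years: float, steps: int) -> float:
    """Flexibility premium: option value minus the value of deciding today."""
    return (real_option_value(v0, cost, sigma, r, years, steps)
            - max(static_npv(v0, cost), 0.0))


if __name__ == "__main__":
    # Constructed scenario: benefit PV 100, cost 110, 40% volatility,
    # 5% rate, two-year window with yearly decision points.
    V0, COST, SIGMA, R, YEARS, STEPS = 100.0, 110.0, 0.4, 0.05, 2.0, 2
    print(f"static NPV           : {static_npv(V0, COST):8.2f}  (reject)")
    print(f"option to defer      : {real_option_value(V0, COST, SIGMA, R, YEARS, STEPS):8.2f}")
    print(f"value of waiting     : {value_of_waiting(V0, COST, SIGMA, R, YEARS, STEPS):8.2f}")
```

With these constructed inputs the static NPV is negative, so a now-or-never analysis rejects the control, while the deferral option is worth roughly 21.9: the requirement need not be fixed at project start, because the decision can be revisited as the threat picture (modelled by `sigma`) resolves. Raising `sigma` raises the option value, which is the formal counterpart of the abstract's point that uncertainty makes flexibility more valuable.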
Place, publisher, year, edition, pages: 2008, p. 530-533, Lecture Notes in Engineering and Computer Science
Keywords: Common Criteria (CC), IT Security Evaluation, Real Option Analysis (ROA), Return on Security Investment (ROSI)
Computer and Information Science
Identifiers: URN: urn:nbn:se:kth:diva-31258; ISI: 000263417100100; ISBN: 978-988-98671-0-2; OAI: oai:DiVA.org:kth-31258; DiVA: diva2:405508
World Congress on Engineering and Computer Science (WCECS 2008), San Francisco, CA, OCT 22-24, 2008
QC 20110322. Available from: 2011-03-22. Created: 2011-03-11. Last updated: 2011-03-22. Bibliographically approved.