Investigação sobre a Ausência de Validação nos Métodos Empregados para Quantificar Segurança da Informação
Resumo
A área conhecida como quantificação de segurança é fundamental para construção de modelos e métricas relevantes para apoiar as decisões que devem ser tomadas para a proteção de sistemas e redes. A investigação proposta nesse trabalho consiste em identificar as razões que envolvem a ausência de validação nos métodos empregados para a quantificação da segurança. Os resultados encontrados ao longo da análise crítica e classificação de 57 trabalhos científicos revelam que grande parte dos modelos para quantificar segurança buscam medir alvos genéricos e complexos, como por exemplo medir a segurança da rede ou a segurança da organização, contudo, as tentativas de validações aparecem com maior frequência nos trabalhos que propõem a quantificação de alvos locais e específicos.
Palavras-chave:
Modelos de quantificação de segurança, Métricas de segurança, Validação
Referências
A. Jaquith. Security metrics: replacing fear, uncertainty, and doubt. Addison-Wesley Professional, 2007.
C. Villarrubia, E. Fern, and M. Piattini. Towards a Classification of Security Metrics. In Proceedings of the 2nd international workshop on security in information systems (WOSIS 2004), pages 342—-350, 2004.
D. Chrun. Model-Based Support for Information Technology Security Decision Making. PhD thesis, University of Maryland, 2011.
D. Geer, K. Hoo, and A. Jaquith. Information security: Why the future belongs to the quants. Security & Privacy, IEEE, 1(4):24–32, 2003.
E. Jonsson and L. Pirzadeh. A Framework for Security Metrics Based on Operational System Attributes. In 2011 Third International Workshop on Security Measurements and Metrics, pages 58–65, Sept. 2011.
G. Kaminsky, S. Lizondo, and C. Reinhart. Leading indicators of currency crises. Staff Papers -I nternational Monetary Fund, 45(1):1–48, 1998.
J. Zhang, R. Berthier, W. Rhee, and M. Bailey. Learning from early attempts to measure information security performance. In Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test, pages 1–10, Bellevue, WA, 2012. USENIX Association.
K. Harrison and G. White. An Empirical Study on the Effectiveness of Common Security Measures. In 2010 43rd Hawaii International Conference on System Sciences, pages 1–7, 2010.
M. A. Khan and M. Hussain. Cyber security quantification model. In Proceedings of the 3rd international conference on Security of information and networks - SIN ’10, page 142, New York, New York, USA, 2010. ACM Press.
M. Rudolph and R. Schwarz. A Critical Survey of Security Indicator Approaches. 2012 Seventh International Conference on Availability, Reliability and Security, pages 291–300, Aug. 2012.
O. Balci. Verification, validation, and accreditation. In Proceedings of the 30th conference on Winter simulation, 1998.
O. Weissmann. A comprehensive and comparative metric for information security. In Proceedings of IFIP International Conference on Telecommunication Systems, Modeling and Analysis (ICTSM 2005), 2005.
P. Trzesniak. Indicadores quantitativos : reflex˜oes que antecedem seu estabelecimento. Ciˆencia da Informa¸c˜ao, 27(2):159–164, 1998.
S. Bhatt, W. Horne, and P. Rao. On Computing Enterprise IT Risk Metrics. pages 271–280, 2011.
S. Goel and I. N. Chengalur-Smith. Metrics for characterizing the form of security policies. The Journal of Strategic Information Systems, 19(4):281–295, Dec. 2010.
S. L. Pfleeger and R. K. Cunningham. Why measuring security is hard. Security & Privacy, IEEE, 8(4):46–54, 2010.
S. Stolfo, S. Bellovin, and D. Evans. Measuring Security. IEEE Security and Privacy, 9(June):60–65, 2011.
V. Verendel. Quantified security is a weak hypothesis. In Proceedings of the 2009 workshop on New security paradigms workshop - NSPW ’09, pages 37–49, 2009.
W. Boyer and M. McQueen. Ideal based cyber security technical metrics for control systems. In Critical Information Infrastructures Security, pages 246–260, 2008.
W. Jansen. Directions in security metrics research. Technical report, National Institute of Standards and Technology (NIST), 2010.
C. Villarrubia, E. Fern, and M. Piattini. Towards a Classification of Security Metrics. In Proceedings of the 2nd international workshop on security in information systems (WOSIS 2004), pages 342—-350, 2004.
D. Chrun. Model-Based Support for Information Technology Security Decision Making. PhD thesis, University of Maryland, 2011.
D. Geer, K. Hoo, and A. Jaquith. Information security: Why the future belongs to the quants. Security & Privacy, IEEE, 1(4):24–32, 2003.
E. Jonsson and L. Pirzadeh. A Framework for Security Metrics Based on Operational System Attributes. In 2011 Third International Workshop on Security Measurements and Metrics, pages 58–65, Sept. 2011.
G. Kaminsky, S. Lizondo, and C. Reinhart. Leading indicators of currency crises. Staff Papers -I nternational Monetary Fund, 45(1):1–48, 1998.
J. Zhang, R. Berthier, W. Rhee, and M. Bailey. Learning from early attempts to measure information security performance. In Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test, pages 1–10, Bellevue, WA, 2012. USENIX Association.
K. Harrison and G. White. An Empirical Study on the Effectiveness of Common Security Measures. In 2010 43rd Hawaii International Conference on System Sciences, pages 1–7, 2010.
M. A. Khan and M. Hussain. Cyber security quantification model. In Proceedings of the 3rd international conference on Security of information and networks - SIN ’10, page 142, New York, New York, USA, 2010. ACM Press.
M. Rudolph and R. Schwarz. A Critical Survey of Security Indicator Approaches. 2012 Seventh International Conference on Availability, Reliability and Security, pages 291–300, Aug. 2012.
O. Balci. Verification, validation, and accreditation. In Proceedings of the 30th conference on Winter simulation, 1998.
O. Weissmann. A comprehensive and comparative metric for information security. In Proceedings of IFIP International Conference on Telecommunication Systems, Modeling and Analysis (ICTSM 2005), 2005.
P. Trzesniak. Indicadores quantitativos : reflex˜oes que antecedem seu estabelecimento. Ciˆencia da Informa¸c˜ao, 27(2):159–164, 1998.
S. Bhatt, W. Horne, and P. Rao. On Computing Enterprise IT Risk Metrics. pages 271–280, 2011.
S. Goel and I. N. Chengalur-Smith. Metrics for characterizing the form of security policies. The Journal of Strategic Information Systems, 19(4):281–295, Dec. 2010.
S. L. Pfleeger and R. K. Cunningham. Why measuring security is hard. Security & Privacy, IEEE, 8(4):46–54, 2010.
S. Stolfo, S. Bellovin, and D. Evans. Measuring Security. IEEE Security and Privacy, 9(June):60–65, 2011.
V. Verendel. Quantified security is a weak hypothesis. In Proceedings of the 2009 workshop on New security paradigms workshop - NSPW ’09, pages 37–49, 2009.
W. Boyer and M. McQueen. Ideal based cyber security technical metrics for control systems. In Critical Information Infrastructures Security, pages 246–260, 2008.
W. Jansen. Directions in security metrics research. Technical report, National Institute of Standards and Technology (NIST), 2010.
Publicado
26/05/2015
Como Citar
MIANI, Rodrigo; ZARPELÃO, Bruno; MENDES, Leonardo.
Investigação sobre a Ausência de Validação nos Métodos Empregados para Quantificar Segurança da Informação. In: SIMPÓSIO BRASILEIRO DE SISTEMAS DE INFORMAÇÃO (SBSI), 11. , 2015, Goiânia.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2015
.
p. 315-322.
DOI: https://doi.org/10.5753/sbsi.2015.5832.
