Quality Of Protection Security Measurements and Metrics

Quality of Protection: Security Measurements and Metrics is an edited volume based on the Quality of Protection Workshop in Milano, Italy (September 2005). This volume discusses how security research can progress towards quality of protection in security comparable to quality of service in networking and software measurements, and metrics in empirical software engineering. Information security in the business setting has matured in the last few decades. Standards such as IS017799, the Common Criteria (ISO15408), and a number of industry certifications and risk analysis methodologies have raised the bar for good security solutions from a business perspective.

Designed for a professional audience composed of researchers and practitioners in industry, Quality of Protection: Security Measurements and Metrics is also suitable for advanced-level students in computer science.

Motivations.- Why to adopt a security metric? A brief survey.- Service-oriented Assurance — Comprehensive Security by Explicit Assurances.- Measurements: Reliability vs Security.- Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models.- A Discrete Lognormal Model for Software Defects Affecting Quality of Protection.- Time-to-Compromise Model for Cyber Risk Reduction Estimation.- Assessing the risk of using vulnerable components.- Collection and analysis of attack data based on honeypots deployed on the Internet.- Quantitative Security Models.- Multilevel Security and Quality of Protection.- A Conceptual Model for Service Availability.- A SLA evaluation methodology in Service Oriented Architectures.- Towards a Notion of Quantitative Security Analysis.- Metrics for Anonymity and Confidentiality.- The Lower Bound of Attacks on Anonymity Systems — A Unicity Distance Approach.- Intersection Attacks on Web-Mixes: Bringing the Theory into Praxis.- Using Guesswork as a Measure for Confidentiality of Selectively Encrypted Messages.- Measuring Inference Exposure in Outsourced Encrypted Databases.