Visible to the public Biblio

Filters: Author is Yee, George O. M.  [Clear All Filters]
2023-01-13
Yee, George O. M..  2022.  Improving the Derivation of Sound Security Metrics. 2022 IEEE 46th Annual Computers, Software, and Applications Conference (COMPSAC). :1804—1809.
We continue to tackle the problem of poorly defined security metrics by building on and improving our previous work on designing sound security metrics. We reformulate the previous method into a set of conditions that are clearer and more widely applicable for deriving sound security metrics. We also modify and enhance some concepts that led to an unforeseen weakness in the previous method that was subsequently found by users, thereby eliminating this weakness from the conditions. We present examples showing how the conditions can be used to obtain sound security metrics. To demonstrate the conditions' versatility, we apply them to show that an aggregate security metric made up of sound security metrics is also sound. This is useful where the use of an aggregate measure may be preferred, to more easily understand the security of a system.
2020-08-28
Yee, George O. M..  2019.  Attack Surface Identification and Reduction Model Applied in Scrum. 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security). :1—8.

Today's software is full of security vulnerabilities that invite attack. Attackers are especially drawn to software systems containing sensitive data. For such systems, this paper presents a modeling approach especially suited for Serum or other forms of agile development to identify and reduce the attack surface. The latter arises due to the locations containing sensitive data within the software system that are reachable by attackers. The approach reduces the attack surface by changing the design so that the number of such locations is reduced. The approach performs these changes on a visual model of the software system. The changes are then considered for application to the actual system to improve its security.

2020-02-17
Yee, George O. M..  2019.  Designing Good Security Metrics. 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC). 2:580–585.

This paper begins with an introduction to security metrics, describing the need for security metrics, followed by a discussion of the nature of security metrics, including the challenges found with some security metrics used in the past. The paper then discusses what makes a good security metric and proposes a rigorous step-by-step method that can be applied to design good security metrics, and to test existing security metrics to see if they are good metrics. Application examples are included to illustrate the method.