Coverage-Based Heuristics for Selecting Assessment Items from Security Standards: A Core Set Proposal
| Field | Value |
|---|---|
| Title | Coverage-Based Heuristics for Selecting Assessment Items from Security Standards: A Core Set Proposal |
| Publication Type | Conference Paper |
| Year of Publication | 2018 |
| Authors | Rosa, F. De Franco, Jino, M., Bueno, P. Marcos Siqueira, Bonacin, R. |
| Conference Name | 2018 Workshop on Metrology for Industry 4.0 and IoT |
| ISBN Number | 978-1-5386-2497-5 |
| Keywords | assessment, Assessment Dimension, assessment dimensions, coverage, heuristics, high-coverage assessment designs, IEC standards, Information security, ISO standards, Ontologies, Ontology, Proposals, pubcrawl, resilience, Resiliency, Scalability, security, security aspects, security assessment designs, security assessment heuristics, security characteristics, Security Heuristics, security of data, security property, security standard, Standard, Standards, system security, Systematics |
| Abstract | In the realm of Internet of Things (IoT), information security is a critical issue. Security standards, including their assessment items, are essential instruments in the evaluation of systems security. However, a key question remains open: "Which test cases are most effective for security assessment?" To create security assessment designs with suitable assessment items, we need to know the security properties and assessment dimensions covered by a standard. We propose an approach for selecting and analyzing security assessment items; its foundations come from a set of assessment heuristics, and it aims to increase the coverage of assessment dimensions and security characteristics in assessment designs. The main contribution of this paper is the definition of a core set of security assessment heuristics. We systematize the security assessment process by means of a conceptual formalization of the security assessment area. Our approach can be applied to security standards to select or to prioritize assessment items with respect to 11 security properties and 6 assessment dimensions. The approach is flexible, allowing the inclusion of dimensions and properties. Our proposal was applied to a well-known security standard (ISO/IEC 27001) and its assessment items were analyzed. The proposal is meant to support: (i) the generation of high-coverage assessment designs, which include security assessment items with assured coverage of the main security characteristics, and (ii) evaluation of security standards with respect to the coverage of security aspects. |
| URL | https://ieeexplore.ieee.org/document/8428307 |
| DOI | 10.1109/METROI4.2018.8428307 |
| Citation Key | rosa_coverage-based_2018 |