Article code: 462043
Journal code: 696659
Publication year: 2012
English article: 16-page PDF
Full-text version: Free download
English title of the ISI article
Appraisal and reporting of security assurance at operational systems level
Related topics
Engineering and Basic Sciences > Computer Engineering > Computer Networks and Communications
English abstract

In this paper we discuss the issues relating to the evaluation and reporting of security assurance of runtime systems. We first highlight the shortcomings of current initiatives in analyzing, evaluating and reporting security assurance information. Then, the paper proposes a set of metrics to help capture and foster a better understanding of the security posture of a system. Our security assurance metric and its reporting depend on whether or not the user of the system has a security background. The evaluation of such metrics is described through the use of theoretical criteria, a tool implementation and an application to a case study based on an insurance company network.


► We investigate security assurance metrics that may help the understanding of a system's security posture.
► Our metrics integrate: the quality of the verification process, the criticality of the context in which the system operates, and the correctness posture of the security mechanism at a given time.
► The security correctness metrics are used for the understanding of users with security exposure.
► A context of use based security assurance level is adopted as an indication for those without a sound knowledge of security.

Publisher
Database: Elsevier - ScienceDirect
Journal: Journal of Systems and Software - Volume 85, Issue 1, January 2012, Pages 193–208
Authors
, , , ,