Coverage-Based Heuristics for Selecting Assessment Items from Security Standards: A Core Set Proposal

Title: Coverage-Based Heuristics for Selecting Assessment Items from Security Standards: A Core Set Proposal
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Rosa, F. De Franco, Jino, M., Bueno, P. Marcos Siqueira, Bonacin, R.
Conference Name: 2018 Workshop on Metrology for Industry 4.0 and IoT
ISBN Number: 978-1-5386-2497-5
Keywords: assessment, Assessment Dimension, assessment dimensions, coverage, heuristics, high-coverage assessment designs, IEC standards, Information security, ISO standards, Ontologies, Ontology, Proposals, pubcrawl, resilience, Resiliency, Scalability, security, security aspects, security assessment designs, security assessment heuristics, security characteristics, Security Heuristics, security of data, security property, security standard, Standard, Standards, system security, Systematics

In the realm of the Internet of Things (IoT), information security is a critical issue. Security standards, including their assessment items, are essential instruments in the evaluation of system security. However, a key question remains open: "Which test cases are most effective for security assessment?" To create security assessment designs with suitable assessment items, we need to know the security properties and assessment dimensions covered by a standard. We propose an approach for selecting and analyzing security assessment items; its foundations come from a set of assessment heuristics, and it aims to increase the coverage of assessment dimensions and security characteristics in assessment designs. The main contribution of this paper is the definition of a core set of security assessment heuristics. We systematize the security assessment process by means of a conceptual formalization of the security assessment area. Our approach can be applied to security standards to select or to prioritize assessment items with respect to 11 security properties and 6 assessment dimensions. The approach is flexible, allowing the inclusion of further dimensions and properties. Our proposal was applied to a well-known security standard (ISO/IEC 27001), and its assessment items were analyzed. The proposal is meant to support: (i) the generation of high-coverage assessment designs, which include security assessment items with assured coverage of the main security characteristics, and (ii) the evaluation of security standards with respect to their coverage of security aspects.

Citation Key: rosa_coverage-based_2018