Keeping an Eye on Your Security Through Assurance Indicators

Moussa Ouedraogo, Chien-Ting Kuo, Simon Tjoa, David Preston, Eric Dubois, Paulo Simoes, Tiago Cruz


Despite the incommensurable effort made from across computer sciences disciplines to provide more secure systems, compromising the security of a system has now become a very common and stark reality for organizations of all sizes and from a variety of sectors. The lax in the technology has often been cited as the salient cause of systems insecurity. In this paper we advocate the need for a Security Assurance (SA) system to be embedded within current IT systems. Such a system has the potential to address one facet of cyber insecurity, which is the exploit of lax within the deployed security and its underlining policy. We discuss the challenges associated to such an SA assessment and present the flavor of its evaluation and monitoring through an initial prototype. By providing indicators on the status of a security matter that is more and more devolved to the provider as it is the case in the cloud, the SA tool can be used as a means of fostering better security transparency between a cloud provider and client.


  1. Arbaugh W.A. and Frincke, D.A, 2011. Living with insecurity.” IEEE Security & Privacy, vol. 9, no. 6, pp. 12-13.
  2. Chew, E, Swanson, M ,Stine, K., Bartol, N., Brown A., and Robinson, W, 2008. Security metrics guide for information technology systems rev.1, Nist special publication 800-55: National Institute of Standards and Technology, Tech. Rep., 2008.
  3. Contreras J. L, DeNardis, L. and Teplinsky, M, 2013. Mapping today's cybersecurity landscape,” American University Law Review, vol. 62, no. 5, p. 1117.
  4. DHS, 2014. National cyber security awareness month. [Online]. Available: awareness-month
  5. ENISA, 2014. European cyber security month. [Online]. Available:
  6. ISO/IEC (2009 ), ISO/IEC 15408-1:2009, International Organization for Standardization and the International Electrotechnical Commission, Geneva.
  7. Furnell S.M. (2009) 'The irreversible march of technology', Information Security Technical Report 14(4)pp.176-180, Elsevier.
  8. Hecker A. and Riguidel, M. 2009. On the operational security assurance evaluation of networked it systems,” in Smart Spaces and Next Generation Wired/Wireless Networking. Springer, pp. 266-278.
  9. Kanstren, T., Savola R. , Evesti, A., Pentikäinen, H., Hecker, A., Ouedraogo, M. , Hatonen, K., Halonen P., Blad, C., Lopez O. 2010. Towards an abstraction layer for security assurance measurements, in Proceedings of the Fourth European Conference on Software Architecture: Companion Volume. ACM, 2010, pp. 189-196.
  10. Loske A, Widjaja T, and Buxmann, P. 2013. Cloud computing providers' unrealistic optimism regarding it security risks: A threat to users?” in Thirty Fourth International Conference on Information Systems (ICIS), [Online]. Available: cgi/viewcontent.cgi?article=1200&context=icis2013
  11. Manadhata P.K. and Wing, J.M., 2008. An attack surface metric, IEEE Transactions on Software Engineering, vol. 37, no. 3, pp. 371-386, 2011.
  12. Martinez-Moyano, I, J, Samsa, M,E, Burke, J, F, Akcam B. K. 2008. Toward a generic model of security in an organizational context: Exploring insider threats to information infrastructure, in Hawaii International Conference on System Sciences (HICSS).
  13. Ouedraogo, M, Khadraoui,D., Mouratidis H., and Dubois, E. 2012, “Appraisal and reporting of security assurance at operational systems level”, Journal of Systems and Software, vol. 85, no. 1, pp. 193-208.
  14. Ouedraogo, M, Savola, R, M, Mouratidis, H. Preston, D. Khadraoui, D and Dubois, E, 2013. Taxonomy of quality metrics for assessing assurance of security correctness, Software Quality Journal, vol. 21, no. 1, pp.67-97.
  15. Payne, S, 2006. A guide to security metrics,” SANS Institute, InfoSec Reading Room.
  16. Savola R.M, Pentikainen, H and Ouedraogo, M. 2010. Towards security effectiveness measurement utilizing risk-based security assurance”, in Information Security for South Africa (ISSA), IEEE.
  17. Skroch, M. McHugh, J. and Williams, J. 2000. Information assurance metrics: Prophecy, process r pipedream,” in Panel Workshop, National Information Systems Security Conference (NISSC 2000), Baltimore.
  18. Vaughn R. B., Henning, R. and Siraj, A. 2003. Information assurance measures and metrics-state of practice and proposed taxonomy,” in System Sciences. Proceedings of the 36th Annual Hawaii International Conference on. IEEE.
  19. Waltermire, D. Quinn, S. Scarfone, K. Halbardier, A. 2009. The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2., Special Publication 800-126, NIST.

Paper Citation

in Harvard Style

Ouedraogo M., Kuo C., Tjoa S., Preston D., Dubois E., Simoes P. and Cruz T. (2014). Keeping an Eye on Your Security Through Assurance Indicators . In Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014) ISBN 978-989-758-045-1, pages 476-483. DOI: 10.5220/0005118504760483

in Bibtex Style

author={Moussa Ouedraogo and Chien-Ting Kuo and Simon Tjoa and David Preston and Eric Dubois and Paulo Simoes and Tiago Cruz},
title={Keeping an Eye on Your Security Through Assurance Indicators},
booktitle={Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014)},

in EndNote Style

JO - Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014)
TI - Keeping an Eye on Your Security Through Assurance Indicators
SN - 978-989-758-045-1
AU - Ouedraogo M.
AU - Kuo C.
AU - Tjoa S.
AU - Preston D.
AU - Dubois E.
AU - Simoes P.
AU - Cruz T.
PY - 2014
SP - 476
EP - 483
DO - 10.5220/0005118504760483