CPL - Chalmers Publication Library

Some Problems in Quantified Security

Vilhelm Verendel (Department of Computer Science and Engineering, Chalmers)
Göteborg: Chalmers University of Technology, 2010. ISBN: 1652-876X. 97 pp.
[Licentiate thesis]

This thesis contains work related to the quantitative representation and analysis of computer and information security. The ability to accurately describe security using quantitative methods could offer better control and evaluation of security in operational settings. However, a number of challenges remain, generally in modeling but also in validation and usability. In this work, we improve knowledge about two identified challenges: (i) validation of methods and (ii) decision-making using quantified risk.

The first part of the thesis critically surveys many of the proposed methods to quantitatively describe security, focusing on their validity. After defining a taxonomy, we survey the assumptions and validation methods used in a large fraction of previous work on the subject. We find that many methods lack clear validation with respect to operational environments, and that some model assumptions are not empirically well supported. We also discuss the characteristics of operational security that make modeling and quantification a remaining challenge, and what future efforts could target in validating quantitative methods for operational security.

In the second part we consider a specific type of quantified security: quantified risk, an existing proposal to analyze security quantitatively in terms of the probabilities and losses of events. We relate this to the usability of quantified information when people make risky decisions, drawing on previous experimental work in behavioral economics. A common assumption in economic and quantitative analysis of security is that correct knowledge about quantified risk leads to rational decision-making. However, previous experimental results show that people do not always handle quantitative information rationally. We hypothesize that this may affect security decision-making based on quantified risk, and study this for two security decision-making problems in a combined theoretical and numerical study.

This thesis has two main conclusions. First, the validity of many current methods in quantified security is unknown, but there is room for improvement. Second, there are potential decision-making problems in using quantified risk for control of operational security.
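The second part's argument, as an added illustration that is not part of the thesis or of this CPL record: two residual security risks are expressed as quantified risk (a probability and a loss), ranked first by expected loss, the "rational" criterion the abstract refers to, and then by a prospect-theory valuation using Tversky and Kahneman's (1992) median parameter estimates for the loss domain (loss aversion 2.25, value-function curvature 0.88, probability-weighting curvature 0.69). The choice of prospect theory as the behavioral model, the parameter values and the two constructed risks are assumptions made here to show the effect; the thesis's own decision problems and numerical study are not reproduced.

```python
"""Expected-loss vs. prospect-theory ranking of two quantified security risks.

Added illustration: prospect theory with Tversky & Kahneman (1992) loss-domain
parameters is assumed as the behavioral model. The risk figures are constructed.
"""
from dataclasses import dataclass

# Tversky & Kahneman (1992) median estimates for the loss domain.
LAMBDA = 2.25   # loss aversion
BETA = 0.88     # curvature of the value function for losses
GAMMA = 0.69    # curvature of the probability-weighting function for losses


@dataclass(frozen=True)
class LossProspect:
    """Residual risk after a control: one loss of `loss` with probability
    `prob`, otherwise nothing. Values are constructed, not thesis data."""
    name: str
    prob: float
    loss: float


def expected_loss(r: LossProspect) -> float:
    """The figure quantified risk assumes a rational decision-maker acts on."""
    return r.prob * r.loss


def weight(p: float, gamma: float = GAMMA) -> float:
    """TK92 probability weighting: overweights small p, underweights large p."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability out of range")
    num = p ** gamma
    return num / (num + (1.0 - p) ** gamma) ** (1.0 / gamma)


def value(x: float, lam: float = LAMBDA, beta: float = BETA) -> float:
    """TK92 value function restricted to losses (x <= 0)."""
    if x > 0:
        raise ValueError("only losses are modelled here")
    return -lam * (-x) ** beta


def prospect_value(r: LossProspect) -> float:
    """Subjective value of a two-outcome prospect (loss with prob, else 0).
    With a single non-zero outcome, original and cumulative prospect theory
    give the same number, so no rank-dependent weighting is needed."""
    return weight(r.prob) * value(-r.loss)


def preferred(options, score) -> str:
    """Name of the option with the highest score."""
    return max(options, key=score).name


def compare(options) -> dict:
    """Which option each criterion picks. Expected loss is negated so that the
    lower expected loss wins, matching 'higher is better' for prospect value."""
    return {
        "expected_loss": preferred(options, lambda r: -expected_loss(r)),
        "prospect_theory": preferred(options, prospect_value),
    }


# Constructed example: a rare catastrophic residual risk vs. a frequent minor one.
RARE_CATASTROPHIC = LossProspect("rare-catastrophic", prob=0.001, loss=1_000_000.0)
FREQUENT_MINOR = LossProspect("frequent-minor", prob=0.1, loss=12_000.0)
OPTIONS = (RARE_CATASTROPHIC, FREQUENT_MINOR)

if __name__ == "__main__":
    for r in OPTIONS:
        print(f"{r.name:18s} E[loss]={expected_loss(r):9.1f}  "
              f"w(p)={weight(r.prob):.4f}  PT value={prospect_value(r):9.1f}")
    print(compare(OPTIONS))
```

Under expected loss the rare catastrophic option is better (1000 against 1200), but the weighting function maps p = 0.001 to roughly 0.0084, about eight times the stated probability, and loss aversion and the concave loss curve magnify the large loss further, so the prospect-theory valuation prefers the frequent minor option. The same quantified risk therefore produces different choices depending on how the decision-maker processes it, which is the kind of decision-making problem the abstract's second conclusion points at.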

Keywords: quantified security, quantitative models, security metrics, computer security, information security, quantified risk, operational risk, survey, risk behavior, risk perception, decision-making

This record was created 2010-01-25. Last modified 2010-02-03.
CPL Pubid: 110799


Departments (Chalmers)

Department of Computer Science and Engineering (Chalmers)

Subject areas

Information Technology

Chalmers infrastructure

Examination

Date: 2010-02-23
Time: 13:15
Venue: HC3
Opponent: Ketil Stölen

Part of series

Technical report L - Department of Computer Science and Engineering, Chalmers University of Technology and Göteborg University