Term
What is the purpose of security metrics? |
|
Definition
To verify and validate security requirements. They help define measurable attributes that reflect properties of a secure system. |
|
|
Term
What is a security framework? |
|
Definition
A basic conceptual structure of security-related ideas that reinforce the system mission and purpose. |
|
|
Term
What is the basic security engineering methodology? (five steps) |
|
Definition
1. Analyze system mission and purpose in operational context. 2. Define security framework. 3. Design secure architecture 4. Devise security metrics 5. Devise system security engineering methods. |
|
|
Term
What are the important dimensions of system security features do? (four things) |
|
Definition
1. They articulate, maintain, and monitor the system mission or purpose. 2. They maintain service levels with damage to functional components. 3. They maintain integrity of interfaces. 4. Ability to respond to attacks by negating or limiting their effects. |
|
|
Term
What is the conceptual framework for security requirements engineering? |
|
Definition
A "goal" is a security property of an asset that a stakeholder is interested in. Goals get more detailed by transforming them into "requirements". Requirements, in turn, get more concrete with the help of specifications and assumptions (supported by facts). A specification is a property that the machine must satisfy in order to achieve a security requirement. In this process the system resource to which the security property refers becomes less abstract. |
|
|
Term
What is the basic question of the principle of avoidance? |
|
Definition
Are all system functions necessary? E.g., applications on a mobile device do not need data reporting or any bulk data operations. They should be limited to one transaction at a time. |
|
|
Term
What is the basic question of the principle of deterrence? |
|
Definition
Is there anything that can be done to make the system less attractive to the attacker? |
|
|
Term
What is the basic idea of the principle of Conspicuous Factors? |
|
Definition
Unauthorized activity should be sufficiently hard to achieve that it triggers automated intrusion detection capabilities. |
|
|