Saad Saleh Alaboodi
Model-based Evaluation: from Dependability Theory to Security
How to quantify security is a classic question in the security community that still lacks a convincing answer. Current security evaluation models are typically either quantitative but too specific (i.e., of limited applicability) or comprehensive (i.e., system-level) but only qualitative. Quantifying security is hard, yet its importance cannot be overstated. The difficulty has many causes: the "physics" of an amount of security is ambiguous; the operational state is defined by two opposing parties; protecting and breaking systems are cross-disciplinary activities; security is achieved through controls of comparable strength yet broken at the weakest link; and the human factor is unavoidable, to name only a few. Security engineers therefore face great challenges in defending the principles of information security and privacy.

This work is an attempt to address model-based, system-level security quantification. The thesis argues that before any system-level analysis can be established, the quantification problem first needs a paradigm shift in security modeling, addressed at the abstraction level of what defines a computing system and its failure model. Consequently, we present a candidate abstraction of computing systems together with a failure model, and then propose two failure-centric, model-based quantification approaches, each consisting of a bounding system model, performance measures, and evaluation techniques.

The first approach addresses the problem by considering the set of controls. To bound and build the logical network of a security system, we extend our earlier work on the Information Security Maturity Model (ISMM) with Reliability Block Diagrams (RBDs), state vectors, and structure functions from reliability engineering. We then present two groups of evaluation methods. The first mainly addresses binary systems, extending minimal path sets, minimal cut sets, and reliability analysis based on both random events and random variables. The second addresses multi-state security systems with multiple performance measures, extending the Multi-state Systems (MSS) representation and the Universal Generating Function (UGF) method to establish a multi-layer MSS (MLMSS) model.

The second approach addresses the quantification problem when both sets of a computing system, i.e., assets and controls, are considered. We adopt a graph-theoretic approach based on Bayesian Networks (BNs) to build an asset-control graph as the candidate bounding system model. To demonstrate its application, we then propose a new risk assessment method with various diagnosis and prediction inferences. This work is multidisciplinary, drawing on foundations from several fields: security engineering; maturity models; dependability theory, particularly reliability engineering; graph theory, particularly BNs; and probability and stochastic models.
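The binary-system tools named above (state vectors, a structure function, minimal path sets, minimal cut sets, and reliability from independent random events) can be illustrated on a small RBD. The following is an added example written for this page, not the thesis's own code or the ISMM model; the four-control system, its structure function and the control success probabilities are constructed for illustration.

```python
from itertools import product

# Constructed 4-control system (hypothetical, not from the thesis):
#   x1 = perimeter filter, x2 = network sensor, x3 = host agent, x4 = MFA.
# RBD: x1 in series with a parallel block of [x2 series x3] and [x4].
# The structure function phi(x) is 1 when the state vector x keeps the
# system working (an attack is blocked) and 0 when it fails.
CONTROLS = (1, 2, 3, 4)


def phi(x):
    x1, x2, x3, x4 = x
    return x1 * (1 - (1 - x2 * x3) * (1 - x4))


def state_vectors(n):
    """All 2^n binary state vectors (1 = control working, 0 = failed)."""
    return list(product((0, 1), repeat=n))


def path_sets(structure, controls):
    """Sets of working controls for which the system works."""
    return [frozenset(c for c, xi in zip(controls, x) if xi)
            for x in state_vectors(len(controls)) if structure(x) == 1]


def cut_sets(structure, controls):
    """Sets of failed controls for which the system fails."""
    return [frozenset(c for c, xi in zip(controls, x) if not xi)
            for x in state_vectors(len(controls)) if structure(x) == 0]


def minimal(sets):
    """Keep only the sets that contain no other set of the collection."""
    return sorted((s for s in sets if not any(t < s for t in sets)),
                  key=lambda s: (len(s), sorted(s)))


def reliability(structure, p):
    """Exact P(phi(X) = 1) for independent controls with P(X_i = 1) = p[i]."""
    total = 0.0
    for x in state_vectors(len(p)):
        if structure(x) == 1:
            pr = 1.0
            for pi, xi in zip(p, x):
                pr *= pi if xi else 1 - pi
            total += pr
    return total


def minimal_path_sets():
    return [set(s) for s in minimal(path_sets(phi, CONTROLS))]


def minimal_cut_sets():
    """Minimal cut sets of size 1 are the system's single points of failure."""
    return [set(s) for s in minimal(cut_sets(phi, CONTROLS))]


if __name__ == "__main__":
    print("minimal path sets:", minimal_path_sets())
    print("minimal cut sets: ", minimal_cut_sets())
    # Constructed per-control success probabilities.
    print("reliability:", round(reliability(phi, (0.95, 0.9, 0.8, 0.7)), 4))
```

The minimal cut set {1} shows the weakest-link property the abstract mentions: however strong the other controls are, the perimeter filter alone decides whether the system can fail on one control.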
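For the multi-state case, the UGF method represents each component by a polynomial-like term set (performance level, probability) and combines components with a composition operator. The following added example implements the standard UGF composition for a constructed three-component system; it is not the thesis's MLMSS model, and the components, performance levels (inspection throughput) and probabilities are assumptions made for illustration.

```python
from collections import defaultdict
import math


def u_function(dist):
    """u-function of one component: {performance level: probability}."""
    assert math.isclose(sum(dist.values()), 1.0), "probabilities must sum to 1"
    return dict(dist)


def compose(u, v, op):
    """UGF composition: combine every pair of terms, applying `op` to the
    performance levels and multiplying probabilities, then collect like terms."""
    out = defaultdict(float)
    for g1, p1 in u.items():
        for g2, p2 in v.items():
            out[op(g1, g2)] += p1 * p2
    return dict(out)


def series(a, b):
    """A serial chain performs no better than its weakest element."""
    return min(a, b)


def parallel(a, b):
    """Parallel capacity adds."""
    return a + b


def availability(u, demand):
    """P(G >= w): probability that system performance meets demand w."""
    return sum(p for g, p in u.items() if g >= demand)


def expected_performance(u):
    return sum(g * p for g, p in u.items())


# Constructed example (hypothetical): two inspection sensors in parallel, each
# with a degraded state, feeding one enforcement point in series. Performance
# levels are inspected traffic units; probabilities are assumed.
SENSOR_A = u_function({0: 0.1, 5: 0.3, 10: 0.6})
SENSOR_B = u_function({0: 0.2, 10: 0.8})
ENFORCER = u_function({0: 0.05, 10: 0.95})


def system_ugf():
    inspection = compose(SENSOR_A, SENSOR_B, parallel)
    return compose(inspection, ENFORCER, series)


if __name__ == "__main__":
    u = system_ugf()
    print("system u-function:", {g: round(p, 4) for g, p in sorted(u.items())})
    print("P(G >= 10):", round(availability(u, 10), 4))
    print("expected performance:", round(expected_performance(u), 4))
```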
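The asset-control graph of the second approach can be sketched as a small Bayesian network with exact inference by enumeration, which is enough to show the two inference directions the abstract names: diagnosis (which control likely failed, given an observed compromise) and prediction (how likely an asset is compromised, given a failed control). This is an added example, not the thesis's model or risk assessment method; the nodes, edges and conditional probabilities are constructed for illustration.

```python
from itertools import product

# Constructed asset-control graph (hypothetical): C1 and C2 are controls,
# A1 is an asset protected by both, A2 is an asset reachable only via A1.
# Every node is binary: 1 = control failed / asset compromised, 0 = otherwise.
# Entry: node -> (parents, CPT mapping parent-value tuple -> P(node = 1)).
NETWORK = {
    "C1": ((), {(): 0.10}),
    "C2": ((), {(): 0.20}),
    "A1": (("C1", "C2"), {(0, 0): 0.01, (1, 0): 0.30, (0, 1): 0.20, (1, 1): 0.80}),
    "A2": (("A1",), {(0,): 0.02, (1,): 0.50}),
}


def joint(assignment):
    """P(full assignment) by the chain rule over the DAG."""
    p = 1.0
    for node, (parents, cpt) in NETWORK.items():
        p1 = cpt[tuple(assignment[q] for q in parents)]
        p *= p1 if assignment[node] else 1 - p1
    return p


def query(target, evidence):
    """P(target = 1 | evidence), enumerating all assignments consistent with
    the evidence (fine for a handful of binary nodes)."""
    nodes = list(NETWORK)
    num = den = 0.0
    for values in product((0, 1), repeat=len(nodes)):
        a = dict(zip(nodes, values))
        if any(a[k] != v for k, v in evidence.items()):
            continue
        p = joint(a)
        den += p
        if a[target]:
            num += p
    return num / den


def diagnose_control(control, compromised_asset):
    """Diagnosis: posterior failure probability of a control given a compromise."""
    return query(control, {compromised_asset: 1})


def predict_asset(asset, failed_control):
    """Prediction: compromise probability of an asset given a failed control."""
    return query(asset, {failed_control: 1})


def rank_controls(compromised_asset):
    """Controls ordered by posterior failure probability, most likely first."""
    controls = [n for n, (parents, _) in NETWORK.items() if not parents]
    return sorted(((c, diagnose_control(c, compromised_asset)) for c in controls),
                  key=lambda t: -t[1])


if __name__ == "__main__":
    print("P(A1 compromised):", round(query("A1", {}), 4))
    print("diagnosis ranking given A1 compromised:", rank_controls("A1"))
    print("P(A2 compromised | C1 failed):", round(predict_asset("A2", "C1"), 4))
```

Note that the ranking is a posterior, not a prior: a control with a low prior failure rate can still rank first once the observed compromise is conditioned on, which is the kind of diagnostic inference the asset-control graph is meant to support.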