Evaluating Security Assurance Case Adaptation

Jahan, Sharmin
Marshall, Allen
Gamble, Rose
Journal Title
Journal ISSN
Volume Title
Security certification processes for information systems involve expressing security controls as functional and non-functional requirements, monitoring deployed mechanisms that satisfy the requirements, and measuring the degree of confidence in system compliance. With the potential for systems to perform runtime self-adaptation, functional changes to remedy system performance may impact security control compliance. This impact can extend throughout a network of related controls causing significant degradation to the system’s overall compliance status. We represent security controls as security assurance cases and implement them in XML for management and evaluation. The approach maps security controls to softgoals, introducing achievement weights to the assurance case structure as the foundation for determining security softgoal satisficing levels. Potential adaptations adjust the achievement weights to produce different satisficing levels. We show how the levels can be propagated within the network of related controls to assess the overall security control compliance of a potential adaptation.
Cybersecurity and Software Assurance, Software Technology, Self-adaptation, security control, security certification, assurance case, softgoal, achievement weight, satisficing
Access Rights
Email libraryada-l@lists.hawaii.edu if you need this content in ADA-compliant format.