Term
| What is the purpose of security metrics? |
|
Definition
| To verify and validate security requirements. They help define measurable attributes that reflect properties of a secure system. |
|
|
Term
| What is a security framework? |
|
Definition
| A basic conceptual structure of security-related ideas that reinforce the system mission and purpose. |
|
|
Term
| What is the basic security engineering methodology? (five steps) |
|
Definition
| 1. Analyze system mission and purpose in operational context. 2. Define security framework. 3. Design secure architecture. 4. Devise security metrics. 5. Devise system security engineering methods. |
|
|
Term
| What are the important dimensions of what system security features do? (four things) |
|
Definition
| 1. They articulate, maintain, and monitor the system mission or purpose. 2. They maintain service levels with damage to functional components. 3. They maintain integrity of interfaces. 4. Ability to respond to attacks by negating or limiting their effects. |
|
|
Term
| What is the conceptual framework for security requirements engineering? |
|
Definition
| A "goal" is a security property of an asset that a stakeholder is interested in. Goals get more detailed by transforming them into "requirements". Requirements, in turn, get more concrete with the help of specifications and assumptions (supported by facts). A specification is a property that the machine must satisfy in order to achieve a security requirement. In this process the system resource to which the security property refers becomes less abstract. |
|
|
Term
| What is the basic question of the principle of avoidance? |
|
Definition
| Are all system functions necessary? E.g., applications on a mobile device do not need data reporting or any bulk data operations. They should be limited to one transaction at a time. |
|
|
Term
| What is the basic question of the principle of deterrence? |
|
Definition
| Is there anything that can be done to make the system less attractive to the attacker? |
|
|
Term
| What is the basic idea of the principle of Conspicuous Factors? |
|
Definition
| Unauthorized activity should be sufficiently hard to achieve that it triggers automated intrusion detection capabilities. |
|
|