Risk Management and Information Assurance Decision Support
Department of Defense (DoD) information assurance (IA) certification and accreditation relies on a multi-tier risk framework in which security assessment aligns with the NIST information assurance control set. The human analyst faces multiple burdens, including resolving dependencies among IA controls, understanding how security requirements apply to a specific context, and integrating expertise from multiple technical areas. In this research, we investigate new ways to leverage component-based architecture in reducing security threats. These new techniques integrate human security expert judgements with notions of composable security to identify interactions among security requirements that affect overall system assurance levels. The research is based on using the Multi-factor Quality Measurement (MQM) method to collect security ratings from multiple experts with documented expertise in specific technical areas. We will share results from collecting and analyzing data from security experts with an average of 10 years of experience. The results of this evaluation will improve DoD acquisition by providing reliable ways to express and evaluate cybersecurity mitigations that are commensurate with changing security risks. These evaluations will be semi-automated, focusing expert evaluations on the relevant details of an IT scenario. In addition, the MQM framework can be extended and reused for security, privacy, and even outside of security for any domain where composable requirements exist. This research will yield important public benefits to private sector companies that supply and consume the dual-purpose information technology (IT) used by the DoD and that are frequently subject to security threats from organized crime, foreign governments and stateless hackers. This work helps the IT sector by providing companies with a new means of security risk assessment that collects input from multiple experts in a feasible way, without the burden of hiring more experts.
The ratings provided by experts can support companies in their security risk assessment and related security decisions. The experts can also provide further suggestions through the tool, which can help companies identify unforeseen dependencies and/or missing requirements.
Rights: This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
NPS Report Number: CMU-IT-18-227