Measuring Quality of Information Assurance (QoIA)
Abstract
Current information assurance techniques do not allow us to state quantitatively how assured our systems and networks are. As a result, (a) security and assurance measures can only be designed and built into information systems in an ad hoc fashion, (b) it is difficult to characterize the capabilities of security measures, and (c) information systems cannot deliver quality of information assurance (QoIA) guarantees. This seedling project had two objectives: (1) to explore an economics theoretic framework for measuring assurance and (2) to explore a theory of QoIA management. For each objective, the study defines the problem space, offers some potentially feasible solutions, and creates a technology development roadmap for a 5 to 7 year time horizon. The key idea is to use incentive-based, economic models of attacker intent, objectives and strategies (AIOS) to measure a system's overall assurance capacity. As a result, a preliminary framework for AIOS modeling and inference is developed along with an approach which uses AIOS inferences to measure a system's assurance capacity. Two real-world assurance measuring case studies were conducted. Finally, a preliminary framework for measuring QoIA and delivering QoIA services in mission critical database systems is proposed.
Document Details
- Document Type: Technical Report
- Publication Date: Oct 01, 2003
- Accession Number: ADA419205
Entities
People
- Peng Liu
Organizations
- Pennsylvania State University