Using Common Criteria Methodology to Express Informal Security Requirements

Abstract

Often, security requirements for complex systems are hard to discern because it is difficult to determine which requirements must be allocated to the system and which pertain to the system environment. In the Common Criteria framework, threat analysis results in a set of objectives that can be subdivided into two major categories: those allocated to the system itself, and the remainder to the environment. By differentiating between these two types of objectives, it is possible to avoid inappropriate requirements specification. Moving beyond systems intended to undergo evaluation, we show that the Common Criteria methodology is effective in requirements analysis for informally specified systems. As a demonstration, a worked example using a Common Criteria-based process for a requirements analysis of an on-line dissemination system is presented.

Document Details

Document Type: Technical Report
Publication Date: Mar 01, 2006
Accession Number: ADA580026

Entities

People

  • Cynthia E. Irvine
  • Douglas R. Kane Jr.
  • Thuy D. Nguyen

Organizations

  • Naval Postgraduate School

Tags

DTIC Thesaurus Topics

  • Authentication
  • Computer Access Control
  • Computer Programs
  • Computers
  • Configuration Management
  • Databases
  • Engineering
  • Environment
  • Materials
  • Operating Systems
  • Physical Security
  • Security
  • Software Development
  • Specifications
  • Standards
  • Test And Evaluation
  • Web Applications

Fields of Study

  • Computer science

Readers

  • Systems Analysis and Design