
Combining multiple perspectives in the specification of a security assessment methodology

Posted on: 2004-06-15
Degree: Ph.D
Type: Dissertation
University: University of Virginia
Candidate: Salinas, Maximo Hans
Full Text: PDF
GTID: 1468390011975989
Subject: Engineering
Abstract/Summary:
This dissertation describes a methodology to assess computer system security based on evaluations from three complementary perspectives: requirements and specifications, system attributes, and experimentation. The underlying evaluations lead to the development and modification of Bayesian Belief Network models which incorporate mechanisms to accommodate “out-of-model” breaches in security that may be observed from experience with actual systems.

The three perspectives incorporated in the Multiple Perspective Security Assessment Methodology (MPSAM) were selected because they provide complementary views defining system behavior. The initial system designers view the system as a collection of requirements and specifications and need to be able to perform some early analyses to estimate the expected security. Potential system users may additionally consider attributes describing the environment and context for the system, such as distribution and age, to provide some indication of the expected system security based on historical information provided from similarly classified systems. The assessments made from these initial two perspectives will frequently be refined as a result of experience with the system or from experimentation to emulate the actions of an attacker on actual systems to improve the estimates of either crossing or circumventing the security barriers in the system. MPSAM provides a framework for an integrated assessment of system security and is intended to be open to modification if additional perspectives are identified.
Keywords/Search Tags:Security, Perspectives, System