Research On Security Assessment Method Based On Technical Debt Quantification

Posted on: 2017-05-04
Degree: Master
Type: Thesis
Country: China
Candidate: J Yang
Full Text: PDF
GTID: 2308330485458099
Subject: Information security

Abstract/Summary:
For enterprises in the information age, sound information systems have become a key condition for survival. Every enterprise depends on a variety of software systems and services to strengthen management, adapt to the market and increase competitiveness. Because of the openness of the Internet and other internal and external factors, information systems face a variety of security threats, such as the spread of Trojans and viruses, and the theft or malicious modification of internal information. An enterprise faces severe consequences if its information systems are damaged: the damage brings not only direct economic losses but also harm to the enterprise's reputation, and with it the loss of its competitive advantage in the marketplace. Security managers and architects therefore often struggle to choose suitable security technologies to protect their information systems. Existing information security decision-making methods develop security solutions mainly from a technical point of view, without taking into account the costs and benefits of those solutions. It is therefore difficult for enterprise decision-makers to form an intuitive judgement of the pros and cons of an investment in information security, which often leads to under- or over-engineering of the security configuration. The term technical debt (TD) is a metaphor for the consequences of trading off short-term requirements (such as the software release schedule or budget) against the quality of software or solutions.

Using TD to measure the costs and benefits of different security solutions converts those costs and benefits from professional (technical) parameters into monetary value, so that enterprise decision-makers can apply traditional economic theory to the management and analysis of security solutions. Building on a study of existing information security risk assessment and decision-making methods, this dissertation extends an existing cost-benefit method, the Security Attribute Evaluation Method (SAEM), and presents a cost-benefit method combined with the concept of technical debt for quantifying the TD caused by different security deployment solutions, in order to help security managers and enterprise decision-makers make suitable decisions according to their requirements and to manage TD. The method uses TD to express the costs and benefits of security decisions in monetary units, making the decision more scientific and comprehensive. A case study of an educational institution shows that, compared with other methods, this method not only lets decision-makers gain an intuitive understanding and comparison of the short-term and long-term gains of different deployment solutions, and so maintain a better balance between costs and benefits, but also lets project managers control and manage the principal, interest, growth and other indicators of TD using traditional economic theory, drawing on mature economic debt theory to provide support and guidance for security decisions.
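The abstract's central claim is that expressing security deployment options as technical debt lets a decision-maker compare short-term and long-term outcomes in money rather than in technical parameters. The following Python script is an added illustration of that framing and is not the thesis's method, its SAEM extension, or its case-study data. Everything in it is an assumption chosen for the illustration: the two deployment options and their figures are constructed for a fictional educational institution, the debt model (principal as deferred deployment cost, interest as residual annual loss above a baseline, growth as compounding of that interest) is a simple stand-in for whatever the dissertation defines, and the function names are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Option:
    """One security deployment solution (all figures in one currency unit)."""
    name: str
    upfront_cost: float   # one-off deployment cost
    annual_opex: float    # recurring operation and maintenance cost
    residual_ale: float   # expected annual loss remaining after deployment


@dataclass(frozen=True)
class TechnicalDebt:
    principal: float        # deferred deployment work, valued in money
    annual_interest: float  # extra expected loss per year caused by that deferral


def technical_debt(option: Option, baseline: Option) -> TechnicalDebt:
    """Assumed model (not the thesis's): principal is what it would still cost
    to bring the option up to the baseline solution; interest is the residual
    loss the option carries above the baseline. Neither can be negative."""
    principal = max(0.0, baseline.upfront_cost - option.upfront_cost)
    interest = max(0.0, option.residual_ale - baseline.residual_ale)
    return TechnicalDebt(principal, interest)


def accrued_interest(debt: TechnicalDebt, years: int, growth_rate: float) -> float:
    """Interest compounding at growth_rate: an unaddressed exposure is assumed
    to cost more with each year it is carried."""
    return sum(debt.annual_interest * (1.0 + growth_rate) ** t for t in range(years))


def total_cost(option: Option, baseline: Option, years: int, growth_rate: float) -> float:
    """Money spent plus expected loss over the horizon: deployment, operation,
    the loss even the baseline cannot avoid, and the growing interest on the
    debt this option carries relative to the baseline."""
    debt = technical_debt(option, baseline)
    return (option.upfront_cost
            + option.annual_opex * years
            + baseline.residual_ale * years
            + accrued_interest(debt, years, growth_rate))


def compare(options: List[Option], baseline: Option, years: int,
            growth_rate: float) -> Dict[str, float]:
    """Total cost of each option over the same horizon, keyed by option name."""
    return {o.name: total_cost(o, baseline, years, growth_rate) for o in options}


def breakeven_year(option: Option, baseline: Option, growth_rate: float,
                   max_years: int = 30) -> Optional[int]:
    """First horizon (in years) at which the baseline costs no more than the
    cheaper-upfront option, or None if that never happens within max_years."""
    for years in range(1, max_years + 1):
        if (total_cost(baseline, baseline, years, growth_rate)
                <= total_cost(option, baseline, years, growth_rate)):
            return years
    return None


# Constructed sample figures for a fictional educational institution.
# These are assumptions for the illustration, not data from the thesis.
FULL = Option("full deployment", upfront_cost=120_000, annual_opex=15_000, residual_ale=5_000)
MINIMAL = Option("minimal deployment", upfront_cost=40_000, annual_opex=8_000, residual_ale=30_000)
GROWTH_RATE = 0.10  # assumed annual growth of the interest on unaddressed exposure


if __name__ == "__main__":
    debt = technical_debt(MINIMAL, FULL)
    print(f"'{MINIMAL.name}' carries principal {debt.principal:,.0f} "
          f"and interest {debt.annual_interest:,.0f} per year")
    for horizon in (1, 3, 5):
        totals = compare([FULL, MINIMAL], FULL, horizon, GROWTH_RATE)
        print(f"{horizon}-year total cost:", {k: round(v) for k, v in totals.items()})
    print("baseline breaks even after", breakeven_year(MINIMAL, FULL, GROWTH_RATE), "years")
```

With these constructed figures the minimal option is far cheaper over one year (78,000 against 140,000) but more expensive over five (about 257,600 against 220,000), and the full deployment breaks even in year four. That is the kind of short-term versus long-term comparison the abstract says the TD framing makes visible; in practice the upfront costs, residual loss estimates and growth rate would come from the organisation's own risk assessment, and the model would be replaced by the dissertation's actual quantification.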
Keywords/Search Tags: Security architecture, Risk management, Security decision-making, Technical debt