COMMAND: Certifiable Open Measurable Mandates

by   Adam Hastings, et al.

Security mandates today are often in the form of checklists and are generally inflexible and slow to adapt to changing threats. This paper introduces an alternate approach called open mandates, which mandate that vendors must dedicate some amount of resources (e.g. system speed, energy, design cost, etc.) towards security but unlike checklist security does not prescribe specific controls that must be implemented. The goal of open mandates is to provide flexibility to vendors in implementing security controls that they see fit while requiring all vendors to commit to a certain level of security. In this paper, we first demonstrate the usefulness of open security mandates: for instance, we show that mandating 10 defenders losses by 8 mandates can be implemented in practice. Specifically, we solve the problem of identifying a system's overhead due to security, a key problem towards making such an open mandate enforceable in practice. As examples we demonstrate our open mandate system – COMMAND – for two contemporary software hardening techniques and show that our methodology can predict security overheads to a very high degree of accuracy (<1 requirements. We also present experiments that quantify, in terms of dollars, how much end users value the performance lost to security, which help determine the costs of such a program. Taken together – the usefulness of mandates, their enforceability, and their quantifiable costs – make the case for an alternate resource-based mandate.


A Novel Approach to Identify Security Controls in Source Code

Secure by Design has become the mainstream development approach ensuring...

Security level analysis of academic information systems based on standard ISO 27002:2003 using SSE-CMM

This research was conducted to find out the level of information securit...

A Security Cost Modelling Framework for Cyber-Physical Systems

Cyber-Physical Systems (CPS) are formed through interconnected component...

An Efficient Approach for Reviewing Security-Related Aspects in Agile Requirements Specifications of Web Applications

Defects in requirements specifications can have severe consequences duri...

How to Quantify the Security Level of Embedded Systems? A Taxonomy of Security Metrics

Embedded Systems (ES) development has been historically focused on funct...

Steganography Security: Principle and Practice

This paper focuses on several theoretical issues and principles in stega...

A Critical View on CIS Controls

CIS Controls is a set of 20 controls and 171 sub-controls that were crea...

Please sign up or login with your details

Forgot password? Click here to reset