64 International Journal of Secure Software Engineering, 4(3), 64-81, July-September 2013

Mean Failure Cost as a Measurable Value and Evidence of Cybersecurity: E-Learning Case Study

Neila Rjaibi, Department of Computer Science, ISG, Tunis, Tunisia
Latifa Ben Arfa Rabai, Department of Computer Science, ISG, Tunis, Tunisia
Anis Ben Aissa, Department of Computer Science, ENIT, Tunis, Tunisia
Ali Mili, Department of Computer Science, New Jersey Institute of Technology, Newark, NJ, USA

ABSTRACT

Addressing cybersecurity within e-learning systems helps make online information more secure. Certain competences need to be identified as necessary skills for managing security online, such as the ability to assess sources and architectural components and an understanding of privacy, confidentiality and user authentication. Security management approaches for quantifying security threats in e-learning are shared with other e-services. We need to adopt a quantitative security risk management process in order to determine the worthiest attack and the ignored one, based on a financial business risk measure, the mean failure cost. This paper proposes a cybersecurity measure called the Mean Failure Cost (MFC) suitable for e-learning systems. It is based on the identification of the system's architecture, the well-defined classes of stakeholders, the list of possible threats and vulnerabilities, and the specific security requirements related to e-learning systems and applications. Security requirements are also considered appropriate mechanisms for preventing, detecting and recovering from security attacks; for this reason, an extension of the MFC measure is presented in order to detect the most critical security requirements. This paper also highlights the security measures and guidelines for controlling e-learning security policies with regard to the most critical security requirements.

Keywords: Critical Security Requirements, Cyber Security Metrics, E-Learning, Information Security, Mean Failure Cost, Risk Management, Security Measures, Threats Analysis

DOI: 10.4018/jsse.2013070104 Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.


1. INTRODUCTION

Because of our ever-increasing dependency on distance learning, we need to validate its applications and infrastructures as trustworthy for mission-critical use. Although there are many models, standards, and metrics for cybersecurity, there is no commonly accepted quantitative evidence of their correctness or even their applicability in the e-learning context. This is explained by the lack of a scientifically based measure for cybersecurity and security risk management within e-learning systems. E-learning and other e-systems need to be safe and secure, both to keep the system running properly and to let users learn safely. We need to adopt a security risk management process in order to determine the worthiest attack and the ignored one; it is one way to focus on the serious attacks, to manage the budget better and find the best way to use it, and to provide a good plan for risk mitigation. In quantitative security risk management, two input variables need to be fixed but are difficult to determine a priori: the probability that a threat may occur and the loss suffered from a successful attack.

Our focus here is to illustrate a dependable measure and quantitative security risk model called the MFC. It provides specific, objective, and measurable evidence to support security activities, assessments, and cybersecurity goals, with e-learning systems as a case study. The MFC is a recent value-based measure of cybersecurity; it computes, for each stakeholder of the given system, his loss of operation ($/H). This quantitative model is a cascade of linear models that quantifies security threats in terms of the loss that results from system vulnerabilities. The MFC measure is then extended to measure the critical security requirements of the given system. The first step towards addressing this evidence is the focus on security measures and their related security mechanisms. This is advantageous in the verification and validation of our software systems in terms of security level.

This paper is organized as follows. In Section 2, we present an overview of security challenges in e-learning systems. In Section 3, we review related research on security risk management approaches, to give a proper context to our work. In Section 4, we present the proposed metric for cybersecurity, and in Sections 5 and 6 we discuss how this metric can be specialized to e-learning systems in light of specific attributes of such systems: their standard architecture, their standard deployment over the internet infrastructure, their typical stakeholders, and their specific security requirements. In Section 7, we show how the proposed metric can be extended to compute the critical security requirements. In Section 8, we analyze security measures of e-learning systems with regard to the critical security requirements, to support quantitative decision-making. Finally, we conclude by summarizing our results and sketching directions for further research.
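An added worked example (not from the paper) of the cascade of linear models described in this introduction, using the factorization MFC = ST · DP · IM · PT as it appears in the MFC literature; the stakeholders, requirements, components, threats and all numeric values are constructed assumptions. It also ranks threats by their contribution to the total loss, which is the sense in which the measure separates the worthiest attack from the one that can be ignored.

```python
# Added illustration of the MFC cascade; every name and number is constructed.
STAKEHOLDERS = ["administrator", "teacher", "student"]
THREATS = ["dos", "sql_injection", "no_threat"]
# ST[i][j]: $/hour lost by stakeholder i if requirement j
# (confidentiality, integrity, availability) is violated.
ST = [[100, 200, 400], [50, 100, 20], [10, 20, 40]]
# DP[j][k]: P(requirement j violated | component k fails);
# components are web_server, database, no_failure.
DP = [[0.2, 0.8, 0.0], [0.1, 0.6, 0.0], [0.9, 0.5, 0.0]]
# IM[k][h]: P(component k fails | threat h materializes); columns sum to 1.
IM = [[0.8, 0.1, 0.0], [0.1, 0.7, 0.0], [0.1, 0.2, 1.0]]
# PT[h]: P(threat h materializes in one hour of operation); sums to 1.
PT = [0.01, 0.02, 0.97]


def mat_vec(m, v):
    if any(len(row) != len(v) for row in m):
        raise ValueError("matrix and vector dimensions do not match")
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def check_distribution(values, label):
    if any(p < 0 for p in values) or abs(sum(values) - 1.0) > 1e-9:
        raise ValueError(f"{label} is not a probability distribution")


def mean_failure_cost(st, dp, im, pt):
    # Threats -> component failures -> requirement violations -> $/hour.
    check_distribution(pt, "PT")
    for h in range(len(pt)):
        check_distribution([row[h] for row in im], f"IM column {h}")
    return mat_vec(st, mat_vec(dp, mat_vec(im, pt)))


def cost_by_threat(st, dp, im, pt):
    # Run the cascade with one threat at a time and sum over stakeholders.
    ranked = []
    for h, name in enumerate(THREATS):
        only_h = [p if i == h else 0.0 for i, p in enumerate(pt)]
        ranked.append((name, sum(mat_vec(st, mat_vec(dp, mat_vec(im, only_h))))))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for who, cost in zip(STAKEHOLDERS, mean_failure_cost(ST, DP, IM, PT)):
        print(f"{who:14s} {cost:6.2f} $/h")
    for threat, cost in cost_by_threat(ST, DP, IM, PT):
        print(f"{threat:14s} {cost:6.3f} $/h")
```

Because the cascade is linear, the per-threat contributions add up to the sum of the stakeholders' MFC values, so the ranking can be read directly as a budget-allocation aid.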

2. SECURITY CHALLENGES IN E-LEARNING SYSTEMS

The e-learning concept is the use of technology to deliver information for training. This modern form of education is useful and interesting because it creates interactions between learners and instructors, or among learners, regardless of time and space (Sun et al., 2008). E-learning is an educational system in which the instructor and the learner are at a distance and collaborate and communicate using technology. E-learning is the delivery of a learning, training or education program by electronic means, as it involves the use of a computer or electronic device in some way to provide training, educational or learning mate-
