A practical approach to measuring assurance

Abstract

Assurance has been defined as "the degree of confidence that security needs are satisfied". The problem with this definition is that, unless one has a way to specify security needs in some measurable way, assurance cannot be expressed in a measurable way either. The definition leaves the practitioner with the challenge of determining what security needs are, whether or not they have been satisfied, and how to determine confidence. We define assurance as a measure of confidence in the accuracy of a risk or security measurement. A critical feature of the view of assurance presented is that it is orthogonal to the measurement of risk and security. High assurance ratings have traditionally been associated with high security and low risk. Our definition permits high assurance to be associated with low security and high risk as well. It also provides a way of deciding whether or not the assurance one has is sufficient.