A threat model for security specification in security evaluation by ISO/IEC 19791

Abstract

ISO/IEC TR 19791 is an international standard that must be used as the basis for the security evaluation of operational systems. This standard has been recently developed, and the first version was made available in May 2006. ISO/IEC TR 19791 is intended to be an extension of ISO/IEC 15408, known as “Common Criteria” (CC). In order to evaluate an IT product or system using CC or ISO/IEC TR 19791, developers must create a Security Target (ST), or a System Security Target (SST). However, a problem encountered in creating these is the determination of the Security Problem Definitions (SPDs), because the SPDs fall outside of the scope of CC. Neither ISO/IEC 15408 nor ISO/IEC TR 19791 provides a framework for risk analysis or the specification of threats. In this paper, we propose a threat model based on multiple international standards and evaluated ST information, and describe a Web application that can be used for security specifications in the production of STs and SSTs which are to be evaluated by CC and ISO/IEC TR 19791, respectively.