{"title":"Measuring IT security - a method based on common criteria's security functional requirements","authors":"A. Hunstad, J. Hallberg, R. Andersson","doi":"10.1109/IAW.2004.1437821","DOIUrl":null,"url":null,"abstract":"A networked defense, and the networked information society, requires both trustworthy information systems and that users and societies trust these systems. Since the trustworthiness of systems depends on the level of IT security, the ability to assess the IT security ability is vital. Currently, there are no efficient methods for establishing the level of IT security in information systems. The main results described in this paper are: a set of security functions needed in systems, based on the security functional requirements of the Common Criteria (CC, 1999) and a method using the set of security functions to assess the securability of components in distributed information systems. Work in progress focuses on system-wide evaluations.","PeriodicalId":141403,"journal":{"name":"Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004.","volume":"25 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2004-06-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"17","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IAW.2004.1437821","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 17
Abstract
A networked defense, and the networked information society, requires both trustworthy information systems and that users and societies trust these systems. Since the trustworthiness of systems depends on the level of IT security, the ability to assess the IT security ability is vital. Currently, there are no efficient methods for establishing the level of IT security in information systems. The main results described in this paper are: a set of security functions needed in systems, based on the security functional requirements of the Common Criteria (CC, 1999) and a method using the set of security functions to assess the securability of components in distributed information systems. Work in progress focuses on system-wide evaluations.