Trust and Assumptions
•Underlie all aspects of security
•Policies
–Unambiguously partition system states
–Correctly capture security requirements
•Mechanisms
–Assumed to enforce policy
–Support mechanisms work correctly
Assurance
•Specification
–Requirements analysis
–Statement of desired functionality
•Design
–How system will meet specification
•Implementation
–Programs/systems that carry out design
Operational Issues
•Cost-Benefit Analysis
–Is it cheaper to prevent or recover?
•Risk Analysis
–Should we protect something?
–How much should we protect this thing?
•Laws and Customs
–Are desired security measures illegal?
–Will people do them?
Human Issues
•Organizational Problems
–Power and responsibility
–Financial benefits
•People problems
–Outsiders and insiders
–Social engineering