...change password: 43%
...the USB port is blocked: 42%
...not being able to select password: 41%
I certainly agree with the first one... it is annoying, because it is hard to remember all passwords at different places.
I used to write about intrusion detection and security issues, but from now on I will write about whatever computer-related topics I come up with.
While looking for work related to my research, I stumbled over this survey from the Australian government: A Survey of Techniques for Security Architecture Analysis. It's quite an interesting survey. It is only too bad that it is rather old, from 2003. However, it contains a lot of interesting material, and I have not found any other paper that covers as much work in this field in the same context. The abstract of the survey says (my layout and emphases):
This technical report is a survey of existing techniques which could potentially be used in the analysis of security architectures. The report has been structured to section the analysis process over three phases:
- the capture of a specific architecture in a suitable representation,
- discovering attacks on the captured architecture, and
- then assessing and comparing different security architectures.
Each technique presented in this report has been recognised as being potentially useful for one phase of the analysis. By presenting a set of potentially useful techniques, it is hoped that designers and decision-makers involved in the development and maintenance of security architectures will be able to develop a more complete, justified and usable methodology other than those currently being used to perform analyses.
Does anybody know of any other work that covers all three phases above?
Previously on this blog I have referred to an ongoing discussion on risk analysis with FAIR. Also related to this problem is this doctoral dissertation at Harvard University from 2004:
http://citeseer.ist.psu.edu/631841.html
In this dissertation the author suggests an economic model to measure the security of a software product. By deriving an upper and a lower bound for the price of finding a new vulnerability, he is able to set a value on a vulnerability, and a higher value means a more secure product.
My questions are: Has anybody implemented ideas similar to this? What do you think of such an approach?