Howard R Chivers
Security Design Analysis
PhD thesis, University of York, 2006


Risk has always motivated security in general terms; both assurance and IT governance approaches to security begin with a focus on risk, but the connection between risk and technical security is soon lost. As a result it is usually impossible to quantify the value of security features, or give metrics for the value of a security design compared to alternatives.

This thesis describes the Security Design Analysis Framework (SeDAn), which relates a system design to its security environment (security goals, organisations, users, and attackers), allowing the connection between systematic risk and security requirements to be maintained and analysed. SeDAn innovations include: modelling the flexible relationships between organisations, assets and security goals in emerging networked systems; security requirements that constrain service behaviour; and the decomposition of systematic risk to sub-systems, allowing implementers to relate components of a system to their organisational and physical context.

The framework also provides quality metrics for complete protection strategies, including: the value of security requirements in terms of risk; the degree of trust, or assurance, required of system components; and the balance between security and functional liveness.

The effectiveness of SeDAn is demonstrated in practical tooling and a substantial industrial case study. The proof-of-concept tool is capable of managing security requirements and supporting the analysis of realistic systems. It is also able to exchange models with proprietary UML design tools, and hence integrate with standard engineering environments. The case study demonstrates the whole process of risk analysis and security design for a realistic industrial system, which includes a collaborative workflow between several companies (each with different assets and security concerns), distributed databases and queries, and specialised security goals.

In summary, this thesis demonstrates the feasibility of a new security analysis and design framework, which maintains the vital connection between the requirements for security controls and systematic risks.

Full thesis: PDF (2060K)