Experience With the Systems Security Engineering Capability Maturity Model

Hefner, Rick; Monroe, Warren; Hsiao, David W.

doi:10.1002/j.2334-5837.1996.tb02124.x

Cited by 4 publications

(5 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This support is captured in a set of Common Features and Generic Practices for each level. Further details are in (SSE-CMM Project, 1996) and (Hefner, et al, 1996). An assessment against this model involves determining the appropriate capability level for each Process Area, forming a spectrum of capability across the domain.…”

Section: Figure 2 Domain Aspectmentioning

confidence: 99%

See 1 more Smart Citation

Pilot Results Applying the System Security Engineering CMM

Hefner¹

1997

INCOSE International Symp

Self Cite

View full text Add to dashboard Cite

The Systems Security Engineering Capability Maturity Model (SSE-CMM) describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering. The model also highlights the relationship between security engineering and systems engineering. This paper summarizes pilot appraisals conducted at four security contractors during 1996. The results indicate the model and appraisal method are fundamentally sound. In 1997, the project will promote use of the model by acquisition agencies to evaluate potential system security vendors.

show abstract

Section: Figure 2 Domain Aspectmentioning

confidence: 99%

“…This support is captured in a set of Common Features and Generic Practices for each level. Further details are in (SSE-CMM Project, 1996) and (Hefner, et al, 1996).…”

Section: Figure 2 Domain Aspectmentioning

confidence: 99%

Pilot Results Applying the System Security Engineering CMM

Hefner¹

1997

INCOSE International Symp

Self Cite

View full text Add to dashboard Cite

show abstract

“…Environmental, typical lifecycle-associated failure or human-induced (accidental or malicious) system degradation may be sources of adverse conditions. 2 While cybersecurity is widely understood in the Information Technology (IT) context, it is less understood in the control system context. For example, the malicious actor group that launched the ransomware attack on the Colonial Pipeline business system claimed the goal was monetary rather than creating problems in the physical systems.…”

Section: Introductionmentioning

confidence: 99%

A model for measuring multi‐concern assurance of critical infrastructure control systems

Scalco¹,

Simske

2023

Systems Engineering

View full text Add to dashboard Cite

Digital transformation of engineering practice, paradigms, processes, and workforce engender agreement uncertainty among professionals, particularly in the critical industry control system field. Control systems are susceptible to cyber‐mediated changes that can uniquely affect the control of the physical world from data‐centric information systems. Change to the system can be introduced by any proposed or forced alteration that affects the acceptability, suitability, feasibility, or resiliency to perform its intended mission, either positively or negatively. The potential impact of the cybersecurity threat on control systems is difficult to quantify. Agreement among professionals about decision authority and Command and Control (C2) over this threat is even more challenging to quantify. Understanding what cybersecurity entails still needs to be widely understood by the critical infrastructure control system workforce, and the control system assets are not widely understood by the Information Technology (IT) workforce. This research introduces a model and methodology for measuring multi‐concern assurance through the statistical uncertainty analysis of Likert semantic differential scales. The model addresses agreement in priority, the lack of which means there might be competing aims, competing spending, and competing focus on different aspects of the cybersecurity governance or policy as examples. The outcome identifies where different types of professionals do not agree about cybersecurity readiness and best practices for critical infrastructure control systems.

show abstract

“…Finally, Section 5 presents the conclusions and suggestions for future study. Research on the selection/evaluation of security tools and related issues are considerably few ( [5], [11], [15], [16]). Polk and Bassham [17] introduced a guide with criteria for judging the functionality, practicality, and convenience of anti-virus tools.…”

Section: ⅰ Introductionmentioning

confidence: 99%

“…Moreover, the objective of these evaluation schemes is often to produce an official certification for each specific security tool, making it difficult to evaluate and select among those which have similar levels of certification [7]. Others based on two aspects which are annual loss expected (ALE) and return on security investment (ROSI) to evaluate information security system ( [11], [15]). Recently, there is a new approach which uses security criteria and experts' estimations as the input data.…”

Section: ⅰ Introductionmentioning

confidence: 99%

An integrated framework of security tool selection using fuzzy regression and physical programming

)¹,

최용선²,

김상균³

et al. 2010

Journal of the Korea Society of Computer and Information

View full text Add to dashboard Cite

Faced with an increase of malicious threats from the Internet as well as local area networks, many companies are considering deploying a security system. To help a decision maker select a suitable security tool, this paper proposed a three-step integrated framework using linear fuzzy regression (LFR) and physical programming (PP). First, based on the experts' estimations on security criteria, analytic hierarchy process (AHP) and quality function deployment (QFD) are employed to specify an intermediate score for each criterion and the relationship among these criteria. Next, evaluation value of each criterion is computed by using LFR. Finally, a goal programming (GP) method is customized to obtain the most appropriate security tool for an organization, considering a tradeoff among the multi-objectives associated with quality, credibility and costs, utilizing the relative weights calculated by the physical programming weights (PPW) algorithm. A numerical example provided illustrates the advantages and contributions of this approach. Proposed approach is anticipated to help a decision maker select a suitable security tool by taking advantage of experts' experience, with noises eliminated, as well as the accuracy of mathematical optimization methods.

show abstract

Experience With the Systems Security Engineering Capability Maturity Model

Cited by 4 publications

References 2 publications

Pilot Results Applying the System Security Engineering CMM

Pilot Results Applying the System Security Engineering CMM

A model for measuring multi‐concern assurance of critical infrastructure control systems

An integrated framework of security tool selection using fuzzy regression and physical programming

Contact Info

Product

Resources

About