Speaker: Professor Andy Ju An Wang
Department of Information Technology
Southern Polytechnic State University
Date & Time: 19 Jun 2008 (Thursday) 16:00 - 17:00
The importance of quantifying security attributes and mechanisms continues to grow as our society and infrastructures become more and more dependent on information security. Without well-defined security metrics, we cannot measure the success or failure of security policies, control mechanisms, or implementations, and thus we cannot improve them effectively. Metrics also help identify system vulnerabilities, provide guidance in prioritizing corrective actions, and raise the level of security awareness within an organization. Common security metrics are often qualitative, subjective, without a formal model, or too naive to be applied in the real world. This presentation will discuss the criteria for good security metrics, common metric properties, and how to establish quantitative and objective information security metrics. Since many security issues are rooted in software defects, software vulnerabilities jeopardize infrastructure operations, business operations and services, and consumer trust. This talk will focus on quantitative approaches to measuring software vulnerabilities. An introduction to and commentary on the recently released CVSS 2.0 (Common Vulnerability Scoring System) will be given, followed by further insights on security metrics and their applications in security automation and standardization. A prototype of an automated tool for measuring software vulnerabilities will be demonstrated.
Andy Ju An Wang is a Professor of Information Technology in the School of Computing and Software Engineering, Southern Polytechnic State University. His research interests center on information security and component-based software development. He obtained his BS, MS, and Ph.D., all in computer science, and has been teaching at various universities since 1982. In addition to being a widely published author of books and papers, he has served as CTO and founder of, and as a consultant for, many IT companies. As Department Chair, Dr. Wang established the information security curriculum and the Graduate Certificate Program in Information Security and Assurance, and serves as the founding director of the Center of Information Security Education (CISE) at SPSU. Dr. Wang has broad interests in information systems security, information security models and metrics, component-oriented programming, embedded software engineering, and computer science education.