14th Annual Computer Security Applications Conference
December 7-11, 1998
Phoenix, Arizona


A Practical Approach to Measuring Assurance

George F. Jelen, G-J Consulting; and Jeffrey R. Williams, Arca Systems, Inc.

Assurance has been defined as “the degree of confidence that security needs are satisfied.” The problem with this definition is that, unless one has a way to specify security needs in some measurable way, assurance can not be expressed in a measurable way either. The definition leaves the practitioner with the challenge of determining what “security needs” are, whether or not they have been “satisfied,” and how to determine “confidence.” In this paper, assurance is defined as “a measure of confidence in the accuracy of a risk or security measurement.” A critical feature of the view of assurance presented here is that it is orthogonal to the measurement of risk and security. High assurance ratings have traditionally been associated with high security and low risk. The paper's definition permits high assurance to be associated with low security and high risk as well. It also provides a way of deciding whether or not the assurance one has is sufficient.