Risk Management and Information Assurance Decision Support

Department of Defense (DoD) information assurance (IA) certification and accreditation relies on a multi-tier risk framework where security assessment aligns with NIST information assurance control set. The human analyst faces multiple burdens, including resolving dependencies among IA controls, understanding how security requirements apply to a specific context, and integrating expertise from multiple technical areas. In this research, we will investigate new ways to leverage component-based architecture in reducing security threats. These new techniques integrate human security expert judgements with notions of composable security to identify interactions among security requirements that affect overall system assurance levels. The research is based on using the Multi-factor Quality Measurement (MQM) method to collect security ratings from multiple experts with documented expertise in specific technical areas. We will share results from collecting and analyzing data from security experts with an average of 10 years of experience. The results of this evaluation will improve DoD acquisition by providing reliable ways to express and evaluate cybersecurity mitigations that are commensurate with changing security risks. These evaluations will be semi- automated, focusing expert evaluations on relevant details in an IT scenario. In addition, the MQM framework can be extended and reused for security, privacy, and even outside of security for domain where composable requirements exist. This research will yield important public benefits to private sector companies who supply and consume the dual-purpose information technology (IT) used by the DoD and who are frequently subject to security threats from organized crime, foreign governments and stateless hackers. This work helps IT by providing companies new means for security risk assessment that collects multiple experts input in a feasible approach without the hassle of hiring more experts. The ratings provided by experts can support companies with their security risk assessment and related security decisions. The experts can also provide further suggestions through the tool which can help companies identify unforeseen dependencies and/or missing requirements.?Naval Postgraduate School Acquisition Research Progra