Data Collection for Security Fault Forecasting - Pilot Experiment

Journal article, 1993

In most contexts, it is not feasible to guarantee that a system is 100% secure. Measures and predictions of operational security of computer systems are therefore obviously of interest to any owner of a system which is a candidate for potential intruders. Such measures would allow assessment of current and future expected loss to thesystem owner due to security breaches in a given attacking environment and a given level of protection. In [Littlewood, Brocklehurst et al. 1991] a probabilistic approach to modelling operational security, analogous to that used in reliability, is suggested. It is clear that empirical data would be useful in deriving a plausible probabilistic approach to security modelling. Such data can be acquired experimentally, by allowing a group of selected people to perform security attacks on a given computer system in a controlled way. The attack process can then be monitored and relevant data recorded. This document describes such an experiment. As far as we are aware, this is the first attempt to conduct such an experiment, and our intention was more to explore general feasibility than to collect data that provides significant information for modelling. This pilot experiment did indeed give some valuable information on how future full-scale experiments of this kind should be performed and the results and recommendations for improvements to the experimental set-up are discussed here.