{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2022,6,2]],"date-time":"2022-06-02T04:40:25Z","timestamp":1654144825080},"reference-count":30,"publisher":"IGI Global","issue":"2","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2010,4,1]]},"abstract":"<p>Benchmarking security is hard and, although there are many proposals of security metrics in the literature, no consensual quantitative security metric has been previously proposed. A key difficulty is that security is usually more influenced by what is unknown about a system than by what is known. In this paper, the authors propose the use of an untrustworthiness metric for benchmarking security. This metric, based on the idea of quantifying and exposing the trustworthiness relationship between a system and its owner, represents a powerful alternative to traditional security metrics. As an example, the authors propose a benchmark for Database Management Systems (DBMS) that can be easily used to assess and compare alternative database configurations based on minimum untrustworthiness, which is a low-cost and high-reward trust-based metric. The practical application of the benchmark in four real large database installations shows that untrustworthiness is a powerful metric for administrators to make informed security decisions by taking into account the specific needs and characteristics of the environment being managed.<\/p>","DOI":"10.4018\/jdtis.2010040102","type":"journal-article","created":{"date-parts":[[2011,2,15]],"date-time":"2011-02-15T20:15:02Z","timestamp":1297800902000},"page":"32-54","source":"Crossref","is-referenced-by-count":2,"title":["Benchmarking Untrustworthiness"],"prefix":"10.4018","volume":"1","author":[{"given":"Afonso Ara\u00fajo","family":"Neto","sequence":"first","affiliation":[{"name":"University of Coimbra, Portugal"}]},{"given":"Marco","family":"Vieira","sequence":"additional","affiliation":[{"name":"University of Coimbra, Portugal"}]}],"member":"2432","reference":[{"key":"jdtis.2010040102-0","doi-asserted-by":"crossref","unstructured":"Ara\u00fajo Neto, A., & Vieira, M. (2008). Towards Assessing the Security of DBMS Configurations. In Proceedings of the Intl Conf. Depend. Systems and Networks (DSN 2008), USA.","DOI":"10.1109\/DSN.2008.4630074"},{"key":"jdtis.2010040102-1","doi-asserted-by":"crossref","unstructured":"Ara\u00fajo Neto, A., Vieira, M., & Madeira, H. (2009). An Appraisal to Assess the Security of Database Configurations. In Proceedings of the 2nd Intl Conference on Dependability, DEPEND 2009, Greece.","DOI":"10.1109\/DEPEND.2009.17"},{"issue":"7","key":"jdtis.2010040102-2","article-title":"Database security: Research and practice.","volume":"20","author":"E.Bertino","year":"1995","journal-title":"Information Systems Journal"},{"key":"jdtis.2010040102-3","doi-asserted-by":"crossref","unstructured":"Bishop, M., & Gates, C. (2008). Defining the Insider Threat. In Proceedings of the Cyber Security and Information Intelligence Research Workshop, Oak Ridge, TN.","DOI":"10.1145\/1413140.1413158"},{"key":"jdtis.2010040102-4","author":"S.Castano","year":"1994","journal-title":"Database Security"},{"key":"jdtis.2010040102-5","unstructured":"Center for Internet Security. (2008). CIS Benchmarks\/Scoring tools. Retrieved August 24, 2010, from http:\/\/www.cisecurity.org"},{"key":"jdtis.2010040102-6","year":"1993","journal-title":"Information Technology Security Eval. Manual (ITSEM)"},{"key":"jdtis.2010040102-7","year":"1998","journal-title":"Commercial Database Management System Protection Profile (C.DBMS PP) (No. 1)"},{"key":"jdtis.2010040102-8","year":"1999","journal-title":"Common Criteria for Information Technology Security Evaluation: User Guide"},{"key":"jdtis.2010040102-9","year":"2000","journal-title":"Database Management System Protection Profile (DBMS PP) (No. 2.1)"},{"key":"jdtis.2010040102-10","first-page":"R1","article-title":"Database - Security Tech.","volume":"8","year":"2001","journal-title":"Implem. Guide"},{"key":"jdtis.2010040102-11","year":"1985","journal-title":"Trusted Computer System Evaluation Criteria"},{"key":"jdtis.2010040102-12","doi-asserted-by":"crossref","unstructured":"Fonseca, J., & Vieira, M. (2008). Mapping Software Faults with Web Security Vulnerabilities. In Proceedings of the IEEE\/IFIP International Conf. on Dependable Systems and Networks.","DOI":"10.1109\/DSN.2008.4630094"},{"key":"jdtis.2010040102-13","unstructured":"Howard, M., & LeBlanc, D. (2002). Writing Secure Code (2nd ed.). Microsoft press."},{"key":"jdtis.2010040102-14","unstructured":"INFOSEC Research Council. (2005). Hard Problem List. Retrieved March 2009, from http:\/\/www.cyber.st.dhs.gov\/docs\/IRC_Hard_Problem_List.pdf"},{"key":"jdtis.2010040102-15","unstructured":"Jansen, W. (2009). Directions in Security Metrics Research (NISTIR 7564). Retrieved March 2009, from http:\/\/csrc.nist.gov\/publications\/drafts\/nistir-7564\/Draft-NISTIR-7564.pdf"},{"key":"jdtis.2010040102-16","doi-asserted-by":"crossref","unstructured":"Jelen, G., & Williams, J. (1998). A Practical Approach to Measuring Assurance. In Proceedings of the 14th Annual Computer Security Applications Conference, Phoenix.","DOI":"10.1109\/CSAC.1998.738653"},{"key":"jdtis.2010040102-17","doi-asserted-by":"crossref","unstructured":"Mendes, N., Ara\u00fajo Neto, A., Dur\u00e3es, J., Vieira, M., & Madeira, H. (2008). Assessing and Comparing Security of Web Servers. In Proceedings of the 14th Pacific Rim International Symposium on Dependable Computing (PRDC'08), Taiwan.","DOI":"10.1109\/PRDC.2008.45"},{"key":"jdtis.2010040102-18","unstructured":"Open Web Application Security Project (OWASP). (2007). OWASP top 10. Retrieved August 2010, from http:\/\/www.owasp.org\/index.php\/Top_10_2007"},{"key":"jdtis.2010040102-19","author":"S. C.Payne","year":"2006","journal-title":"A Guide to Security Metrics"},{"key":"jdtis.2010040102-20","doi-asserted-by":"publisher","DOI":"10.1145\/130868.130884"},{"key":"jdtis.2010040102-21","unstructured":"Sandia National Laboratories. (2010). The Information Design Assurance Red Team. Retrieved August 2010, from http:\/\/idart.sandia.gov"},{"key":"jdtis.2010040102-22","author":"R.Schell","year":"1987","journal-title":"Views for multilevel database security"},{"key":"jdtis.2010040102-23","unstructured":"Shoulman, A. (2009). Top Ten Database Security Threats. Retrieved August 2010, from http:\/\/www.imperva.com\/go\/wp10\/"},{"key":"jdtis.2010040102-24","unstructured":"Torgerson, M. (2007). Security Metrics for Communication Systems. In Proceedings of the 12th International Command and Control Research and Technology Symposium, Newport, RI."},{"key":"jdtis.2010040102-25","unstructured":"Transaction Processing Performance Council. (2010). Retrieved August 2010, from http:\/\/www.tpc.org"},{"key":"jdtis.2010040102-26","doi-asserted-by":"crossref","unstructured":"Vieira, M., & Madeira, H. (2003). A Dependability Benchmark for OLTP Application Environments. In Proceedings of the 29th International Conference on Very Large Data Bases (VLDB2003), Berlin.","DOI":"10.1016\/B978-012722442-8\/50071-9"},{"key":"jdtis.2010040102-27","doi-asserted-by":"crossref","unstructured":"Vieira, M., & Madeira, H. (2005). Towards a Security Benchmark for Database Management Systems. In Proceedings of the Intl Conf. on Dependable Systems and Networks, Yokohama, Japan.","DOI":"10.1109\/DSN.2005.93"},{"key":"jdtis.2010040102-28","author":"S.Zanero","year":"2005","journal-title":"Automatic Detection of Web Application Security Flaws"},{"key":"jdtis.2010040102-29","doi-asserted-by":"publisher","DOI":"10.1201\/NOE0849324796"}],"container-title":["International Journal of Dependable and Trustworthy Information Systems"],"original-title":[],"language":"ng","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=46937","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T18:17:53Z","timestamp":1654107473000},"score":1,"resource":{"primary":{"URL":"https:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/jdtis.2010040102"}},"subtitle":["An Alternative to Security Measurement"],"short-title":[],"issued":{"date-parts":[[2010,4,1]]},"references-count":30,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2010,4]]}},"URL":"https:\/\/doi.org\/10.4018\/jdtis.2010040102","relation":{},"ISSN":["1947-9050","1947-9069"],"issn-type":[{"value":"1947-9050","type":"print"},{"value":"1947-9069","type":"electronic"}],"subject":[],"published":{"date-parts":[[2010,4,1]]}}}