Technical Reports

HPL-2006-50R1

Click here for full text: PDF

Predictive Modelling for Meaningful Security SLAs

Mike Yearworth, Brian Monahan, David Pym
HP Laboratories

HPL-2006-50R1

Keyword(s): service level agreements, demos2k, simulation, analtics, security, mathematical models

Abstract: A meaningful Service Level Agreement (SLA) is defined as a contractual agreement between a service provider and customer that is valuable, measurable, predictable, understandable, and affordable. In a previous paper we discuss the development of the concept of a meaningful security SLA; that is an SLA focussed on the security properties of an information system arising from the interrelation of the infrastructure, processes and security operations staff. In this paper, we focus specifically on the development of a security operations model suitable for predicting performance against possible security SLAs. Although consequential financial losses can arise from lack of availability, confidentiality and integrity of an information system we specifically focus on a model that addresses lack of availability; that is, sources of downtime arising from security vulnerabilities and misalignment. We have introduced misalignment as a catch-all term to describe all change management tasks arising from staff not being able to complete tasks, leading to downtime and consequential financial losses, arising from access control problems; the information system infrastructure is available but is inaccessible due to mis-configuration. Whilst security vulnerabilities are the usual motivation driving security costs, the impact of misalignment is important in understanding the overall cost of security operations.

23 Pages

External Posting Date: October 10, 2008 [Fulltext]. Approved for External Publication
Internal Posting Date: October 10, 2008 [Fulltext]

Back to Index