TY - JOUR ID - 41785 TI - Quantitative evaluation of software security: an approach based on UML/SecAM and evidence theory JO - The ISC International Journal of Information Security JA - ISECURE LA - en SN - 2008-2045 AU - Sedaghatbaf, A. AU - Abdollahi Azgomi, M. AD - School of Computer Engineering, Iran University of Science and Technology, Tehran, Iran Y1 - 2016 PY - 2016 VL - 8 IS - 2 SP - 141 EP - 153 KW - Software architecture KW - Security Evaluation KW - Uncertainty Quantification KW - Evidence Theory DO - 10.22042/isecure.2016.8.2.5 N2 - Quantitative and model-based prediction of security in the architecture design stage facilitates early detection of design faults hence reducing modification costs in subsequent stages of software life cycle. However, an important question arises with respect to the accuracy of input parameters. In practice, security parameters can rarely be estimated accurately due to the lack of sufficient knowledge. This inaccuracy is ignored in most of the existing evaluation methods. The aim of this paper is to explicitly consider parameter uncertainty in the software security evaluation process. In particular, we use the Dempster-Shafer theory of evidence to formulate the uncertainties in input parameters and determine their effects on output measures. In the proposed method, security attacks are expressed using UML diagrams (i.e., misuse case and mal-activity diagrams) and security parameters are specified using the SecAM profile. UML/SecAM models are then transformed into attack trees, which allow quantifying the probability of security breaches. The applicability of the method is validated by a case study on an online marketing system. UR - https://www.isecure-journal.com/article_41785.html L1 - https://www.isecure-journal.com/article_41785_9252fa03f3ddb3eb5211906fd97cc164.pdf ER -