Publication details
- Part of: Computational Modeling and Sustainable Energy Proceedings of ICCMSE 2023 (Springer, 2025)
- Pages: 115–129
- Year: 2025

Information and communication technology (ICT) has brought about a profound transformation in numerous facets of contemporary society, spanning education, communication, healthcare, commerce, governance, and banking. However, it has resulted in a significant rise in cyber-attacks, often with disastrous consequences. Hence, it becomes imperative to guarantee the security of information and computing systems. Security assurance provides confidence by ensuring that the security features, practices, procedures, and architectural elements of software systems serve as effective mediators and enforcers of the security policy while also demonstrating resilience against security failures and attacks. In the past, several quantitative security assurance methods have been proposed. The majority of these methods rely on the security requirements and/or threat profiles to qualify the security level of the system based on an interview with the owner and development team. While conducting an interview, the quality of data we receive often depends on the interviewer’s ability, and interviewers sometimes face a dilemma when answering a question. A security testing team also faces the same challenges during testing and enumeration. In this paper, we have proposed a fuzzy-based security assurance approach to model the uncertainty generated by these factors in decision-making. This approach will be helpful in scenarios where security professionals and testing teams are uncertain about a statement or situation. The proposed method is implemented on a private cloud infrastructure based on OpenStack.