Model Based Security Policy Assessment for E-Business Environment

The key to profitability for e-business is ensuring data integrity, service availability, and user information confidentiality along the entire e-services chain. Both staffs and IT system components need to compare secure policy with performance in an e-business environment. Currently, most efforts set focus on e-business process analysis and value-chain analysis, little attention is put on the secure policy compliance assessment. This paper presens a model based security policy assessment approach that integrates fault tree analysis technology and top-down architecture driven system analysis method. The assessment process includes security attribute scenarios generation, e-business security model construction, fault tree based threat model construction, and security policy evaluation. It can be used to analyze the security policy for the e-business environment from two different perspectives: 1) Compliance analysis between security policy and e-business security model, intended to elicit all possible discrepancies; 2) Adequacy analysis of security policy for identified threats, aiming at verifying and demonstrating whether the security policy are appropriate for the emerging secure risks.