A Framework for Reasoning about Assurance
Authors
Abstract
Informed decisions about security depend upon a complex set of factors related to both assurance and risk. In this paper we argue for a new definition of assurance, specifically describing its relationship to measurements of risk or security. The following definition expands the traditional definition of assurance to include a broad range of evidence, while narrowing the scope to a specific type of confidence. Assurance is a measure of confidence in the accuracy of a risk or security measurement. This paper offers a way to build upon risk and security measurement methodologies and to employ them in such a way as to yield a rough measure of assurance. We do not advocate a particular method for measuring risk or security, but assume that such methodologies and tools are available. Consider the decision maker who must decide whether to accept a risk or make an investment to mitigate the problem. He may use a risk assessment tool to help quantify the risk, but he may have very little confidence that the numbers are accurate. In essence, he is not sure whether the risk is acceptable or not. Assurance is a major factor in security decisions. The decision maker has two options for handling such situations. If his confidence in the risk measurement is high, he can attempt to reduce risk by adding security mechanisms. If his confidence is low, however, adding another mechanism may not help. In fact, adding a new mechanism may even increase uncertainty in the risk measurement. In this case, the decision maker needs to improve assurance by obtaining better information about the severity of the risk. If the decision maker then decides to reduce this uncertainty, we offer a structure for assurance arguments as a logical way to communicate the information used in making security decisions. An assurance argument starts with claims about risks and then packages all the evidence and supporting arguments into a logical hierarchical structure. 
The goal is that these arguments will be capable of reuse in a wide variety of applications, easing the burden of security evaluations. Assurance arguments are a powerful tool to reduce the uncertainty in risk or security assessments. Although this paper does not provide a means by which one can determine assurance need in the sense of some quantitative or even qualitative statement, it does provide a way of deciding whether or not the assurance one has is sufficient, …
Similar resources
An enterprise assurance framework
This paper explores generating and conveying confidence in enterprise security. An enterprise assurance framework provides a structure for enterprise assurance evidence that strengthens and clarifies the overall enterprise assurance argument. The structure and components of these arguments are defined and then applied to an enterprise. Finally, standards of evidence and evidence trade-offs are ment...
High Assurance Software Development
The purpose of this paper is to describe how to make software assurance a part of a science of security. Software assurance as practiced is a grab-bag of techniques, heuristics, and lessons learned from earlier failures. Given the importance of software to critical infrastructures (electricity, banking, medicine), this is an untenable situation; the smooth functioning of our society depends on thi...
An Integrated Framework for Multi-layer Certification-based Assurance
Complexity, dynamism and overlays in networks and systems are some of the main challenges we face nowadays when reasoning on systems’ assurance and behavior. Security certification has shown to be a solid foundation to provide assurance and trust about system properties. This paper presents a certification framework for composite, layered and evolving systems, such as cloud systems or cyber phy...
PROPERTY ANALYSIS OF TRIPLE IMPLICATION METHOD FOR APPROXIMATE REASONING ON ATANASSOV'S INTUITIONISTIC FUZZY SETS
Firstly, two kinds of natural distances between intuitionistic fuzzy sets are generated by the classical natural distance between fuzzy sets under a unified framework of residual intuitionistic implication operators. Secondly, the continuity and approximation property of a method for solving intuitionistic fuzzy reasoning are defined. It is proved that the triple implication method for intuitio...
Normativeness, Relevance, and Temporality in Specifying and Reasoning about Information Security and Assurance: Can We have a Formal Logic System as a Unified Logical Basis?
This position paper points out the ‘NRT problem’ in specifying and reasoning about information security and assurance: Although it is necessary to deal with normative, relevance, and temporal notions explicitly and soundly in specifying and reasoning about information security and assurance, until now there is no formal logic system that can be used as a unified logical basis for the purpose. Theref...
A Device and Service Description Framework for Discovering and Reasoning in Autonomous P2P Environment
In this paper, we present a new service and device description framework in an autonomous P2P environment. In a couple of years, many ubiquitous oriented devices are coming into our life, which create peer-to-peer (P2P) networks and work autonomously. When we do something inside such an environment, we should discover the devices, and reason which one is most suitable for our objectives. We propose a ne...