Quantifying Satisfaction of Security Requirements of Cloud Software Systems

The satisfaction of a software requirement is commonly stated as a Boolean value, that is, a security requirement is either satisfied (true) or not (false). However, a discrete Boolean value to measure the satisfaction level of a security requirement by deployed mechanisms is not very useful. Rather, it would be more effective if we could quantify the level of satisfaction of security requirements on a continuous scale. We propose an approach to achieve this for cloud software systems based on relationships between defense strength, exploitability of vulnerabilities, and attack severity. We extend the concept of entailment relationship from the field of requirements engineering with the satisfiability aspects of security requirements. The proposed approach enables us to systematically structure security concepts into three sets of related descriptions to quantify the satisfaction level of security requirements with the deployed security solutions. To demonstrate the feasibility of the proposed approach, we evaluate the approach in a case study. As a result, security administrators are able to deploy more effective and appropriate security solutions based on their assessment.