
Metrics of Password Management Policy

  • Conference paper: Computational Science and Its Applications - ICCSA 2006 (ICCSA 2006)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 3982)


Abstract

Managing the computer security of an institution requires an evaluation phase, and the most common way to carry out this evaluation is to use a set of metrics. Since every information system needs an authentication mechanism, and password-based mechanisms are the most widely used, in this article we propose a set of metrics for password management policies based on the most significant factors of this authentication mechanism. Together with the metrics, we propose a quality indicator derived from them that gives a global view of the quality of the password management policy in use, and a complete worked example of calculating the proposed metrics. Finally, we indicate the future work to be performed to check the validity and usefulness of the proposed metrics.




Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Villarrubia, C., Fernández-Medina, E., Piattini, M. (2006). Metrics of Password Management Policy. In: Gavrilova, M., et al. Computational Science and Its Applications - ICCSA 2006. ICCSA 2006. Lecture Notes in Computer Science, vol 3982. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11751595_106


  • DOI: https://doi.org/10.1007/11751595_106

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-34075-1

  • Online ISBN: 978-3-540-34076-8

  • eBook Packages: Computer Science (R0)
