Skip to Main content Skip to Navigation

Évaluation quantitative de la sécurité des systèmes d’information

Rodolphe Ortalo 1
1 LAAS-TSF - Équipe Tolérance aux fautes et Sûreté de Fonctionnement informatique
LAAS - Laboratoire d'analyse et d'architecture des systèmes
Abstract : This dissertation presents a general method for the specification and quantitative evaluation of information systems security. This method allows to monitor the evolutions of an information system in operation, as well as to compare the impact on security of possible modifications of the functioning. It relies on a formal specification of the system security policy, augmented by a model of the vulnerabilities observed in the real system in operation. Then, a security measure represents the difficulty for an attacker to exploit the vulnerabilities and defeat the objectives defined in the security policy. Information systems security policy specification necessitates the definition of a rigorous and expressive framework. Furthermore, the language should be general enough to be usable in the context of an organization. The method defined and used in this work is based on an extension of deontic logic, enriched with a graphical representation. Vulnerabilities of the information system are described by a model called a privilege graph. These vulnerabilities, probed in the system, may have various origins, such as incorrect operation of the protection mechanisms of a computer system, or delegation of privileges in an organization. The assessment of a weight to these individual vulnerabilities allows the definition of highly relevant and global quantitative measures of security. Two practical examples are presented to illustrate the methodology: the study of a medium-size bank agency; and the observation of the security evolutions of a large computer system in operation.
Document type :
Complete list of metadata

Cited literature [55 references]  Display  Hide  Download
Contributor : Yves Crouzet <>
Submitted on : Monday, February 16, 2015 - 6:51:50 PM
Last modification on : Thursday, June 10, 2021 - 3:02:53 AM


  • HAL Id : tel-01115455, version 1


Rodolphe Ortalo. Évaluation quantitative de la sécurité des systèmes d’information. Cryptographie et sécurité [cs.CR]. INP DE TOULOUSE, 1998. Français. ⟨tel-01115455⟩



Record views


Files downloads