- Ghazy Mahjub
- gmahjub@hotmail.com
- www.students.depaul.edu/~gmahjub
- DePaul University

- SE MS Thesis (SE690 & SE698), supervised by Dr. Jane Huang

- Phase 1:
- Background Survey: COMPLETE
- Defining Research Scope: COMPLETE
- Formulation of Process Model: COMPLETE

- Phase 2:
- Collection of Data: COMPLETE
- Complete Code to Automate Intermediate Calculations: January 15th
- Process Model Testing with Data: Feburary 1st
- Intermediate Presentation Deliverable: Feburary 15th

- Phase 3:
- Complete Additional Model Testing: March 15th
- Thesis Deliverable: April 1st

#### Project Description

The goal of this research is to attempt to attack the problem in industry of justifying investments in software security infrastructure. The question that is posed is exactly how much money should be spent on software security and is there a way to quantify this value that makes sense to those in management and decision making roles. Although this problem has existed for decades and solutions have been previously posed to the question, none have tackeled the problem with the mathematical rigor that is required in order to come up with statiscally valid numbers of return on software security investments. The goal is to provide a process model that would allow institutions to proactively estimate loss and required software security investment to offset loss so that such individuals have more to work with than the often heavily biased words of security consultants who want nothing more than to load up your system with more security than may be needed. Such a policy often leads to loss due to decreased productivity. This research places software security as an issue of software quality, arguing that a quality system which places emphasis on quality of security rather than quantity of security provides the best and most rewarding investment. The Robust Design Method developed in this research is a spin off of the Taguchi Method, a method for the justification of quality engineering investments, combines statistical mathematics with old-fashioned analytics to allow users to set up an environment where several combinations or proposed security solutions to be tested. Using Orthogonal Arrays, exhaustive testing is not required, since the total number of combinations could potentially exceed a million. With estimates of safeguard efficacy in hand and cost of safeguard assets and implementation, these numbers are run through a series of calculations which eventually yield a confidence interval for the results and an actual ROI number for each proposed solution. The Robust Design Method also allows users to account for Interaction Effects, where two or more factors potentially interact. For example, an Intrusion Detection System and a Firewall, although could be considered separate factors/safeguards, interact heavily in a security system to stop breach and stop potential intrusions. Therefore, Interaction Effects must be accounted for in order to acheive an accurate ROI number for a potential security solution. The goal is to acheive a small confidence interval, in order to acheive maximum confidence in the results. A concept which is currently being research is integration of the Taguchi Loss Function. Such a function essentially says that there will always be loss, no matter how perfect the system is engineered. It is a parabolic function where the maxium depth of the parabola is the point of least deviation from a target value for a factor. How this function would apply to this research a current sticky point which may or may not be resolved.#### Documents

#### References

- Gamma et al,
*Design Patterns*, Addison-Wesley, 1995. - ...