Problem areas in computer security assessment

by S. Glaseman, Rein Turn, R. Stockton Gaines



An important problem area in providing security in computer systems is the avoidance of excessively costly and constraining security practices while providing an adequate level of security. In addition, there are problems in determining an appropriate level of investment in techniques and practices which enhance security and in the measurement of returns on those investments, i.e., to what degree is security improved by any given technique? The resolution of these problems depends on the development of a capability for identifying and evaluating the risks of storing and processing sensitive data in imperfectly secure computing environments. This paper provides background information on security assessment, surveys recent work and the present status of computer security assessment, and identifies the research needed to move this field forward.

This report is part of the RAND Corporation Paper series. The paper was a product of the RAND Corporation from 1948 to 2003 that captured speeches, memorials, and derivative research, usually prepared on authors' own time and meant to be the scholarly or scientific contribution of individual authors to their professional fields. Papers were less formal than reports and did not require rigorous peer review.
