At a minimum, security evaluation criteria provide a standard language for expressing security characteristics and establish an objective basis for evaluating a product relative to these characteristics. Thus one can critique such criteria based on how well security characteristics can be expressed and evaluated relative to the criteria. Security evaluation criteria also serve as frameworks for users (purchasers) and for vendors. Users employ criteria in the selection and acquisition of computer and network products, for example, by relying on independent evaluations to validate vendor claims for security and by using ratings as a basis for concisely expressing computer and network security requirements. Vendors rely on criteria for guidance in the development of products and use evaluations as a means of product differentiation. Thus it is also possible to critique security evaluation criteria based on their utility to users and vendors in support of these goals.

These goals of security evaluation criteria are not thoroughly complementary. Each of the national criteria sets in use (or proposed) today reflects somewhat different goals and the trade-offs made by the criteria developers relative to these goals. A separate issue with regard to evaluating system security is how applicable criteria of the sort noted above are to complete systems, as opposed to individual computer or network products. This question is addressed below in "System Certification vs. Product Evaluation." Before discussing in more detail the goals for product criteria, it is useful to examine the nature of the security characteristics addressed in evaluation criteria.

Security Characteristics

Most evaluation criteria reflect two potentially independent aspects of security: functionality and assurance. Security functionality refers to the facilities by which security services are provided to users. These facilities may include, for example, various types of access control mechanisms that allow users to constrain access to data, or authentication mechanisms that verify a user's claimed identity. Usually it is easy to understand differences in security functionality, because they are manifested by mechanisms with which the user interacts (perhaps indirectly). Systems differ in the number, type, and combination of security mechanisms available.

In contrast, security assurance often is not represented by any user-visible mechanisms and so can be difficult to evaluate. A product rating intended to describe security assurance expresses an evaluator's

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement