http://dx.doi.org/10.13089/JKIISC.2007.17.4.61

Estimation of relative evaluation effort ratios for each EALs in CC 2.3 and CC 3.1  

Kou, Kab-Seung (Hannam University)
Kim, Young-Soo (Hannam University)
Lee, Gang-Soo (Hannam University)
Abstract
In the Common Criteria evaluation scheme, the sponsor and the evaluator must estimate the cost and duration of an IT security system evaluation when contracting the evaluation project. In this paper, we analyze the results of studies carried out in 2003 and 2005 and reuse part of those results. We empirically estimate the relative evaluation effort ratios among the evaluation assurance levels (EAL1 through EAL7) in CC v2.3 and CC v3.1. We also estimate the ratios from the 'developer action elements', the adjusted 'content and presentation of evidence elements', and the 'evaluator action elements' of each assurance component. In particular, we use the ratio of the amount of effort for each 'evaluator action element', which was obtained from real evaluators at KISA in 2003. Our results will be useful for TOE sponsors as well as evaluation project managers who must estimate the evaluation cost and duration for a specific EAL and type of TOE in the new CC v3.1-based evaluation scheme.
Keywords
CC (Common Criteria)