Thesis (Ph.D., Computer Science) -- University of Idaho, 2016 | All computer systems or systems of computers are composed of some combination of three basic components: hardware, firmware, and software. These systems are assessed to determine our confidence in their level of robustness, where robustness is the characterization of the strength of a security function, mechanism, service, or solution, and the assurance that it is implemented and functioning correctly. Most experienced assessors are aware that the level of robustness required for each system depends on dynamic factors such as operational environment, threat source interest, and mission criticality. This dissertation provides a methodology and mathematical models to assess systems.
The models, and the results they yield, provide an equal level of understanding for those who implement them and for those who interpret their results. The methodology provides an objective characterization of the system by providing the mechanisms to map the evidence of the assessment findings to mathematical models. It is very important to understand that the methodology presented in this paper is not meant to be a checklist or a formula to grade systems. Instead, it is meant to provide an objective characterization of the system.