COMMAND: Certifiable Open Measurable Mandates
Adam Hastings, Ryan Piersma, Simha Sethumadhavan

TL;DR
This paper proposes open security mandates that require vendors to allocate resources to security without prescribing specific controls, offering flexibility while ensuring a minimum security level, and demonstrates their effectiveness and enforceability.
Contribution
It introduces the concept of open mandates, develops the COMMAND system to quantify security overheads, and validates the approach with high-accuracy predictions and cost analyses.
Findings
Mandating 10% of resources towards security reduces losses by 8%.
COMMAND predicts security overheads with less than 1% error.
End-user valuation of security-related performance loss informs cost assessments.
Abstract
Security mandates today are often in the form of checklists and are generally inflexible and slow to adapt to changing threats. This paper introduces an alternate approach called open mandates, which mandate that vendors must dedicate some amount of resources (e.g. system speed, energy, design cost, etc.) towards security but, unlike checklist security, do not prescribe specific controls that must be implemented. The goal of open mandates is to provide flexibility to vendors in implementing security controls that they see fit while requiring all vendors to commit to a certain level of security. In this paper, we first demonstrate the usefulness of open security mandates: for instance, we show that mandating 10% of resources towards security reduces defenders' losses by 8% and forestalls attackers by 10%. We then show how open mandates can be implemented in practice. Specifically, we…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Software Reliability and Analysis Research
