Enhanced Model for Security Audit Criteria Development
Kelo, Tomi (2026)
Tampere University
2026
Tieto- ja sähkötekniikan tohtoriohjelma - Doctoral Programme in Computing and Electrical Engineering
Informaatioteknologian ja viestinnän tiedekunta - Faculty of Information Technology and Communication Sciences
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Väitöspäivä
2026-05-21
Julkaisun pysyvä osoite on
https://urn.fi/URN:ISBN:978-952-03-4579-2
https://urn.fi/URN:ISBN:978-952-03-4579-2
Tiivistelmä
Modern digitalised societies are highly dependent on trustworthiness and availability of Communication and Information Systems (CIS). Cyberattacks have grown in importance to become a matter of national security. A growing number of states and organisations around the world have been developing defensive and offensive capabilities for cyber warfare. Security criteria support defensive capabilities, as they can be used in the design, implementation, maintenance and audit of critical CIS.
Multiple security criteria already exist and several new ones are being developed. Most of the criteria are or shall be under regular update process. Only considering the pace the technology is evolving, criteria updates are needed frequently, urging efficiency also to criteria development projects. Criteria development projects are, however, insufficiently supported by currently available research and guidance that primary focus on criteria selection. This may lead to inefficient criteria development work. In addition, the resulting criteria may not fully meet their goals.
This dissertation presents a novel approach for security criteria development. The approach is based on linking the currently available research and guidance on criteria selection with criteria development. This is achieved by transforming the characteristics desired for criteria selection into criteria design goals, and by providing implementation guidance on meeting the goals. The presented and validated model can be used as a tool to support criteria development, enhancing the efficiency of development processes. The model can also be used for reviewing existing criteria, highlighting issues to be addressed in criteria updates.
Case study research was used in the development and validation of the model. This dissertation is based on the author's work at the Finnish Communications Regulatory Authority (FICORA) and its successor, the Finnish Transport and Communications Agency (Traficom).
Multiple security criteria already exist and several new ones are being developed. Most of the criteria are or shall be under regular update process. Only considering the pace the technology is evolving, criteria updates are needed frequently, urging efficiency also to criteria development projects. Criteria development projects are, however, insufficiently supported by currently available research and guidance that primary focus on criteria selection. This may lead to inefficient criteria development work. In addition, the resulting criteria may not fully meet their goals.
This dissertation presents a novel approach for security criteria development. The approach is based on linking the currently available research and guidance on criteria selection with criteria development. This is achieved by transforming the characteristics desired for criteria selection into criteria design goals, and by providing implementation guidance on meeting the goals. The presented and validated model can be used as a tool to support criteria development, enhancing the efficiency of development processes. The model can also be used for reviewing existing criteria, highlighting issues to be addressed in criteria updates.
Case study research was used in the development and validation of the model. This dissertation is based on the author's work at the Finnish Communications Regulatory Authority (FICORA) and its successor, the Finnish Transport and Communications Agency (Traficom).
Kokoelmat
- Väitöskirjat [5295]