Reading Room

Security Modeling

Featuring 14 Papers as of February 10, 2014

  • Using the Department of Defense Architecture Framework to Develop Security Requirements James E. A. Richards - February 10, 2014

    Integrated architectures embody the discernable parts of a system and their relationships with each other in a single, normalized data repository.

  • Predicting Control Attributes With Bayesian Networks (Masters) Dan Lyon - December 4, 2013

    Attack trees have been used as a mechanism to formalize security analysis of a system for over a decade (Amoroso, 1994; Schneier, 1999), and have gone through various adaptations including Defense Trees, Attack Response Trees and Attack Countermeasure Trees.

  • Mitigating Browser Based Exploits through Behavior Based Defenses and Hardware Virtualization (Masters) Joseph Faust - October 7, 2011

    There does not seem to be a day or week that goes by that one does not encounter a headline story about an organization being compromised and infiltrated by attackers.

  • Measuring Psychological Variables of Control In Information Security Josh More - January 12, 2011

    Perceived Control is a core construct used in the psychology field that can be considered an aspect of empowerment (Eklund, & Backstrom, 2006). Effectively, it is a measure of how much control people feel that they have, as opposed to the amount of Actual Control that they may have. It is often paired against constructs such as Vicarious Control and Vicarious Perceived Control, which measure the amount of control that outside entities have over the subject. Often, these are variables measured in the psychology/health field. For example, in the world of medicine, when patients report a lack of perceived control over controllable illnesses such as diabetes (Helgeson, & Franzen, 1997), breast cancer (Helgeson, 1992) and heart disease (Helgeson, 1992), they often do more poorly than patients who feel that they have a greater sense of control over their illness. There is also evidence that students with high perceived control do substantially better academically than those with low, though this seems to also link with emotions surrounding the tasks at hand (Ruthig, Perry, Hladkyj, Hall, & Pekrun, 2008). In short, people who are interested in and excited by what they are doing tend to perform better.

  • Network Security Model Josh Backfield - July 3, 2008

    A well-structured NSM will give the security community a way to study, implement, and maintain network security that can be applied to any network. In study, it can be used as a tool to break down network security into seven simple layers with a logical process. Traditional books have always presented network security in an unorganized fashion where some books cover issues that other books may completely neglect. In implementation, it can be used by network architects to ensure that they are not missing any important security details while designing a network. In maintaining existing networks, it can be used to develop maintenance schedules and life-cycles for the security of the existing network. It can also be used to detect where breaches have occurred so that an attack can be mitigated.

  • Advanced Threat Analytics for Incident Response Darren Spruell - March 28, 2008

    Incident handling is a term which describes a formalized process of identifying and responding to security incidents in a structured manner (SANS, 2006). Threat analysis is a concept most often associated with security threat intelligence, an area which focuses on gaining knowledge of new and existing threats for the purpose of formulating defenses to mitigate them.

  • Governmental Effects upon the Cyber Security Decision Making Cycle Bruce Norquist - May 5, 2005

    The purpose of this paper is to consider the direct influence and impact of government agencies on the cybersecurity decision cycle, especially regarding computer system and network critical infrastructure.

  • Governmental Effects upon the Cyber Security Decision Making Cycle Bruce Norquist - March 9, 2005

    The purpose of this paper is to consider the direct influence and impact of government agencies on the cybersecurity decision cycle, especially regarding computer system and network critical infrastructure.

  • Building a More Secure Network George Rosamond - June 9, 2004

    When firms, including less capital-flush small and mid-sized entities, look to increase the level of security on their networks, they frequently look to expensive hardware and software solutions.

  • Building a Secure Enterprise Grade V3PN Ian Rudy - February 26, 2004

    The purpose of this paper is to demonstrate a secure, scalable, and redundant V3PN architecture that can be used as a model for implementation in the Enterprise.

  • Applying Security to an Enterprise using the Zachman Framework Lori DeLooze - October 31, 2003

    Designing and implementing a streamlined, integrated security architecture should not be difficult if you follow the Zachman Framework as a guide.

  • The Evolution of the Information Security Mindset: A Hypothesis of Stages of Individual and Enterpri Glenn Fourie - October 31, 2003

    This paper explores the evolution of individual and enterprise thinking around information security.

  • Implementing a Project Security Review Process within the Project Management Methodology Darlene Rodgers - October 31, 2003

    This paper will focus on how to get greater penetration of security policies within the enterprise, by adding a security review process within the existing project management methodology.

  • Building a Secure Internet Data Center Network Infrastructure Chang Tee - November 7, 2001

    Best practice information on designing and implementing secure networks in an Internet Data Center.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters: This paper was created by a SANS Technology Institute student as part of their Master's curriculum.