The Common Criteria and Information Systems Security Certification

Authors

  • Nikolaos C. Kokkinos, Kavala Institute of Technology (KIT), Faculty of Engineering
  • Dimitrios I. Maditinos, Kavala Institute of Technology (KIT), School of Business and Economics
  • Željko Šević, Glasgow Caledonian University, Glasgow School for Business and Society
  • Aleksandar Stojanovic, University of Greenwich, Business School

Keywords:

information systems security, information security management standards, information security certification

Abstract

Information security is a vital business requirement in today's information systems (IS). In recent decades, the evaluation of information technology security has become a major worldwide challenge for many national institutes, agencies and schemes. Eventually, on the road to international harmonisation, the Common Criteria Editorial Board (CCEB) established a common worldwide platform, the Common Criteria for Information Technology Security Evaluation (known as CC).

Purpose: The number of information threats and violations is increasing as technology develops. The need to certify the efficiency and safety of an IS is a fundamental business issue. This paper discusses the sufficiency of CC-based IS security evaluation and certification, and is intended to shed light on the shortcomings of the CC.

Design/methodology/approach: The Common Evaluation Methodology (CEM, 2009) was studied and used to examine the security certification of IS.

Findings: The results of this study reveal the weaknesses of the CC international standard for evaluating and certifying an IS as secure. No matter to what extent the component products of an IS have been evaluated individually, further security issues arise when they are combined and connected into a network or system. Moreover, information system security evaluation takes time, while the Target of Evaluation (TOE) belongs to a very frequently changing world. Furthermore, an IS comprises not only hardware, software and networks but also people, and predicting human error and its frequency in a Protection Profile (PP) is practically impossible.

Research implications: There is a fundamental requirement for better assurance of IS and for continuous improvement of the common worldwide security evaluation platform, the Common Criteria.

Originality/value: This study opens a road to an essential and efficient information system security evaluation, which is a common concern for every business and enterprise.

Published

19.01.2023