Cost Estimation for Secure Software & Systems
Colbert, E; Boehm, B
University of Southern California
The Center for Software Engineering (CSSE) at the University of Southern California (USC) is extending the widely used Constructive Cost Model version 2 (COCOMO II) [Boehm, Abts, et al. 2000] to account for developing secure software. CSSE is also developing a model for estimating the cost to acquire secure systems (emphasizing space systems), and is evaluating the effect of security goals on other models in the COCOMO family. We will present the work to date.
Background
Engineering security in software-intensive systems is now a high-priority objective (a) for the Aerospace Corporation, which is supporting this research, and the U.S. Federal Aviation Administration (FAA), which supported this research; (b) for the U.S. Government generally; and (c) for many industries. Prudent management is concerned about the life-cycle cost of security.
While it is widely held that engineering security will substantially raise software-project cost, different models vary in estimating the added cost. For example, [Bisignani and Reed 1988] estimates that engineering highly secure software will increase costs by a factor of 8; the 1990s Softcost-R model estimates a factor of 3.43 [Reifer 2002].
Both of these models are based on the 1985 Department of Defense Standard 5200.28-STD, "Trusted Computer System Evaluation Criteria" (called the "Orange Book") [National Computer Security Center 1985]. However, the Orange Book, and cost models based on it, are obsolete. The ISO Standard Common Criteria for Information Technology Security Evaluation (CC) [ISO JTC 1/SC 27 1999a, b, c] has replaced the Orange Book.
COCOMO II provides an excellent base for developing and calibrating a software-cost driver for security. Over the past three years, CSSE has been extending COCOMO II to produce COSECMO, a model for costing secure software-intensive systems.
Presentation
1. We will present CSSE's model COSECMO, based on the following analysis of behavior.
2. COSECMO introduces a new cost driver, and defines guides for setting other COCOMO drivers when costing the development of a secure system.
3. CSSE has also developed a preliminary model for estimating the cost for development or acquisition of a secure system, for early use (e.g., at Investment or Mission Analysis in FAA terms), based on typical work-breakdown structures to which we added security activities. The Secure System Acquisition Cost Model will initially be calibrated for space systems. Project life-cycle cost is estimated by identifying major cost sources, estimating the cost for each (e.g., by unit cost), and summing the results.
CSSE has developed prototype tools that can be used to test and validate the two models.