Applying a model of configuration complexity to measure security impact on IT procedures

IT security has become over the recent years a major concern for organizations. However, it doesn´t come without large investments on both the acquisition of tools to satisfy particular security requirements and complex procedures to deploy and maintain a protected infrastructure. The scientific community has proposed in the recent past models and techniques to measure the complexity of configuration procedures, aware that they represent a significant operational cost, often dominating total cost of ownership. However, despite the central role played by security within this context, it has not been subject to any investigation so far. To address this issue, we apply a model of configuration complexity proposed in the literature in order to be able to estimate security impact on the complexity of IT procedures. Our proposal has been materialized through a prototypical implementation of a complexity scorer system called security complexity analyzer (SCA). To prove concept and technical feasibility of our proposal, we have used the SCA to evaluate real-life security scenarios.