Analysis of the Effects of Common Criteria Certification on the Information Security Solutions

Young Ran Hong, Dongsoo Kim


As the functions and technologies of IT security solutions have become diversified and complicated, it has become necessary to standardize those functions. The Common Criteria (CC) evaluation and certification scheme was introduced against this background in 2000. For over 10 years after the introduction of the CC evaluation and certification scheme, many security solution vendors have developed functions following the security functional requirements in CC. Most CC evaluators and developers think that CC has helped to enhance the security of the solutions. So, it is the right time to prove the positive effects of CC quantitatively. In this research, we compare two cases, the security status of a solution before and after the experience of CC evaluation, and analyze the results. We prepared a questionnaire for domestic solution vendors. Using statistical analysis, we show quantitatively that CC has had positive effects on the security of the solutions. This research is meaningful for the security enhancement of domestic security solutions.






