Why COCOMO needs security

SECOMO: it is nothing but a security cost model. It was mostly created for COCOMO (the Constructive Cost Model). If the software size is defined, the user is able to estimate the security, but if it is not, then it needs to provide the security.

The COnstructive COst MOdel (COCOMO) is an algorithmic software cost estimation model developed by Barry Boehm. The model uses a basic regression formula.

Basic COCOMO

Basic COCOMO computes software development effort (and cost) as a function of program size. Program size is expressed in estimated thousands of lines of code (KLOC).

COCOMO applies to three classes of software projects:

Organic projects - "small" teams with "good" experience working with "less than rigid" requirements
Semi-detached projects - "medium" teams with mixed experience working with a mix of rigid and less than rigid requirements
Embedded projects - developed within a set of "tight" constraints (hardware, software, operational, ...)

The basic COCOMO equations take the form

Effort Applied = a_b (KLOC)^{b_b} [man-months]
Development Time = c_b (Effort Applied)^{d_b} [months]
People required = Effort Applied / Development Time [count]

The coefficients a_b, b_b, c_b and d_b are given in the following table.

Software project   a_b    b_b    c_b    d_b
Organic            2.4    1.05   2.5    0.38
Semi-detached      3.0    1.12   2.5    0.35
Embedded           3.6    1.20   2.5    0.32

Basic COCOMO is good for a quick estimate of software costs. However, it does not account for differences in hardware constraints, personnel quality and experience, use of modern tools and techniques, and so on.

COCOMO's regression formula uses parameters that are derived from historical project data and current project characteristics.

We present in this paper an estimation cost model for risk management projects, called SECOMO. This model helps managers reason about the cost and schedule implications of network security decisions that security teams may need to make. It aims to achieve several objectives including: (1) providing accurate cost and scheduling estimates for current security projects, and (2) providing a normative method for the allocation of resources necessary for the development and maintenance of network security solutions.

INTRODUCTION

Security cost estimation is important because it aims to provide accurate cost and schedule for current (and likely future) security solutions to organizations. It also enables security teams to easily recalibrate, customize, and extend the cost model the estimation may produce. An accurate cost-estimation capability provides security teams with a solid basis for determining how much time, cost and personnel each risk management process should take. This helps managers to plan the securing activities, to perform competitive security contract bids, and to tell whether or not a security project is proceeding according to plan.

Efficient security cost models should provide a normative mechanism to allocate the resources necessary for effective security solutions development and maintenance. They should evolve to integrate new capabilities to address needs for protection. Moreover, security cost models should provide an efficient and easy to understand set of definitions of the inputs, assumptions and outputs required for the estimations. Several estimation techniques have been proposed and used in recent decades. However, to our knowledge, these techniques have considered that security projects are aggregates of sub-projects, which may be addressed separately.
Estimation techniques include COCOMO, COCOTS, COQUALMO, and Expert COCOMO (see [1] for a description of these models). These techniques have addressed the cost estimation of the development of software, constructive integration, expert-determined defect introduction and removal, and risk assessment, respectively. We believe that a security cost model should be based on the joint estimation of the cost of a set of processes including, but not limited to, the following inter-related processes: 1) building systems with commercial-off-the-shelf solutions, 2) risk analysis and monitoring, 3) security quality assurance, 4) project planning and 5) security policy definition. To this end, we have developed a security cost model that we describe in this paper.

The objective of this paper is then to propose a security-oriented estimation technique. This technique, which is inspired by those used successfully in software engineering, aims to develop an estimation cost model allowing managers to estimate the effort needed to set up a security solution. Because of the similarity between security engineering management and software engineering management, we have chosen to base the development of the security cost model on the Constructive Cost Model (COCOMO II version).

COCOMO, which represents a basis for the model presented in this paper, can be defined as an objective cost model for planning and executing software projects [1]. COCOMO refers to a parametric software cost model for planning and executing software projects. It supports bottom-up algorithmic model estimates. COCOMO advantages include generality, efficiency, and extensibility [1], and its computations are based on the estimation of a project's size. Like COCOMO, the estimation model proposed in this paper, which we refer to as SECOMO, supports algorithmic model estimates. The estimation is made for the whole security project.
Due to the lack of security data statistics, the model initialization is based on expert judgment. SECOMO is specific to security projects. It is defined as an objective model for planning and performing risk management projects in networked environments. The remainder of this paper is organized as follows: Section 2 presents the SECOMO model, its estimating equations and the method used to estimate the network size.

The estimations are performed using the concept of network size and various parameters called scale factors and effort multipliers, which give a measure of the security task complexity. Effort estimation, expressed in man*time units, is given by:

E = a × EAF × S^b

where a is a constant, EAF is the Effort Adjustment Factor, S is the size of the network, and b = β + Σ w_i, where β is a constant and the w_i are the scale factors.

SECOMO uses 4 scale factors and 13 effort multipliers classified into 4 categories. Despite the similarity between SECOMO and COCOMO in using both Effort Multipliers (EM) and Scale Factors (SF), we highlight the fact that these parameters are different in the two models. For instance, in the SECOMO model we use an effort multiplier category that is totally appropriate to security projects, called "Information System Factors".
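
The Basic COCOMO equations with the coefficient table above, and the SECOMO effort form E = a × EAF × S^b, worked through in Python as an added example that is not from the original page or the SECOMO paper. The page gives no values for the SECOMO constants a and β, the EAF or the scale factors w_i, so the values used in the demo are constructed placeholders, as is the 32 KLOC sample size.

```python
"""Basic COCOMO and the SECOMO effort form (added example)."""

# Coefficients (a_b, b_b, c_b, d_b) from the table on this page.
COEFFS = {
    "organic":       (2.4, 1.05, 2.5, 0.38),
    "semi-detached": (3.0, 1.12, 2.5, 0.35),
    "embedded":      (3.6, 1.20, 2.5, 0.32),
}


def basic_cocomo(kloc, project_class):
    """Return effort (man-months), time (months) and people for a size in KLOC."""
    if kloc <= 0:
        raise ValueError("kloc must be positive")
    a, b, c, d = COEFFS[project_class]
    effort = a * kloc ** b
    time = c * effort ** d
    return {"effort": effort, "time": time, "people": effort / time}


def effort_growth(project_class, factor=2.0):
    """Effort multiplier when size grows by `factor`: factor ** b_b (> factor)."""
    kloc = 10.0  # any positive size gives the same ratio
    return (basic_cocomo(kloc * factor, project_class)["effort"]
            / basic_cocomo(kloc, project_class)["effort"])


def secomo_effort(a, eaf, size, beta, scale_factors):
    """SECOMO form from the page: E = a * EAF * S^b, with b = beta + sum(w_i)."""
    if size <= 0:
        raise ValueError("network size must be positive")
    b = beta + sum(scale_factors)
    return a * eaf * size ** b


if __name__ == "__main__":
    for cls in COEFFS:
        r = basic_cocomo(32, cls)  # 32 KLOC is a constructed sample size
        print(f"{cls:14s} effort={r['effort']:7.1f} MM  time={r['time']:5.1f} mo  "
              f"people={r['people']:4.1f}  2x size -> {effort_growth(cls):.2f}x effort")
    # Constructed placeholder values: the page gives no SECOMO constants.
    for w in ([0.0] * 4, [0.02] * 4, [0.05] * 4):
        e = secomo_effort(a=1.0, eaf=1.0, size=50, beta=1.0, scale_factors=w)
        print(f"scale factors {w} -> E = {e:.1f}")
```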