Research archives

In addition to what we consider as being our five most important papers there over fifty others. Click on a title below to list the papers in that section.

Past events (all years)
a series of 25 papers presented over the years at various conferences and events

There are a wide variety of conferences and events at which we have presented. The table below lists all those since 2002 with links to the presentations.

KEY to topics:
Basel Operational risk, e.g. the Basel Accord
BCMS Business Continuity Management Systems
CC Common Criteria
Effect Effectiveness
IMS Integrated Management Systems
ISMS Information Security Management Systems
Risk Risk assessment
Smart Smart cards


13 May, 2010 London The BSI ‘Information Security Conference - Latest Standards and Developments’, where we presented our views on ISO/IEC 27003 (Implementation Guidance), fresh back from the ISO SC 27 meetings in Malaysia (having successfully passed the business continuity challenges afforded by the Icelandic volcano!) ISMS
22-24 September, 2009 Tromsø, Norway The Tenth International Common Criteria Conference where we presented our paper entitled “Common Criteria Development - Lessons from the ISMS World CC
23-25 September, 2008 Jeju, Korea The Ninth International Common Criteria Conference where we presented our paper entitled “How to write Protection Profiles and Security Targets, the PPST Guide” CC
12-13 May, 2008 Bahrain CISO Executive Summit, where we presented on Integrated Management Systems, showing this time that it is more than just fitting ISO standards together. IMS
15 April, 2008 Mumbai, India BSI’s BS 25999 launch seminar in Mumbai where we were invited to address the audience. Dr. Brewer made 8 observations in support of this new British Standard on business continuity management. BCMS
16 February, 2008 New Delhi, India The ISACA Conference of Information Security, Audit & Control, where we addressed the audience on the subject of Integrated Management Systems for Enterprise Security and IT Governance. Our presentation provided a survey of all our research to-date in internal control and was dedicated to the memory of our late friend and colleague, William List. IMS
22 September, 2007 Pune, India We gave three presentations to over 30 IT Heads of Banks at the Reserve Bank of India’s College of Agricultural Banking in Pune, India. The main thrust of our presentation was to share our views on meeting the standardised and advancement measurement approaches in Basel II for operational risk. As the concept of a management system is an important component in this regard, Dr. Brewer began with a presentation on the ISMS standards. He concluded with a case study of work he performed last year in conjunction with our partner, Secure Matrix.



30 November, 1 December 2006 Port Louis, Mauritius We gave three presentations to celebrate Computer Security Day. The event was hosted by the National Computer Board and the IT Security Unit.  The first presentation was entitled “Implementing ISO/IEC 27001”, the second “Information Security Compliance for Sarbanes-Oxley and Basel II” and the third “ISO/IEC 27001: a comprehensive approach to Information Security”.



19 - 21 September 2006 Lanzarote We gave a paper on “Alternative Assurance Criteria” at the 7th International Common Criteria Conference. CC
21, 24 May 2006 Kuwait, and UAE We gave the Keynote address at the Information Security Conference - ISO 27001. ISMS
20 March 2006 London We presented our paper “Measuring the effectiveness of an internal control system” and related material to a packed audience at the ISACA euro-CACS conference in London. Effect
14 March 2006 Port Louis, Mauritius Together with the British Computer Society (Mauritius Section), the Minister for IT and his Ministry, we gave a presentation on ISO/IEC 27001 and integrated management systems



18, 22 February 2006 Mumbai, Delhi The Information Security Conference ISO 27001.  The first conference of its kind ever in India, sponsored by Secure Matrix, NASSCOM and the Computer Society of India, Dr. David Brewer and Willie List were the keynote speakers ISMS
25-26 October 2005 London The AIIM Europe Conference and Exhibition where we spoke about the “IT security implications of Basle II”. Basel
28 - 29 September 2005 Tokyo The 6th International Common Criteria Conference, where we spoke about the “ISO PPST Guide” and answered the question “Is the CC the only way? CC
29 November - 1 December 2004 London The 2004 BS 7799 Goes Global conference, where we gave a presentation on “How do you know the ISMS is working”. We also had the privilege of giving, reproduced with kind permission of the Ministry of Information Technology and Telecommunications, Mauritius, their paper on our work in rolling out BS 177999 to various Ministries and Departments. ISMS
October -December 2004 Leeds, London,  Manchester, Birmingham, Cardiff

Five Institute of Chartered Accountants in England and Wales IT Faculty half-day Roadshows on how to create effective internal control across the whole organisation, reduce your risks and take charge.

We also published a series of four short articles in CHARTECH magazine:

  1. Effectiveness of Internal Control Systems
  2. Risk analysis
  3. How is effectiveness measured in internal control systems?
  4. Management Systems.




4 October Long Eaton
A presentation entitled “Security -Who is in charge? -The users? Or the system?”, given to the Nottingham and Derby Branch of the British Computer Society Winter School 2004.



28 - 30 September 2004 Berlin The 5th International Common Criteria Conference where we spoke about “Simpler Security Targets” and “The Relevance of the Common Criteria to Sarbanes-Oxley and Corporate Governance”.  CC
22-24 September 2004 Sophia Antipolis e-Smart 2004 where we applied our time paper in the context of GlobalPlatform smart cards. Smart
19 August 2004 London The Independent Information Security Group (IISyG): a half day seminar entitled “Rolling out ISO/BS (1) 7799 in the real world”. ISMS
6 May 2004 Singapore BS 7799 and IT Corporate Governance, a whole day seminar hosted by Symantec, where we presented on corporate governance and intrusion detection. ISMS
29 April 2004 Domain Les Pailles, Mauritius Ministry of Information Technology and Telecommunications (Mauritius) seminar on rollout of ISO/IEC 17799 to government ISMS
14 October 2003 Domain de Pailles, Mauritius World Standards Day, where we gave a presentation on information security standards. ISMS
17-19 September 2003 Sophia Antipolis e-Smart 2003, where we gave a presentation on the GlobalPlatform Card Security Requirements Specification. Smart
18-19 September 2003 London 7799 Goes Global Conference, where we gave a presentation on e-biz governance. ISMS
7-9 September 2003 Stockholm The 4th International Common Criteria Conference, where we presented on dealing with smart cards as evaluated systems. Smart
4 December 2002 London

UK 7799 Users Group Meeting, where we role played an audit. There isn’t a paper or presentation, only a photograph of the event:

19-20 September 2002 Nice e-Smart 2002, where we gave a paper on the ITRI/Gamma architecture for GlobalPlatform smart cards. Smart
4-5 September 2002 London The first 7799 Goes Global Conference where we gave a presentation entitled is IT governance enough? ISMS
July 2000 London The IAAC workshop at Senate House, where we presented our thoughts on risk assessment. Just thee years years later, we totally changed our views. Risk



Other IMS and ISMS papers (2004 — 2006)
a series of 4 papers concerning integrated management systems and ISMS

Gamma’s mainstream papers are still current, However, there are a number of papers that we wrote at around the same time which may be of historical interest. They are:


Common Criteria Conferences (2001 — 2010)
a series of 13 papers presented by us at various Common Criteria Conferences

Gamma has enjoyed a long and fruitful association with the Common Criteria (ISO/IEC 15408) since its inception, having provided the only non-government member of the ISO standardisation committee and having helped to develop the ITSEC; one of the three security evaluation criteria that were used to create the Common Criteria.

Essentially, the Common Criteria facilitate the means to confirm that particular security features of some Target of Evaluation (TOE), which is usually an IT product, have:

  • Been implemented correctly and cannot be bypassed, deactivated, corrupted or otherwise circumvented;
  • Is able to resist direct attack with a given attack potential.

This evaluation is predicated on a detailed examination of the construction of the TOE, commensurate with some given level of confidence (often specified as a Common Criteria “Evaluation Assurance Level”).

The Common Criteria Recognition Arrangement facilitates the means for the nominated authority in one country to formally accept Common Criteria evaluations that have been certified in another country, and is singularly responsible for the dramatic uptake of interest in the Common Criteria by Visa and MasterCard at the turn of the century.   

There is now a regular International Common Criteria Conference; the last we attended was held in September in Antalya, Turkey 2010.

These are the papers that we have presented:

2010 Antalya Using the Common Criteria in Practice”, by Mike Nash
2009 Tromsø Common Criteria Development - Lessons from the ISMS World”, by Mike Nash
2008 Jeju How to write PPs and STs - the PPST Guide”, by Mike Nash
CC Part II Tutorial, by Mike Nash
2006 Lanzarote Alternative Assurance Criteria, by David Brewer
2005 Tokyo The ISO PPST Guide - Tool or Irrelevance”, by Mike Nash
Is the CC the only way?”, by David Brewer
Summary of Track A”, by Mike Nash
2004 Berlin

Simpler Security Targets”, by Mike Nash
The Relevance of the Common Criteria to Sarbanes-Oxley and Corporate Governanceby David Brewer and William List

2003 Stockholm Dealing with smart cards as evaluated systems”, by David Brewer and Marc Kekicheff
2002 Ottawa Proving Protection Profile Compliance for the CCL/ITRI Visa Open Platform Smart Card by David Brewer, Chilung Wang and Paulie Tsai
2001 Brighton The Open Platform Protection Profile (OP3)”, by Marc Kekicheff, Forough Kashef and David Brewer


Smart cards (2001 — 2004)
a series of six papers concerning our work with GlobalPlatform smart cards

GlobalPlatform technology

Smart cards, we believe, are generally good things.  The GlobalPlatform idea is that we just need one piece of plastic to carry around with us.  Issued by our bank, or phone company perhaps, it will always give us access to our account with them.  The same card could also give us access to Visa, MasterCard, etc and loyalty  programmes with various retailers, gasoline outlets, hotels and airlines.  We could choose to have these other businesses on our card at the time of issue or, provided that our Card Issuer agrees, download them later.  So we just need one card. But what of security?  What if our card fell into the wrong hands? Could merchants do nasty things when they put the card into their machines (called a Card Acceptance Device or CAD for short)? What happens if I use it over the Internet or with my WAP enabled mobile phone? Could I catch a virus?  Could someone steal all my money? or discover where I have been spending it?

These are very interesting questions.  They are security related questions and demand an answer.  However, they are cardholder questions.  What questions do the Card Issuers have regarding their security risks?  What about the Application Providers?  Who loads the software onto the cards? Can they be trusted?  What about the Card Manufacturers? (and we must bear in mind that the chip manufactures and operating system providers are often different companies).  What indeed do organisations, such as Visa, think - whose brand names might be at stake?

Some of the answers to these questions present the Common Criteria (ISO/IEC 14508) as the answer, but these raise other questions.

What work has been done?

Pioneering work has been conducted in eight main areas:

  • In Europe, with EuroSmart, which represents the smart card vendors’ perspective - eager to embrace the Common Criteria and use it to as standard to express what can be achieved.

  • In the US, with Visa and the Smart Card Security Users’ Group (SCSUG) with the development of the SCSUG-Smart Card Protection Profile, which expresses the users’ perspective on requirements.

  • In the US, with Visa and GlobalPlatform with the development of the GlobalPlatform Card Specification

  • In the US, with Visa and the development of the Visa Open Platform Protection Profile (OP3)

  • In Taiwan, with the Industrial Technology Research Institute (ITRI) with the development of a comprehensive smart card architecture (also see our e-Smart 2002 paper).

  • This led, with GlobalPlatform, to the development of the GP Card Security Requirements Specification, which we presented at the 4th International Common Criteria Conference (also see our e-Smart 2003 paper).

  • At the 2004 eSmart 2004 conference, GlobalPlatform reported that it had embarked on a programme of formally specifying the card specification, using our informal card security requirements specification as the starting point.

  • At the same conference, Gamma presented in work in applying internal control system metrics in order to facilitate the correct choice of on-card and off-card measures.

Working for various clients, Gamma has been directly involved with the majority of these initiatives.

Other work of merit has been performed in Europe on a Protection Profile for the integrated circuitry (IC) - the Silicon Vendors’ Security Group Protection Profile (which is on the EuroSmart site) and some early work on Java Card TM (referred to as the JCSPP).

Where did this get us?

This is a very good question. There are two parts to this answer:

  • The ITRI/Gamma architecture and the GP Card Security Requirements Specification pave the way to showing how a security target can written that is compliant with all the relevant smart card protection profiles. Moreover, it shows that the composition problem that everyone has found so elusive is really a decomposition problem.

  • The GP Card Security Requirements Specification identifies the areas where off card measures are required, and ISO SC27 WG3 work directed towards system evaluation will help organisations to meet those requirements.

Two areas to watch were therefore GP developments and the ISO SC27 WG3 work.  At the Fourth International Common Criteria Conference (ICCC4)  we ran a track dedicated to such issues.


Projecting trust (1997 — 2000)
a series of five papers concerning the projection of trustworthiness of a business service

Standards, such as ISO/IEC 27001 , can be used to project the trustworthiness of a business service.  These papers trace this idea from its inception, culminating in the SEDUCER framework.

  • SEDUCER - An EC study (Dec 2000) to devise a framework for projecting the trustworthiness of a business service (such as a TTP).  It makes use of BS7799 Part 2 and the Common Criteria.
  • Guaranteeing Secure Transactions (e-Trust) - A paper based on a presentation given at the second E-Commerce and the Supply Chain Revolution Conference held in London in June 1999.
  • Accreditation criteria for secure information systems - This paper traces the evolution of criteria for the homologation (accreditation) of secure information systems and services, and shows the importance of real time risk management. It also suggests that BS7799 may offer a more attractive alternative to ITSEC system evaluation.  It was presented on 16 March 1998 at Eurosec in Paris.
  • Market Expectations of Trustworthiness in Third Party Electronic Services - a summary of our market survey for the UK Department of Trade and Industry published in April 1997, together with an extract concerning a taxonomy of TTP services.
  • Commercially-driven independent accreditation: an effective way ahead - examine why the directors of the Insurefast Company were seeking a public statement of assurance in the security of their service and how we proposed to provide one.  The paper was presented on 18 March 1997 at Eurosec in Paris.


Royal Air Force Security (1993 — 1996)
a series of four papers concerning a rare example of a very large - and very successful - secure system development where the security policies and practices have been published.

The Royal Air Force (RAF) Logistics Information Technology System (LITS) is a rare example of a very large - and very successful - secure system development where the security policies and practices have been published.  These four papers provide a introduction to this programme, and contain many useful tips, still valid today, for anyone about to embark on purchasing a large, networked system that has to be secure.  If you work in UK Government, or have an interest in the aerospace industry, you should find these papers particularly interesting.  All the papers are British Crown Copyright, and we would like to thank the Controller of HMSO for permission to make these papers web-accessible.

The first paper, Information Security in a Complex Defence System Procurement: A Personal Management Experience was presented at the Canadian Computer Security Symposium in May 1993.  This was very much a cook-book on how to extend the project management and system development methodologies in use in the UK Ministry of Defence at that time to handle information security.  It was widely adopted by other defence systems in the UK in the years that followed.

Security Policy in a Complex Logistics Procurement was presented later that year at the 1993 Computer Security Applications Conference in the US.  It documented the theoretical work that was necessary to apply the generic guidance on information security available from CESG (the UK national security authority) to a large, networked, multi-stage programme.  CESG must be thanked for their support in preparing this paper, including permission to publish openly the outline of their approved security documentation lifecycle.  Once again, much of the innovation within this paper subsequently became part of the officially adopted UK Government approach.

Managing Information in Large Defence Procurements: the Royal Air Force LITS Experience (another long title!) was presented at the 1995 Canadian Computer Security Symposium.  This paper recorded the LITS security team’s experiences in assessing the security knowledge, experience and capabilities of bidders to specify and develop the LITS system, and also the benefits to that process from early start “quick results” development contracts.

The final paper of the set, Implementing Security Policy in a Large Defence Procurement, was published at the 1996 Computer Security Applications Conference.  This reported our first experiences of system implementation and in particular a growing realisation that both UK national security policy and the role of the RAF were changing radically as a consequence of the end of the Cold War and the dissolution of the Warsaw Pact.  In consequence, the security threat to LITS was changing, and the design and implementation strategy had to adapt to and encompass the consequential change to both operational and security requirements.


Early papers (pre 1992)
three very early papers including our seminal Chinese Wall Security Policy paper

The Chinese Wall Security Policy - our seminal paper contrasting the Orange Book to the 1986 Financial Services Act.  First published at the IEEE Symposium on Security and Privacy, Oakland 1989.

Some Conundrums Concerning Separation of Duty - another seminal Gamma research paper, on the need for Role Based Access Control (RBAC), although written before the acronym RBAC was first popularised by Ferraiolo and Kuhn. First published at the 1990 IEEE Symposium on Security and Privacy.

Security Evaluation - a craftsman-led approach to system security evaluation that combines business risk analysis, evaluation and corrective action rolled into one, that is faster and less expensive than the Common Criteria - based on research performed in 1986, and is still relevant today.