The processes of granting security clearances to people and accrediting trusted computer systems are compared, both informally and using preliminary mathematical models of risk probabilities. The risk models support the validity of two hypotheses that were previously merely conjectures: (1) in determining an acceptable accreditation range for a computer, one need only consider the highest classification of data on it and the least-cleared person using it; (2) under suitable conditions, a cascade (combination) of two trusted systems can be trusted more than either individually. In particular, it is shown that a cascade of two (independently built) B2 systems is as good as one B3 system.