Evaluation Methodology

Abstract

The previous two parts provide the fundamentals and specify a list of requirements for stand-alone direct recording electronic voting machines and a second list for remote electronic voting systems. The “requirement part” overcomes one of the identified vulnerabilities of existing evaluation documents for electronic voting systems by defining standardised, consistent, and exhaustive requirements. In this part the remaining identified vulnerabilities are addressed by providing a standardised evaluation methodology, taking the underlying trust model into account and being flexible with respect to different evaluation depths.This “evaluation part” only considers remote electronic voting systems, while in the previous part, the requirements for electronic voting machines and for remote electronic voting systems are specified. In addition, the proposed evaluation methodology only addresses the security, functional, and assurance requirements for remote electronic voting systems, while the de- fined operational and usability requirements are not considered. However, the proposed methodology can easily be adapted and extended for stand-alone direct recording electronic voting machines or any other type of electronic voting system.After a short discussion of established evaluation methodologies, the most appropriate methodology is explained: The Common Criteria (CC) [35] and the corresponding Common Evaluation Methodology (CEM) [36]. In particular, the application of the Common Criteria for remote electronic voting is discussed. In this context, different trust models for remote electronic voting in terms of the Common Criteria approach are discussed in general and in particular their implications for possible implementations of remote electronic voting systems. There are two chosen examples: The “temporary unlimited secrecy of the vote” and the “trustworthiness of the vote-casting device”.In addition, the requirements from Chap. 6 are translated to the Common Criteria syntax; in particular the assurance requirements to the corresponding Common Criteria evaluation level. In order to be able to choose also high Common Criteria evaluation levels requiring formal methods, a first step to develop a formal IT security model is taken. A subset of requirements from Chap. 6 is specified in such a model.KeywordsTrust ModelEvaluation MethodologySecurity ModelSecure StateCommon CriterionThese keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.