DECISION-ORIENTED AUDITING OF ENCRYPTION AND KEY MANAGEMENT POLICIES BASED ON CONSISTENCY, STABILITY, AND RISK METRICS
Abstract
Auditing encryption and key management policies in modern web and server systems is complicated by architectural complexity and continuous configuration change. Existing approaches largely rely on static compliance checks or isolated metrics, providing limited support for actionable decision-making. This paper proposes a decision-oriented framework that bridges metric-based auditing and practical security governance. The framework relies on system-level abstractions of policy requirements and enforcement evidence, and maps consistency, conflict, stability, and risk metrics to discrete decision outcomes. A bounded and non-intrusive satisfaction function supports partial compliance, heterogeneous evidence, and conservative handling of missing data without accessing cryptographic key material. In addition, a riskaware remediation prioritization algorithm ranks policy requirements by urgency and architectural impact. Scenario-based evaluation demonstrates improved interpretability of audit results and supports proactive, risk-aware remediation planning.