A Novel Security Metrics Taxonomy for R&D Organisations

In order to obtain evidence of the security and privacy issues of products, services or an organization, systematic approaches to measuring security are needed. In this study we survey the emerging security metrics approaches from the academic, governmental and industrial perspectives. We aim to bridge the gaps between business management, information security management and ICT product security practices. If appropriate security metrics can be to offer a quantitative and objective basis for security assurance, it would be easier to make business and engineering decisions concerning information security. We believe that being able to express a high-level taxonomy of security metrics will help the actual process of developing feasible composite metrics even for complex situations. A welldefined taxonomy can be used to enhance the composition of feasible security metrics all the way from business management to the lowest level of technical detail. Information security management, business management and, on the other hand, software security and network security engineering have been handled as separate areas. Common metrics approaches can be used to bridge the gaps in between.