Assessing the Feasibility of Security Metrics

Authors

  • Bernhard Heinzle
  • Steven Furnell
Abstract

Security metrics are used to measure the effectiveness of an organisation's Information Security Management System (ISMS) as well as the sub-processes, activities and controls of the ISMS. Guidelines and example metrics have been published, but it is still difficult for an organisation to select metrics that are feasible for its environment, i.e. its ISMS. This paper proposes a self-assessment framework that allows a user to determine security metrics that are feasible specifically for the user's ISMS. To achieve this, a metric catalogue containing 95 metrics from different sources was created. For each metric, the requirements that must be fulfilled in order to use it, and the ISO 27001 clauses and controls whose effectiveness it measures, were ascertained and assigned. In this way, a list of requirements was generated that can be used to describe an organisation's ISMS. During an assessment, the user indicates which requirements from that list are fulfilled. After the assessment, a list of feasible metrics, the number of metrics per ISO 27001 clause and control, and other information are generated as assessment results. A software prototype was created as a proof of concept of the self-assessment framework. The results of the study were evaluated by external experts, which showed the usefulness of the study and helped to identify areas for improvement and future work.
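As an added illustration (not code from the paper or its prototype), the feasibility filter the abstract describes: a constructed four-metric catalogue stands in for the 95-metric one, and the metric names, requirement names and ISO 27001 control numbers are assumptions made for the example. The `missing_requirements` output is one guess at the "other information" an assessment might report.

```python
from collections import Counter

# Constructed metric catalogue: metric -> requirements the ISMS must fulfil to
# use it, and the ISO 27001 controls whose effectiveness it measures.
# Names and control numbers are illustrative, not the paper's 95-metric catalogue.
CATALOGUE = {
    "patch_latency_days": {
        "requires": {"asset_inventory", "vuln_scanner", "patch_records"},
        "measures": {"A.12.6.1"},
    },
    "incidents_per_month": {
        "requires": {"incident_register"},
        "measures": {"A.16.1.2", "A.16.1.4"},
    },
    "phishing_click_rate": {
        "requires": {"awareness_training", "phishing_simulation"},
        "measures": {"A.7.2.2"},
    },
    "access_review_coverage": {
        "requires": {"asset_inventory", "access_review_log"},
        "measures": {"A.9.2.5"},
    },
}

def requirement_list(catalogue=CATALOGUE):
    """Checklist derived from the catalogue: every requirement any metric needs."""
    return sorted(set().union(*(m["requires"] for m in catalogue.values())))

def feasible_metrics(fulfilled, catalogue=CATALOGUE):
    """A metric is feasible only if all of its requirements are fulfilled."""
    return sorted(n for n, m in catalogue.items() if m["requires"] <= set(fulfilled))

def metrics_per_control(fulfilled, catalogue=CATALOGUE):
    """Number of feasible metrics covering each ISO 27001 control."""
    counts = Counter()
    for name in feasible_metrics(fulfilled, catalogue):
        counts.update(catalogue[name]["measures"])
    return dict(counts)

def missing_requirements(fulfilled, catalogue=CATALOGUE):
    """For each infeasible metric, the requirements still to be met (assumed here
    to be the kind of 'other information' an assessment would report)."""
    fulfilled = set(fulfilled)
    return {n: sorted(m["requires"] - fulfilled)
            for n, m in catalogue.items() if not m["requires"] <= fulfilled}

if __name__ == "__main__":
    # Constructed assessment: the user ticks these requirements as fulfilled.
    ticked = {"asset_inventory", "incident_register", "access_review_log"}
    print("requirements:", requirement_list())
    print("feasible:", feasible_metrics(ticked))
    print("per control:", metrics_per_control(ticked))
    print("missing:", missing_requirements(ticked))
```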


Similar sources

On the Feasibility of Utilizing Security Metrics in Software-Intensive Systems

Security measurement of software-intensive systems is an emerging field, rapidly gaining momentum. Well-designed security metrics offer credible and sufficient evidence of security level and performance for security decision-making. In this study, we introduce a novel security metrics feasibility validation approach, consisting of validation criteria and an associated validation process that ta...


Using the Taxonomy and the Metrics: What to Study When and Why; Comment on “Metrics and Evaluation Tools for Patient Engagement in Healthcare Organization- and System-Level Decision-Making: A Systematic Review”

Dukhanin and colleagues’ taxonomy of metrics for patient engagement at the organizational and system levels has great potential for supporting more careful and useful evaluations of this ever-growing phenomenon. This commentary highlights the central importance to the taxonomy of metrics assessing the extent of meaningful participation in decision-making by patients, consumers and community mem...


Assessing Business Process Security Awareness: A Service-Oriented Approach

The aim of this paper is to present some preliminary ideas about practical metrics and measurements useful for (i) assessing business process risk at design time and (ii) computing security and trust metrics at run time on business process orchestrations. In particular, the study is focused on a priori metrics applied to behavioral specifications of business processes (e.g., business rules and ...


Properties for Security Measures of Software Products

A large number of attacks on computing systems succeed because of the existence of software flaws (e.g. buffer overflow, race conditions etc.) that could be fixed through a careful design process. An effective way of improving the quality of software products consists of using metrics to guide the development process. The field of software security metrics however is still in infancy in contras...



Publication date: 2013