ABSTRACT
Systematic approaches to measuring security are needed in order to obtain evidence of the security performance of products or an organization. In this study we survey the emerging security metrics approaches from the academic, governmental and industrial perspectives and aim to bridge the gap between information security management and Information and Communication Technology (ICT) product security practices. If common metrics approaches between different security disciplines can be found, this will advance our holistic understanding and capabilities, both in management and engineering practices.
Title: Towards a taxonomy for information security metrics