
Assessing the Feasibility of Security Metrics

  • Conference paper
Trust, Privacy, and Security in Digital Business (TrustBus 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8058)

Abstract

This paper proposes a self-assessment framework that allows a user to determine which security metrics are feasible for the user's own ISMS. To achieve this, a metric catalogue containing 95 metrics from different sources was created. The catalogue was enhanced by ascertaining the requirements that must be fulfilled in order to use each metric, as well as the ISO 27001 clauses and controls whose effectiveness each metric measures. During an assessment, the user indicates which requirements are fulfilled. After an assessment, a list of feasible metrics, the number of metrics per ISO 27001 clause and control, and other information are generated as assessment results. A software prototype was created as a proof of concept. The results of the study were evaluated by external experts, which validated the composition of the metrics catalogue, the design of the self-assessment framework and the value of the prototype, and helped to identify areas of improvement and future work.
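The assessment step the abstract describes, as an added example that is not the paper's prototype or catalogue: a constructed five-metric catalogue in which each metric carries its prerequisites and the ISO 27001 controls it measures, and an `assess` function that, given the requirements a user marks as fulfilled, returns the feasible metrics, a metric count per control (zero meaning a control has no usable metric) and the requirements each infeasible metric still lacks. All metric names, requirement names and control identifiers are placeholders chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Metric:
    name: str
    requirements: FrozenSet[str]  # what the ISMS must have before the metric can be computed
    controls: FrozenSet[str]      # ISO 27001 clauses/controls whose effectiveness it measures


def metric(name: str, requirements: Iterable[str], controls: Iterable[str]) -> Metric:
    return Metric(name, frozenset(requirements), frozenset(controls))


# Constructed sample catalogue (five entries). Requirement names and control
# identifiers are illustrative placeholders, not the paper's 95-metric catalogue.
CATALOGUE: List[Metric] = [
    metric("Mean time to patch", ["asset_inventory", "patch_log"], ["A.12.6.1"]),
    metric("Share of staff with security training", ["hr_records", "training_records"], ["A.8.2.2"]),
    metric("Security incidents per month", ["incident_register"], ["A.13.1.1", "A.13.2.1"]),
    metric("Dormant account ratio", ["identity_directory", "last_login_log"], ["A.11.2.1", "A.11.2.4"]),
    metric("Cost per security incident", ["incident_register", "cost_accounting"], ["A.13.2.1"]),
]


def assess(catalogue: List[Metric], fulfilled: Iterable[str]) -> Dict[str, object]:
    """Self-assessment: a metric is feasible when every requirement it lists is
    fulfilled. Returns the feasible metrics, how many feasible metrics cover each
    control in the catalogue (zero = no usable metric for that control), and the
    missing requirements of every infeasible metric."""
    have = set(fulfilled)
    feasible = [m for m in catalogue if m.requirements <= have]
    per_control = Counter({c: 0 for m in catalogue for c in m.controls})
    per_control.update(c for m in feasible for c in m.controls)
    missing = {m.name: sorted(m.requirements - have)
               for m in catalogue if not m.requirements <= have}
    return {
        "feasible": [m.name for m in feasible],
        "per_control": dict(sorted(per_control.items())),
        "missing": missing,
    }


if __name__ == "__main__":
    result = assess(CATALOGUE, ["asset_inventory", "patch_log",
                                "incident_register", "identity_directory"])
    for key, value in result.items():
        print(f"{key}: {value}")
```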




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Heinzle, B., Furnell, S. (2013). Assessing the Feasibility of Security Metrics. In: Furnell, S., Lambrinoudakis, C., Lopez, J. (eds) Trust, Privacy, and Security in Digital Business. TrustBus 2013. Lecture Notes in Computer Science, vol 8058. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40343-9_13


  • DOI: https://doi.org/10.1007/978-3-642-40343-9_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-40342-2

  • Online ISBN: 978-3-642-40343-9

  • eBook Packages: Computer Science (R0)
