Efficient Security Measurements and Metrics for Risk Assessment
Related papers
Metrics for Information Security - A literature review
2004
It is important to know how vulnerable systems are for a wide variety of reasons. Information Systems managers have the duty to advise senior management of the level of risks faced by the information systems. Therefore an assessment of the level of risk is necessary. Research work in this area is in its infancy. Further, the efforts are varied and deal with different aspects of the issue. There is no coherent approach. This paper provides a review of the literature and will be presenting a framework for analysis and development of metrics for security at the conference.
Information Security Metrics: State of the Art
Managing something that is not measured is difficult to near impossible, and Information Security is not an exception. Effective measurement and reporting are required in order to demonstrate compliance, improve the effectiveness and efficiency of controls, and ensure strategic alignment in an objective, reliable, and efficient manner. The main purpose of the report is to examine the present state of the art of information security measurement from an organizational standpoint and to present the reader with enough relevant information to facilitate a holistic understanding of the area. To a lesser degree, this document may be used as high-level guidance on the common challenges of information security measurement and possible ways of addressing them, and on where to find more in-depth information on the subject. This report is produced as part of the Controlled Information Security (COINS) research project funded by the Swedish Civil Contingencies Agency (MSB).
Performance Metrics for Information Security Risk Management
IEEE Security & Privacy Magazine, 2000
Qualitative methods are available for risk management, but better practice would use quantitative risk management based on expected losses and related metrics. Measuring the success of information security investments is best accomplished by measuring reductions in expected loss. "You can't control what you can't measure." (Tom DeMarco)
Procedia Manufacturing, 2020
Elements of good practice and principles of a risk-based approach are often used in measurement models to assess the level of security of an information resource. The practical problem of measuring the level of information security is the selection of an appropriate model, followed by measures and a method that are adequate for the specific organization. This brings to light a second problem: setting a proper method of binding them together to generate a consistent measure for determining the total information security level within the organization. The paper presents two models proposed by the authors for this use case. The proposed models can become the starting point for creating an information security evaluation system for each type of organization.
Measuring information security: understanding and selecting appropriate metrics
Thanks to the abundance of newspaper reports about data leaks, advocating for information security is no longer that difficult. On the practical side, however, information security professionals usually have a tough time when they have to demonstrate the value of information security to their organizations: they have so many metrics available that making the right selection is far from obvious. This paper is about understanding the metrics that are available and discussing how to use them in some specific less developed economies.
Towards a measurement framework for security risk management
2008
Risk management is currently a key tool for managing Information System (IS) security. In the context of the definition of an IS Security Risk Management (ISSRM) modelling language, we already defined the set of concepts and relationships taking place in the ISSRM domain within a UML class diagram. To extend this work and to support reasoning at the modelling language level, the objective is now to define the metrics available.
Security Metrics and Evaluation of Information Systems Security
The evaluation of information systems security is a process in which the evidence for assurance is identified, gathered, and analysed against criteria for security functionality and assurance level. This can result in a measure of trust that indicates how well the system meets a particular security target. However, as the complexity of information systems increases, it becomes increasingly hard to address security targets, and the concept of perfect security proves to be an unachievable goal for computer system developers, testers and users.
Information Security Assessment by Quantifying Risk Level of Network Vulnerabilities
With increasing dependency on IT infrastructure, the main objective of a system administrator is to maintain a stable and secure network and to ensure that the network is robust enough against malicious network users such as attackers and intruders. Security risk management provides a way to manage the growing threats to infrastructures or systems. This paper proposes a framework for risk level estimation that uses the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS). The proposed framework measures the frequency of vulnerability exploitation, combines this measured frequency with the standard CVSS score, and estimates the security risk level, which helps in automated and reasonable security management. In this paper, an equation for the Temporal score calculation with respect to the availability of a remediation plan is derived, and the frequency of exploitation is then calculated from the determined temporal score. The frequency of exploitation, along with the CVSS score, is used to calculate the security risk level of the system. The proposed framework uses the CVSS vectors for risk level estimation and measures the security level of a specific network environment, which assists system administrators in assessing security risks and making decisions related to their mitigation.
Towards the Application of Security Metrics at Different Stages of Information Systems
Journal of Global Research in Computer Sciences, 2011
A formal approach to the measurement of security in Information Systems is essential. However, little thought has been given to this aspect of the Information System life cycle. The security aspect of the system has received the least attention during the development process, while much focus has been given to the functionality provided by the system. As the threats in the operational environment increased, incorporating security gained attention. With such incorporation of security mechanisms, the question now is how secure we are and what the level of security in the system is. This question can be answered by applying security metrics and analysing the results. Security metrics play a vital role at every stage of Information Systems development and in the operational environment. This paper focuses on the applicability of security metrics at the different stages of the Information Systems life cycle and identifies some metrics fr...
Security Metrics and the Risks: An Overview
Measuring information security is difficult; it is difficult to have one metric that covers all types of devices. Security metrics are a standard used for measuring any organization's security. Good metrics are needed for analysts to answer many security-related questions. Effective measurement and reporting are required to improve the effectiveness and efficiency of controls and to ensure strategic alignment in an objective, reliable, and efficient manner. This paper provides an overview of security metrics and their definition, standards, advantages, types, problems, taxonomies, and risk assessment methods, and also classifies the security metrics and explains their risks.