Measurement of Information Security in Processes and Products

  • Reijo Savola
  • Juhani Anttila
  • Anni Sademies
  • Jorma Kajava
  • Jarkko Holappa
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 193)

Abstract

In order to better understand information security performance in products, processes, technical systems or organizations as a whole, and to plan, control and improve it, security engineers, system developers and business managers must be able to obtain early feedback on the security level actually achieved. Systematic security metrics provide the means for managing security-related measurements comprehensively. We reflect on the use of information security metrics by presenting the results of an interview study carried out in Finnish industrial companies and State institutions. Furthermore, we discuss the application of security measurements from the business-process and technical points of view. The role of technical security metrics is analyzed using mobile ad hoc networks as a case example.

Key words

security metrics, information security, process performance, security measurement, mobile ad hoc networks

Copyright information

© International Federation for Information Processing 2005

Authors and Affiliations

  • Reijo Savola (1)
  • Juhani Anttila (2)
  • Anni Sademies (1)
  • Jorma Kajava (3)
  • Jarkko Holappa (1)

  1. VTT Technical Research Centre of Finland, Oulu, Finland
  2. Quality Integration, Helsinki, Finland
  3. University of Oulu, Oulu, Finland