
Why to adopt a security metric? A brief survey

  • Conference paper, in the book Quality of Protection

Part of the book series: Advances in Information Security (ADIS, volume 23)

Abstract

No doubt computer security is a hot topic nowadays: given the importance of computer-assisted activities, protection of computer systems is of the utmost importance. However, we have so far failed to evaluate the actual security level of a system and thus to justify (in either technical or economic terms) the investments in security. This paper highlights the motivations to improve security measurement techniques, analyses the existing approaches, and discusses whether they are appropriate or whether new directions should be explored.

This work is part of the POSITIF project, funded by the EC under contract IST-2002-002314.



© 2006 Springer Science+Business Media, LLC.

About this paper

Cite this paper

Atzeni, A., Lioy, A. (2006). Why to adopt a security metric? A brief survey. In: Gollmann, D., Massacci, F., Yautsiukhin, A. (eds) Quality of Protection. Advances in Information Security, vol 23. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-36584-8_1


  • DOI: https://doi.org/10.1007/978-0-387-36584-8_1

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-29016-4

  • Online ISBN: 978-0-387-36584-8
