Abstract
There is no doubt that computer security is a hot topic nowadays: given the importance of computer-assisted activities, the protection of computer systems is of the utmost importance. However, we have so far failed to evaluate the actual security level of a system and thus to justify (in either technical or economic terms) the investments made in security. This paper highlights the motivations for improving security measurement techniques, analyses the existing approaches, and discusses whether they are appropriate or whether new directions should be explored.
This work is part of the POSITIF project, funded by the EC under contract IST-2002-002314.
Copyright information
© 2006 Springer Science+Business Media, LLC.
About this paper
Cite this paper
Atzeni, A., Lioy, A. (2006). Why to adopt a security metric? A brief survey. In: Gollmann, D., Massacci, F., Yautsiukhin, A. (eds) Quality of Protection. Advances in Information Security, vol 23. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-36584-8_1
DOI: https://doi.org/10.1007/978-0-387-36584-8_1
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-29016-4
Online ISBN: 978-0-387-36584-8