Abstract
This paper presents some ideas on defining and implementing a new Cyber-security risk metric for measuring the readiness of organisations, in terms of the availability of their resources, in dealing with new attack incidents launched against their infrastructures whilst recovering from ongoing incidents. Our new metric, the Mean Blind Spot, is defined as the average interval between the recovery time of an existing incident and the occurrence time of a new incident. It is therefore designed to capture those time intervals where the organisation is most vulnerable due to possible lack of available resources. We present an approach for implementing our new metric using open data on security incidents available from the VERIS community dataset.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Black, P.E., Scarfone, K., Souppaya, M.: Cyber security metrics and measures. In: Voeller, J.G. (ed.) Wiley Handbook of Science and Technology for Homeland Security, Chap. 5, pp. 1–15. Wiley, London (2008)
Chew, E., Swanson, M., Stine, K., Bartol, N., Brown, A., Robinson, W.: Performance measurement guide for information security. Technical report 800–55 Revision 1, National Institute of Standards and Technology, July 2008
Hoo, K.J.S.: How Much is Enough? A Risk-Management Approach to Computer Security (2000)
The Center for Internet Security: CIS Security Metrics v1.1.0, November 2010
Kayworth, T., Whitten, D.: Effective information security requires a balance of social and technology factors. MIS Q. Executive 9(3) (2012). http://ssrn.com/abstract=2058035
Kwon, J., Ulmer, J.R., Wang, T.: The association between top management involvement and compensation and information security breaches. J. Inf. Syst. 27(1), 219–236 (2013). http://dx.doi.org/10.2308/isys-50339
P-Lippmann, R., Riordan, J.F., Yu, T.H., Watson, K.K.: Continuous security metrics for prevalent network threats: introduction and first four metrics. Technical report ESC-TR-2010-099, Massachusetts Institute of Technology (2012)
Payne, S.C.: A guide to security metrics. Technical report SANS Security Essentials GSEC Practical Assignment, Version 1.2e, Escal Institute of Advanced Technologies, Inc. (The SANS Institute), June 2006
von Solms, B., von Solms, R.: From information security to. business security? Comput. Secur. 24(4), 271–273 (2005)
Swanson, M., Bartol, N., Sabato, J., Hash, J., Graffo, L.: Security metrics guide for information technology systems. Technical report 800–55, National Institute of Standards and Technology, July 2003
International Telecommunication Union: A Cybersecurity indicator of risk to enhance confidence and security in the use of telecommunication/information and communication technologies. Technical report X.1208, International Telecommunication Union (2014)
Verendel, V.: Quantified security is a weak hypothesis: a critical survey of results and assumptions. In: Proceedings of the 2009 Workshop on New Security Paradigms Workshop, NSPW 2009, pp. 37–50. ACM, New York (2009)
VERIZON: The Vocabulary for Event Recording and Incident Sharing (VERIS). http://veriscommunity.net/, Accessed 21 Nov 2016
VERIZON: VERIS Community Database. http://vcdb.org/, Accessed 21 Nov 2016
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Aziz, B., Malik, A., Jung, J. (2017). Check Your Blind Spot: A New Cyber-Security Metric for Measuring Incident Response Readiness. In: Großmann, J., Felderer, M., Seehusen, F. (eds) Risk Assessment and Risk-Driven Quality Assurance. RISK 2016. Lecture Notes in Computer Science(), vol 10224. Springer, Cham. https://doi.org/10.1007/978-3-319-57858-3_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-57858-3_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-57857-6
Online ISBN: 978-3-319-57858-3
eBook Packages: Computer ScienceComputer Science (R0)