Abstract
This paper proposes a self-assessment framework that allows a user to determine which security metrics are feasible for that user's specific ISMS. To achieve this, a metric catalogue containing 95 metrics from different sources was created. The catalogue was enhanced by ascertaining, for each metric, the requirements that must be fulfilled before the metric can be used, as well as the ISO 27001 clauses and controls whose effectiveness the metric measures. During an assessment, the user indicates which requirements are fulfilled. After the assessment, a list of feasible metrics, the number of feasible metrics per ISO 27001 clause and control, and other information are generated as assessment results. A software prototype was created as a proof of concept. The results of the study were evaluated by external experts, which validated the composition of the metric catalogue, the design of the self-assessment framework and the value of the prototype, and helped to identify areas of improvement and future work.
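The assessment logic the abstract describes (a catalogue of metrics, each annotated with the requirements it needs and the ISO 27001 clauses or controls it measures; the user states which requirements are fulfilled; the framework returns the feasible metrics and counts per clause or control) can be illustrated with a small worked example. The code below is an added illustration, not the paper's prototype or its 95-metric catalogue: the metric names, requirement labels and sample assessment input are constructed for this example, and the clause and control identifiers are used only as illustrative labels in the ISO/IEC 27001:2005 numbering style. It also goes slightly beyond the abstract by ranking the unmet requirements by how many catalogue metrics they block, which is the kind of "other information" a practitioner would want when deciding what capability to build next.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Metric:
    """One catalogue entry: what the metric needs and what it measures."""
    name: str
    requirements: frozenset   # data sources / capabilities that must exist
    controls: frozenset       # ISO 27001 clauses and controls it measures


# Constructed sample catalogue (NOT the paper's catalogue). Control
# identifiers are illustrative labels in ISO/IEC 27001:2005 Annex A style.
CATALOGUE = [
    Metric("Mean time to patch critical vulnerabilities",
           frozenset({"vulnerability scanner", "patch management records"}),
           frozenset({"A.12.6.1"})),
    Metric("Percentage of systems patched within SLA",
           frozenset({"patch management records", "endpoint inventory"}),
           frozenset({"A.12.6.1"})),
    Metric("Percentage of systems with current anti-malware signatures",
           frozenset({"endpoint inventory", "anti-malware console"}),
           frozenset({"A.10.4.1"})),
    Metric("Mean time to contain security incidents",
           frozenset({"incident ticketing system"}),
           frozenset({"A.13.2.1", "4.2.3"})),
    Metric("Percentage of user accounts reviewed in the last quarter",
           frozenset({"identity directory", "access review records"}),
           frozenset({"A.11.2.4"})),
    Metric("Number of critical vulnerabilities open for more than 30 days",
           frozenset({"vulnerability scanner"}),
           frozenset({"A.12.6.1", "4.2.3"})),
]


def feasible_metrics(catalogue, fulfilled):
    """A metric is feasible when every requirement it lists is fulfilled."""
    fulfilled = frozenset(fulfilled)
    return [m for m in catalogue if m.requirements <= fulfilled]


def metrics_per_control(metrics):
    """Count how many feasible metrics cover each clause or control."""
    counts = Counter()
    for m in metrics:
        counts.update(m.controls)
    return dict(counts)


def blocking_requirements(catalogue, fulfilled):
    """For each unmet requirement, count the catalogue metrics it blocks.

    A requirement with a high count is the capability whose introduction
    would unlock the most additional metrics.
    """
    fulfilled = frozenset(fulfilled)
    impact = Counter()
    for m in catalogue:
        missing = m.requirements - fulfilled
        impact.update(missing)          # no-op when nothing is missing
    return dict(impact)


def assess(catalogue, fulfilled):
    """Run one self-assessment and return the result bundle."""
    feasible = feasible_metrics(catalogue, fulfilled)
    return {
        "feasible": [m.name for m in feasible],
        "per_control": metrics_per_control(feasible),
        "blocking": blocking_requirements(catalogue, fulfilled),
    }


if __name__ == "__main__":
    # Constructed assessment input: the organisation has a scanner and a
    # ticketing system but no patch, endpoint or identity data sources.
    result = assess(CATALOGUE, {"vulnerability scanner",
                                "incident ticketing system"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the sample input, two of the six constructed metrics are feasible, clause 4.2.3 is covered by both of them, and "patch management records" and "endpoint inventory" each block two metrics, so either would be the next capability to add.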
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Heinzle, B., Furnell, S. (2013). Assessing the Feasibility of Security Metrics. In: Furnell, S., Lambrinoudakis, C., Lopez, J. (eds) Trust, Privacy, and Security in Digital Business. TrustBus 2013. Lecture Notes in Computer Science, vol 8058. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40343-9_13
DOI: https://doi.org/10.1007/978-3-642-40343-9_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40342-2
Online ISBN: 978-3-642-40343-9