Improving residual risk management through the use of security metrics

Introduction Reported security breaches over the last 3 years suggest that a large number of security procedures are not currently operating at full effectiveness. Security breaches have ranged from the loss of personal details of 25 million UK citizens to the disclosure of national security information assets. It is highly likely that the organisations involved in these security breaches performed risk assessments for their information assets and implemented a range of security controls to manage these risks, leading to the resulting residual risks being within acceptable risk appetites. But as investigations into security breaches have shown, these controls are often ignored, bypassed or incorrectly implemented [ICO07]. Organisations may not currently understand how ineffectively their security controls are being managed, resulting in higher levels of risk exposure through controls operating at below optimal effectiveness. By introducing real world effectiveness measurements into an organisation’s risk management activities, organisations can improve their understanding of their current risk exposure. Research We have found that a number of organisational issues exist with the use of security metrics in measuring control effectiveness, which can be summarised as follows: * Metrics that measure effectiveness can be difficult to define. * Resulting measurements can be difficult to interpret by non-security professionals. * Effectiveness metrics cannot be easily compared to allow benchmarking of an organisation’s performance. Our research has concluded that there is a gap in current IT governance models and management best practices for the definition of how to measure the effectiveness of security controls. While these standards do recognise the requirement for continual assessment of operational effectiveness, the definition of these measurements and how to interpret the results are left to the organisation. Information Security Effectiveness Framework (ISEF) This project introduces ISEF, a framework that assists organisations in defining, visualising and comparing security metrics. The framework uses the concept of grouping controls based on their implementation type and temporal objectives to present common characteristics that can be measured. The framework uses the relationship between controls and risks to align security metrics against organisational risk, and visualises these to support the direction of remedial efforts. The ISEF is designed to complement current IT governance models and standards such as COBIT and ISO27002. This is provided by its alignment with these ‘what’ should be done models and standards by providing the ‘how’. The ISEF provides a method of comparing security metrics based on the financial stock markets indices. This allows the comparison of security control management between organisations and allows the organisations to benchmark themselves against peers without revealing specific security control information. Conclusion A case study using ISEF has shown that the framework provides a method for defining metrics in order to obtain real world data to modify current residual risk levels. For organisations with a risk management approach, the framework can visualise effectiveness in the context of risk allowing resources to be focused on improving security management where it will make the greatest risk reduction

A Comprehensive Survey on Routing and Security in Mobile Wireless Sensor Networks

With the continuous advances in mobile wirelesssensor networks (MWSNs), the research community hasresponded to the challenges and constraints in the design of thesenetworks by proposing efficient routing protocols that focus onparticular performance metrics such as residual energy utilization,mobility, topology, scalability, localization, data collection routing,Quality of Service (QoS), etc. In addition, the introduction ofmobility in WSN has brought new challenges for the routing,stability, security, and reliability of WSNs. Therefore, in thisarticle, we present a comprehensive and meticulous investigationin the routing protocols and security challenges in the theory ofMWSNs which was developed in recent years

A Comprehensive Survey on Routing and Security in Mobile Wireless Sensor Networks

With the continuous advances in mobile wirelesssensor networks (MWSNs), the research community hasresponded to the challenges and constraints in the design of thesenetworks by proposing efficient routing protocols that focus onparticular performance metrics such as residual energy utilization,mobility, topology, scalability, localization, data collection routing,Quality of Service (QoS), etc. In addition, the introduction ofmobility in WSN has brought new challenges for the routing,stability, security, and reliability of WSNs. Therefore, in thisarticle, we present a comprehensive and meticulous investigationin the routing protocols and security challenges in the theory ofMWSNs which was developed in recent years

Developing Secure Systems: A Comparative Study of Existing Methodologies

With the increasing demand for developing high-quality and more reliable systems, the process of developing trustworthy computer software is a challenging one. In this paper, we review various approaches to producing more secure systems. This includes established general principles for designing secure systems. It also provides an introduction to general software quality measurements including existing software security metrics. This paper also includes a comparison of the various security metrics for developing secure systems (i.e., architectural, design, and code-level metrics). Lastly, the paper examines the approach of refactoring, illustrates its objectives, and shows how refactoring is generally used for enhancing the quality of existing programs from the perspective of information security. At the end of this paper, we provide a discussion of these three approaches and how they can be used to provide guidance for future secure software development processes

Estimating Impact and Frequency of Risks to Safety and Mission Critical Systems Using CVSS

Many safety and mission critical systems depend on the correct and secure operation of both supportive and core software systems. E.g., both the safety of personnel and the effective execution of core missions on an oil platform depend on the correct recording storing, transfer and interpretation of data, such as that for the Logging While Drilling (LWD) and Measurement While Drilling (MWD) subsystems. Here, data is recorded on site, packaged and then transferred to an on-shore operational centre. Today, the data is transferred on dedicated communication channels to ensure a secure and safe transfer, free from deliberately and accidental faults. However, as the cost control is ever more important some of the transfer will be over remotely accessible infrastructure in the future. Thus, communication will be prone to known security vulnerabilities exploitable by outsiders. This paper presents a model that estimates risk level of known vulnerabilities as a combination of frequency and impact estimates derived from the Common Vulnerability Scoring System (CVSS). The model is implemented as a Bayesian Belief Network (BBN)

Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, the current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from literature, this paper proposes the Enterprise Information Security Policy Assessment approach that expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach