Technical Security Metrics Model in Compliance with ISO/IEC 27001 Standard

Technical security metrics provide measurements in ensuring the effectiveness of technical security controls or technology devices/objects that are used in protecting the information systems. However, lack of understanding and method to develop the technical security metrics may lead to unachievable security control objectives and inefficient implementation. This paper proposes a model of technical security metrics to measure the effectiveness of network security management. The measurement is based on the security performance for (1) network security controls such as firewall, Intrusion Detection Prevention System (IDPS), switch, wireless access point and network architecture; and (2) network services such as Hypertext Transfer Protocol Secure (HTTPS) and virtual private network (VPN). The methodology used is Plan-Do-Check-Act process model. The proposed technical security metrics provide guidance for organizations in complying with requirements of ISO/IEC 27001 Information Security Management System (ISMS) standard. The proposed model should also be able to provide a comprehensive measurement and guide to use ISO/IEC 27004 ISMS Measurement standard

Technical Security Metrics Model in Compliance with ISO/IEC 27001 Standard

Technical security metrics provide measurements in ensuring the effectiveness of technical security controls or technology devices/objects that are used in protecting the information systems. However, lack of understanding and method to develop the technical security metrics may lead to unachievable security control objectives and inefficient implementation. This paper proposes a model of technical security metrics to measure the effectiveness of network security management. The measurement is based on the security performance for (1) network security controls such as firewall, Intrusion Detection Prevention System (IDPS), switch, wireless access point and network architecture; and (2) network services such as Hypertext Transfer Protocol Secure (HTTPS) and virtual private network (VPN). The methodology used is Plan-Do-Check-Act process model. The proposed technical security metrics provide guidance for organizations in complying with requirements of ISO/IEC 27001 Information Security Management System (ISMS) standard. The proposed model should also be able to provide a comprehensive measurement and guide to use ISO/IEC 27004 ISMS Measurement standard

Measuring Security Requirements for Software Security

For the last decade’s software security has gained attention by industries, experts and all other communities. Secure software is about mitigating risks from assets to achieve business goals. Security is highly depending on the context where software is deployed. But measuring software security even within a specific context is still not mature. This is because properties and metrics for measuring security are not properly defined and methods are lacking to provide a complete picture for measuring software security. Here we identify security requirements through asset based risk management process to describe soft ware security goal. Then based on the Goal-Question-Metric approach the identified security requirements are evaluated for measuring software security

Measuring security requirements for software security

For the last decade's software security has gained attention by industries, experts and all other communities. Secure software is about mitigating risks from assets to achieve business goals. Security is highly depending on the context where software is deployed. But measuring software security even within a specific context is still not mature. This is because properties and metrics for measuring security are not properly defined and methods are lacking to provide a complete picture for measuring software security. Here we identify security requirements through asset based risk management process to describe soft ware security goal. Then based on the Goal-Question-Metric approach the identified security requirements are evaluated for measuring software security

Requirements for IT Security Metrics - an Argumentation Theory Based Approach

The demand for measuring IT security performance is driven by regulatory, financial, and organizational factors. While several best practice metrics have been suggested, we observe a lack of consistent requirements against which IT security metrics can be evaluated. We address this research gap by adopting a methodological approach that is based on argumentation theory and an accompanying literature review. As a result, we derive five key requirements: IT security metrics should be (a) bounded, (b) metrically scaled, (c) reliable, valid and objective, (d) context-specific and (e) computed automatically. We illustrate and discuss the context-specific instantiation of requirements by using the practically used vulnerability scanning coverage and mean-time-to-incident discovery metrics as examples. Finally we summarize further implications of each requirement

A revised framework of information security principles

Confidentiality, Integrity and Availability are referred to as the basic principles of Information Security. These principles have remained virtually un-changed over time, but several authors argue they are clearly insufficient to pro-tect information. Others go a step further and propose new security principles, to update and complement the traditional ones. Prompt by this context, the aim of this work is to revise the framework of Information Security principles, making it more current, complete, and comprehensive. Based on a systematic literature re-view, a set of Information Security principles is identified, defined and character-ized, which, subsequently, leads to a proposal of a Revised Framework of Infor-mation Security Principles. This framework was evaluated in terms of completeness and wholeness by intersecting it with a catalog of threats, which re-sulted from the merger of four existing catalogs. An initial set of security metrics, applied directly to the principles that constitute the framework, is also suggested, allowing, in case of adverse events, to assess the extent to which each principle was compromised and to evaluate the global effectiveness of the information pro-tection efforts.Programa Operacional Fatores de Competitividade – COMPETE and National funds by FCT – Fundação para a Ciência e Tecnologia under Project FCOMP-01-0124-FEDER-022674