ABSTRACT
Organizations have moved their business activity to the Internet and to mobile applications, which exposes them to unexpected and underestimated security risks. This requires organizations to implement adequate security controls and to monitor and evaluate those controls on a regular basis. However, these tasks require strong arguments, in monetary terms, to justify the return on investment in the security controls. In this context, it is crucial for organizations to define metrics that assess the efficiency of the implemented controls and thereby justify the security investments. This paper presents some reflections on the definition of meaningful metrics for security controls, so as to deliver actionable information to decision makers for managing their organizational assets and ensuring their day-to-day operations.
Index Terms
- Security metrics to evaluate organizational IT security