• DocumentCode
    2265827
  • Title

    Using security metrics coupled with predictive modeling and simulation to assess security processes

  • Author

    Beres, Yolanta ; Mont, Marco Casassa ; Griffin, Jonathan ; Shiu, Simon

  • Author_Institution
    HP Labs., UK
  • fYear
    2009
  • fDate
    15-16 Oct. 2009
  • Firstpage
    564
  • Lastpage
    573
  • Abstract
    It is hard for security practitioners and decision-makers to know what level of protection they are getting from their investments in security, especially when they have invested in a number of technologies and processes which interact and combine together. It is even harder to estimate how well these investments can be expected to protect their organizations in the future as security policies, regulations and the threat environment are constantly changing. In this paper we propose that for measuring the effectiveness of security processes in large organizations, a greater emphasis needs to be put on process-based metrics, in contrast to the more commonly used symptomatic lagging indicators. We show, by means of two case studies, how these process-based metrics can be combined with executable, predictive models, based on a sound mathematical foundation, to both assess organizations\´ security processes under current conditions and predict how well they are likely to perform in potential future scenarios, which may include changes in working practices, policies or threat levels, or new investments in security. We present two case studies, in the areas of vulnerability threat management, and identity and access management, as significant examples to illustrate how this modeling and simulation-based approach can be used to provide a rich picture of how well existing security processes are protecting the organization and to answer "what-if" questions, such as exploring the effects of a change in security policy or an investment in new security technology. Our approach enables the organization to apply the metrics that are most relevant to its business, and provide a comprehensive view that shows the benefits and losses to the different stakeholders.
  • Keywords
    DP management; security of data; software metrics; large business organization; predictive modeling; process-based security metrics; security investments; security process assessment; Predictive models; Security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Empirical Software Engineering and Measurement, 2009. ESEM 2009. 3rd International Symposium on
  • Conference_Location
    Lake Buena Vista, FL
  • ISSN
    1938-6451
  • Print_ISBN
    978-1-4244-4842-5
  • Electronic_ISBN
    1938-6451
  • Type

    conf

  • DOI
    10.1109/ESEM.2009.5314213
  • Filename
    5314213