DocumentCode
2265827
Title
Using security metrics coupled with predictive modeling and simulation to assess security processes
Author
Beres, Yolanta ; Mont, Marco Casassa ; Griffin, Jonathan ; Shiu, Simon
Author_Institution
HP Labs., UK
fYear
2009
fDate
15-16 Oct. 2009
Firstpage
564
Lastpage
573
Abstract
It is hard for security practitioners and decision-makers to know what level of protection they are getting from their investments in security, especially when they have invested in a number of technologies and processes which interact and combine together. It is even harder to estimate how well these investments can be expected to protect their organizations in the future as security policies, regulations and the threat environment are constantly changing. In this paper we propose that for measuring the effectiveness of security processes in large organizations, a greater emphasis needs to be put on process-based metrics, in contrast to the more commonly used symptomatic lagging indicators. We show, by means of two case studies, how these process-based metrics can be combined with executable, predictive models, based on a sound mathematical foundation, to both assess organizations\´ security processes under current conditions and predict how well they are likely to perform in potential future scenarios, which may include changes in working practices, policies or threat levels, or new investments in security. We present two case studies, in the areas of vulnerability threat management, and identity and access management, as significant examples to illustrate how this modeling and simulation-based approach can be used to provide a rich picture of how well existing security processes are protecting the organization and to answer "what-if" questions, such as exploring the effects of a change in security policy or an investment in new security technology. Our approach enables the organization to apply the metrics that are most relevant to its business, and provide a comprehensive view that shows the benefits and losses to the different stakeholders.
Keywords
DP management; security of data; software metrics; large business organization; predictive modeling; process-based security metrics; security investments; security process assessment; Predictive models; Security;
fLanguage
English
Publisher
ieee
Conference_Titel
Empirical Software Engineering and Measurement, 2009. ESEM 2009. 3rd International Symposium on
Conference_Location
Lake Buena Vista, FL
ISSN
1938-6451
Print_ISBN
978-1-4244-4842-5
Electronic_ISBN
1938-6451
Type
conf
DOI
10.1109/ESEM.2009.5314213
Filename
5314213
Link To Document