• DocumentCode
    3369211
  • Title

    Towards a Security Metrics Taxonomy for the Information and Communication Technology Industry

  • Author

    Savola, Reijo

  • Author_Institution
    VTT Tech. Res. Centre of Finland, Oulu
  • fYear
    2007
  • fDate
    25-31 Aug. 2007
  • Firstpage
    60
  • Lastpage
    60
  • Abstract
    To obtain evidence of the security of different products or organizations, systematic approaches to measuring security are needed. We introduce a high abstraction level taxonomy to support the development of feasible security metrics, along with a survey of the emerging security metrics from the academic, governmental and industrial perspectives. With our taxonomy, we strive to bridge the gap between information security management and ICT products and services security engineering. We believe that if common metrics approaches between different security disciplines can be found, this will advance our holistic understanding and capabilities, both in security management and engineering. Our taxonomy is based on comparing earlier taxonomy approaches and analyzing types of security metrics. Based on the survey, a discussion of future research directions is given in order to prompt advances in the field.
  • Keywords
    DP industry; DP management; security of data; information and communication technology industry; information security management; security metrics; Bridges; Communication industry; Communication system security; Communications technology; Current measurement; Engineering management; Information management; Information security; Proposals; Taxonomy;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Software Engineering Advances, 2007. ICSEA 2007. International Conference on
  • Conference_Location
    Cap Esterel
  • Print_ISBN
    0-7695-2937-2
  • Electronic_ISBN
    978-0-7695-2937-0
  • Type

    conf

  • DOI
    10.1109/ICSEA.2007.79
  • Filename
    4299940