Abstract
In order to obtain evidence of the security and privacy issues of
products, services or an organization, systematic approaches to measuring
security are needed. In this study we survey the emerging security metrics
approaches from the academic, governmental and industrial perspectives. We aim
to bridge the gaps between business management, information security
management and ICT product security practices. If appropriate security metrics
can be made to offer a quantitative and objective basis for security assurance,
it would be easier to make business and engineering decisions concerning
information security. We believe that being able to express a high-level
taxonomy of security metrics will help the actual process of developing
feasible composite metrics even for complex situations. A well-defined
taxonomy can be used to enhance the composition of feasible security metrics
all the way from business management to the lowest level of technical detail.
Information security management and business management, on the one hand, and
software security and network security engineering, on the other, have been
handled as separate areas. Common metrics approaches can be used to bridge the
gaps between them.
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | Proceedings of the Innovative Minds Conference, ISSA 2008 |
| Pages | 379-390 |
| Publication status | Published - 2008 |
| MoE publication type | A4 Article in a conference publication |
| Event | Innovative Minds Conference, ISSA 2008 - Pretoria, South Africa |
| Duration | 7 Jul 2008 → 9 Jul 2008 |
Conference
| Field | Value |
|---|---|
| Conference | Innovative Minds Conference, ISSA 2008 |
| Abbreviated title | ISSA 2008 |
| Country/Territory | South Africa |
| City | Pretoria |
| Period | 7/07/08 → 9/07/08 |