It is a widely accepted management principle that an activity cannot be managed well if it cannot be measured. Carefully designed security metrics can offer evidence of the security behaviour of a system under development or in operation. We propose a systematic and holistic method for developing security metrics for software-intensive systems. The approach is security-requirement-centric and threat- and vulnerability-driven. High-level security requirements are expressed in terms of lower-level measurable components by applying a decomposition approach. Next, the feasibility of the basic measurable components is investigated, and more detailed metrics are developed from the selected components.
| Field | Value |
|---|---|
| Title of host publication | Proceedings of the 3rd International Conference on Advances in Information Security and Its Application, ISA 2009 |
| Place of publication | Heidelberg, Berlin |
| Publication status | Published - 2009 |
| MoE publication type | A4 Article in a conference publication |
| Series | Communications in Computer and Information Science |
Savola, R. (2009). A security metrics development method for software intensive systems. In Proceedings of the 3rd International Conference on Advances in Information Security and Its Application, ISA 2009 (pp. 11-16). Springer. Communications in Computer and Information Science, Vol. 36. https://doi.org/10.1007/978-3-642-02633-1_2