A security metrics development method for software intensive systems

Reijo Savola

    Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

    5 Citations (Scopus)


    It is a widely accepted management principle that an activity cannot be managed well if it cannot be measured. Carefully designed security metrics can be used to offer evidence of the security behavior of the system under development or operation. We propose a systematic and holistic method for security metrics development for software intensive systems. The approach is security requirement-centric and threat- and vulnerability-driven. The high-level security requirements are expressed in terms of lower-level measurable components by applying a decomposition approach. Next, the feasibility of the basic measurable components is investigated, and more detailed metrics are developed based on selected components.
    Original language: English
    Title of host publication: Proceedings of the 3rd International Conference on Advances in Information Security and Its Application, ISA 2009
    Place of Publication: Heidelberg, Berlin
    ISBN (Print): 978-3-642-02632-4
    Publication status: Published - 2009
    MoE publication type: A4 Article in a conference publication

    Publication series

    Series: Communications in Computer and Information Science

