Quality of security metrics and measurements

Reijo Savola (Corresponding Author)

Research output: Contribution to journal › Article › Scientific › peer-review

27 Citations (Scopus)

Abstract

Quantification of information security can be used to obtain evidence to support decision-making about the security performance of software systems. Knowledge about the relational importance of the main quality criteria of security metrics can help build security metrology models based on practical needs. This paper presents the results of a quantitative security metrics expert survey of 141 respondents, and an associated interview study, regarding the prioritization of 19 quality criteria of security metrics identified in the literature. The interviews were used to validate the survey results and to obtain further information on the findings. The results identified three foundational quality criteria of security metrics: correctness, measurability, and meaningfulness. These criteria form the basis for credibility and sufficiency for security metrics and associated measurements. Moreover, usability was seen as an important criterion. The paper analyzes the foundational and related quality criteria and proposes a model of them.
Original language: English
Pages (from-to): 78-90
Number of pages: 12
Journal: Computers and Security
Volume: 37
DOIs: 10.1016/j.cose.2013.05.002
Publication status: Published - 2013
MoE publication type: A1 Journal article-refereed

Keywords

  • expert opinion survey
  • quality of security metrics
  • security effectiveness
  • security metrics
  • security quantification

Cite this

@article{162637d31df94972a8f30fb1ee161a9c,
title = "Quality of security metrics and measurements",
abstract = "Quantification of information security can be used to obtain evidence to support decision-making about the security performance of software systems. Knowledge about the relational importance of the main quality criteria of security metrics can help build security metrology models based on practical needs. This paper presents the results of a quantitative security metrics expert survey of 141 respondents, and an associated interview study, regarding the prioritization of 19 quality criteria of security metrics identified in the literature. The interviews were used to validate the survey results and to obtain further information on the findings. The results identified three foundational quality criteria of security metrics: correctness, measurability, and meaningfulness. These criteria form the basis for credibility and sufficiency for security metrics and associated measurements. Moreover, usability was seen as an important criterion. The paper analyzes the foundational and related quality criteria and proposes a model of them.",
keywords = "expert opinion survey, quality of security metrics, security effectiveness, security metrics, security quantification",
author = "Reijo Savola",
year = "2013",
doi = "10.1016/j.cose.2013.05.002",
language = "English",
volume = "37",
pages = "78--90",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier",
}

Quality of security metrics and measurements. / Savola, Reijo (Corresponding Author).

In: Computers and Security, Vol. 37, 2013, p. 78-90.

TY - JOUR

T1 - Quality of security metrics and measurements

AU - Savola, Reijo

PY - 2013

Y1 - 2013

N2 - Quantification of information security can be used to obtain evidence to support decision-making about the security performance of software systems. Knowledge about the relational importance of the main quality criteria of security metrics can help build security metrology models based on practical needs. This paper presents the results of a quantitative security metrics expert survey of 141 respondents, and an associated interview study, regarding the prioritization of 19 quality criteria of security metrics identified in the literature. The interviews were used to validate the survey results and to obtain further information on the findings. The results identified three foundational quality criteria of security metrics: correctness, measurability, and meaningfulness. These criteria form the basis for credibility and sufficiency for security metrics and associated measurements. Moreover, usability was seen as an important criterion. The paper analyzes the foundational and related quality criteria and proposes a model of them.

AB - Quantification of information security can be used to obtain evidence to support decision-making about the security performance of software systems. Knowledge about the relational importance of the main quality criteria of security metrics can help build security metrology models based on practical needs. This paper presents the results of a quantitative security metrics expert survey of 141 respondents, and an associated interview study, regarding the prioritization of 19 quality criteria of security metrics identified in the literature. The interviews were used to validate the survey results and to obtain further information on the findings. The results identified three foundational quality criteria of security metrics: correctness, measurability, and meaningfulness. These criteria form the basis for credibility and sufficiency for security metrics and associated measurements. Moreover, usability was seen as an important criterion. The paper analyzes the foundational and related quality criteria and proposes a model of them.

KW - expert opinion survey

KW - quality of security metrics

KW - security effectiveness

KW - security metrics

KW - security quantification

U2 - 10.1016/j.cose.2013.05.002

DO - 10.1016/j.cose.2013.05.002

M3 - Article

VL - 37

SP - 78

EP - 90

JO - Computers and Security

JF - Computers and Security

SN - 0167-4048

ER -