Risk-driven security metrics in agile software development: An industrial pilot study

Reijo Savola, C. Frühwirth, A. Pietikäinen

    Research output: Contribution to journalArticleScientificpeer-review

    11 Citations (Scopus)

    Abstract

    The need for effective and efficient information security solutions is steadily increasing in the software industry. Software and system developers require practical and systematic approaches to obtain sufficient and credible evidence of the security level in the system under development in order to guide their efforts and ensure the efficient use of resources. We present experiences of developing and using hierarchical security metrics and measurements in an industrial pilot study at Ericsson Finland. The pilot focused on risk-driven security design and implementation in the context of an Agile software development process. The pilot target was a well-established telecommunications product of Ericsson and a core component in modern mobile networks. The results of the study demonstrate the practical potential of risk-driven security metrics, particularly in offering some early visibility of security effectiveness and efficiency. Hierarchical metrics models enable the linking of security objectives with detailed measurements. Security metrics visualization was found to play a crucial role in increasing the manageability of metrics. We also found that the practical means of managing larger collections of metrics and measurements are more essential than individual security metrics. A major challenge in the use of risk-driven security metrics is the lack of evidence for security effectiveness evidence in the early phases of product development and Risk Analysis, when the needs for it are at their greatest.
    Original languageEnglish
    Pages (from-to)1679-1702
    Number of pages23
    JournalJournal of Universal Computer Science
    Volume18
    Issue number12
    DOIs
    Publication statusPublished - 2012
    MoE publication typeA1 Journal article-refereed

    Fingerprint

    Software Development
    Software engineering
    Metric
    Risk analysis
    Security of data
    Visibility
    Product development
    Telecommunication
    Wireless networks
    Visualization
    Industry
    Software
    Information Security
    Software Process
    Risk Analysis
    Mobile Networks
    Product Development
    Telecommunications
    Development Process
    Linking

    Keywords

    • Agile SW Development
    • risk analysis
    • security metrics

    Cite this

    @article{c92d5d746dd84bd580140179e7d91895,
    title = "Risk-driven security metrics in agile software development: An industrial pilot study",
    abstract = "The need for effective and efficient information security solutions is steadily increasing in the software industry. Software and system developers require practical and systematic approaches to obtain sufficient and credible evidence of the security level in the system under development in order to guide their efforts and ensure the efficient use of resources. We present experiences of developing and using hierarchical security metrics and measurements in an industrial pilot study at Ericsson Finland. The pilot focused on risk-driven security design and implementation in the context of an Agile software development process. The pilot target was a well-established telecommunications product of Ericsson and a core component in modern mobile networks. The results of the study demonstrate the practical potential of risk-driven security metrics, particularly in offering some early visibility of security effectiveness and efficiency. Hierarchical metrics models enable the linking of security objectives with detailed measurements. Security metrics visualization was found to play a crucial role in increasing the manageability of metrics. We also found that the practical means of managing larger collections of metrics and measurements are more essential than individual security metrics. A major challenge in the use of risk-driven security metrics is the lack of evidence for security effectiveness evidence in the early phases of product development and Risk Analysis, when the needs for it are at their greatest.",
    keywords = "Agile SW Development, risk analysis, security metrics",
    author = "Reijo Savola and C. Fr{\"u}hwirth and A. Pietik{\"a}inen",
    year = "2012",
    doi = "10.3217/jucs-018-12-1679",
    language = "English",
    volume = "18",
    pages = "1679--1702",
    journal = "Journal of Universal Computer Science",
    issn = "0948-695X",
    publisher = "Technische Universitat Graz from Austria",
    number = "12",

    }

    Risk-driven security metrics in agile software development : An industrial pilot study. / Savola, Reijo; Frühwirth, C.; Pietikäinen, A.

    In: Journal of Universal Computer Science, Vol. 18, No. 12, 2012, p. 1679-1702.

    Research output: Contribution to journalArticleScientificpeer-review

    TY - JOUR

    T1 - Risk-driven security metrics in agile software development

    T2 - An industrial pilot study

    AU - Savola, Reijo

    AU - Frühwirth, C.

    AU - Pietikäinen, A.

    PY - 2012

    Y1 - 2012

    N2 - The need for effective and efficient information security solutions is steadily increasing in the software industry. Software and system developers require practical and systematic approaches to obtain sufficient and credible evidence of the security level in the system under development in order to guide their efforts and ensure the efficient use of resources. We present experiences of developing and using hierarchical security metrics and measurements in an industrial pilot study at Ericsson Finland. The pilot focused on risk-driven security design and implementation in the context of an Agile software development process. The pilot target was a well-established telecommunications product of Ericsson and a core component in modern mobile networks. The results of the study demonstrate the practical potential of risk-driven security metrics, particularly in offering some early visibility of security effectiveness and efficiency. Hierarchical metrics models enable the linking of security objectives with detailed measurements. Security metrics visualization was found to play a crucial role in increasing the manageability of metrics. We also found that the practical means of managing larger collections of metrics and measurements are more essential than individual security metrics. A major challenge in the use of risk-driven security metrics is the lack of evidence for security effectiveness evidence in the early phases of product development and Risk Analysis, when the needs for it are at their greatest.

    AB - The need for effective and efficient information security solutions is steadily increasing in the software industry. Software and system developers require practical and systematic approaches to obtain sufficient and credible evidence of the security level in the system under development in order to guide their efforts and ensure the efficient use of resources. We present experiences of developing and using hierarchical security metrics and measurements in an industrial pilot study at Ericsson Finland. The pilot focused on risk-driven security design and implementation in the context of an Agile software development process. The pilot target was a well-established telecommunications product of Ericsson and a core component in modern mobile networks. The results of the study demonstrate the practical potential of risk-driven security metrics, particularly in offering some early visibility of security effectiveness and efficiency. Hierarchical metrics models enable the linking of security objectives with detailed measurements. Security metrics visualization was found to play a crucial role in increasing the manageability of metrics. We also found that the practical means of managing larger collections of metrics and measurements are more essential than individual security metrics. A major challenge in the use of risk-driven security metrics is the lack of evidence for security effectiveness evidence in the early phases of product development and Risk Analysis, when the needs for it are at their greatest.

    KW - Agile SW Development

    KW - risk analysis

    KW - security metrics

    U2 - 10.3217/jucs-018-12-1679

    DO - 10.3217/jucs-018-12-1679

    M3 - Article

    VL - 18

    SP - 1679

    EP - 1702

    JO - Journal of Universal Computer Science

    JF - Journal of Universal Computer Science

    SN - 0948-695X

    IS - 12

    ER -