Risk-driven security metrics in agile software development

An industrial pilot study

Reijo Savola, C. Frühwirth, A. Pietikäinen

Research output: Contribution to journalArticleScientificpeer-review

11 Citations (Scopus)

Abstract

The need for effective and efficient information security solutions is steadily increasing in the software industry. Software and system developers require practical and systematic approaches to obtain sufficient and credible evidence of the security level in the system under development in order to guide their efforts and ensure the efficient use of resources. We present experiences of developing and using hierarchical security metrics and measurements in an industrial pilot study at Ericsson Finland. The pilot focused on risk-driven security design and implementation in the context of an Agile software development process. The pilot target was a well-established telecommunications product of Ericsson and a core component in modern mobile networks. The results of the study demonstrate the practical potential of risk-driven security metrics, particularly in offering some early visibility of security effectiveness and efficiency. Hierarchical metrics models enable the linking of security objectives with detailed measurements. Security metrics visualization was found to play a crucial role in increasing the manageability of metrics. We also found that the practical means of managing larger collections of metrics and measurements are more essential than individual security metrics. A major challenge in the use of risk-driven security metrics is the lack of evidence for security effectiveness evidence in the early phases of product development and Risk Analysis, when the needs for it are at their greatest.
Original languageEnglish
Pages (from-to)1679-1702
Number of pages23
JournalJournal of Universal Computer Science
Volume18
Issue number12
DOIs
Publication statusPublished - 2012
MoE publication typeA1 Journal article-refereed

Fingerprint

Software Development
Software engineering
Metric
Risk analysis
Security of data
Visibility
Product development
Telecommunication
Wireless networks
Visualization
Industry
Software
Information Security
Software Process
Risk Analysis
Mobile Networks
Product Development
Telecommunications
Development Process
Linking

Keywords

  • Agile SW Development
  • risk analysis
  • security metrics

Cite this

@article{c92d5d746dd84bd580140179e7d91895,
title = "Risk-driven security metrics in agile software development: An industrial pilot study",
abstract = "The need for effective and efficient information security solutions is steadily increasing in the software industry. Software and system developers require practical and systematic approaches to obtain sufficient and credible evidence of the security level in the system under development in order to guide their efforts and ensure the efficient use of resources. We present experiences of developing and using hierarchical security metrics and measurements in an industrial pilot study at Ericsson Finland. The pilot focused on risk-driven security design and implementation in the context of an Agile software development process. The pilot target was a well-established telecommunications product of Ericsson and a core component in modern mobile networks. The results of the study demonstrate the practical potential of risk-driven security metrics, particularly in offering some early visibility of security effectiveness and efficiency. Hierarchical metrics models enable the linking of security objectives with detailed measurements. Security metrics visualization was found to play a crucial role in increasing the manageability of metrics. We also found that the practical means of managing larger collections of metrics and measurements are more essential than individual security metrics. A major challenge in the use of risk-driven security metrics is the lack of evidence for security effectiveness evidence in the early phases of product development and Risk Analysis, when the needs for it are at their greatest.",
keywords = "Agile SW Development, risk analysis, security metrics",
author = "Reijo Savola and C. Fr{\"u}hwirth and A. Pietik{\"a}inen",
year = "2012",
doi = "10.3217/jucs-018-12-1679",
language = "English",
volume = "18",
pages = "1679--1702",
journal = "Journal of Universal Computer Science",
issn = "0948-695X",
publisher = "Technische Universitat Graz from Austria",
number = "12",

}

Risk-driven security metrics in agile software development : An industrial pilot study. / Savola, Reijo; Frühwirth, C.; Pietikäinen, A.

In: Journal of Universal Computer Science, Vol. 18, No. 12, 2012, p. 1679-1702.

Research output: Contribution to journalArticleScientificpeer-review

TY - JOUR

T1 - Risk-driven security metrics in agile software development

T2 - An industrial pilot study

AU - Savola, Reijo

AU - Frühwirth, C.

AU - Pietikäinen, A.

PY - 2012

Y1 - 2012

N2 - The need for effective and efficient information security solutions is steadily increasing in the software industry. Software and system developers require practical and systematic approaches to obtain sufficient and credible evidence of the security level in the system under development in order to guide their efforts and ensure the efficient use of resources. We present experiences of developing and using hierarchical security metrics and measurements in an industrial pilot study at Ericsson Finland. The pilot focused on risk-driven security design and implementation in the context of an Agile software development process. The pilot target was a well-established telecommunications product of Ericsson and a core component in modern mobile networks. The results of the study demonstrate the practical potential of risk-driven security metrics, particularly in offering some early visibility of security effectiveness and efficiency. Hierarchical metrics models enable the linking of security objectives with detailed measurements. Security metrics visualization was found to play a crucial role in increasing the manageability of metrics. We also found that the practical means of managing larger collections of metrics and measurements are more essential than individual security metrics. A major challenge in the use of risk-driven security metrics is the lack of evidence for security effectiveness evidence in the early phases of product development and Risk Analysis, when the needs for it are at their greatest.

AB - The need for effective and efficient information security solutions is steadily increasing in the software industry. Software and system developers require practical and systematic approaches to obtain sufficient and credible evidence of the security level in the system under development in order to guide their efforts and ensure the efficient use of resources. We present experiences of developing and using hierarchical security metrics and measurements in an industrial pilot study at Ericsson Finland. The pilot focused on risk-driven security design and implementation in the context of an Agile software development process. The pilot target was a well-established telecommunications product of Ericsson and a core component in modern mobile networks. The results of the study demonstrate the practical potential of risk-driven security metrics, particularly in offering some early visibility of security effectiveness and efficiency. Hierarchical metrics models enable the linking of security objectives with detailed measurements. Security metrics visualization was found to play a crucial role in increasing the manageability of metrics. We also found that the practical means of managing larger collections of metrics and measurements are more essential than individual security metrics. A major challenge in the use of risk-driven security metrics is the lack of evidence for security effectiveness evidence in the early phases of product development and Risk Analysis, when the needs for it are at their greatest.

KW - Agile SW Development

KW - risk analysis

KW - security metrics

U2 - 10.3217/jucs-018-12-1679

DO - 10.3217/jucs-018-12-1679

M3 - Article

VL - 18

SP - 1679

EP - 1702

JO - Journal of Universal Computer Science

JF - Journal of Universal Computer Science

SN - 0948-695X

IS - 12

ER -