Utilizing a risk-driven operational security assurance methodology and measurement architecture

Experiences from a case study

Reijo Savola, Teemu Kanstren, Heimo Pentikäinen, Petri Jurmu, Mauri Myllyaho, Kimmo Hätönen

Research output: Chapter in Book/Report/Conference proceeding; Conference article in proceedings; Scientific

Abstract

Practical measurement of information security of telecoms services is a remarkable challenge because of the lack of applicable generic tools and methods, the difficult-to-predict nature of security risks, the complexity of the systems, and the low observability of security issues in them. We discuss our experiences in utilizing a risk-driven methodology and associated measurement architecture in a practical case study. Effectiveness and efficiency are of main interest to stakeholders responsible for security. We note, however, that security configuration correctness and compliance with requirements are, in practice, the core objectives from an operational perspective. For these objectives there is more evidence available and it is easier to attain it. Our findings in this case study show a need for a wide range of security metrics to offer sufficient evidence of the design, implementation, and deployment of security controls. The case study also shows how visualization tools can be used efficiently to support the management of collections of these metrics.
Original language: English
Title of host publication: Proceedings of the 8th International Conference on Networking and Services, ICNS 2012
Editors: T. Nguyen
Publisher: International Academy, Research, and Industry Association IARIA
Pages: 134-142
ISBN (Print): 978-1-6120-8186-1, 978-1-6183-9976-2
Publication status: Published - 2012
MoE publication type: B3 Non-refereed article in conference proceedings
Event: Eighth International Conference on Networking and Services 2012, ICNS 2012 - St. Maarten, Netherlands
Duration: 25 Mar 2012 to 30 Mar 2012

Conference

Conference: Eighth International Conference on Networking and Services 2012, ICNS 2012
Abbreviated title: ICNS 2012
Country: Netherlands
City: St. Maarten
Period: 25/03/12 to 30/03/12

Fingerprint

Observability
Security of data
Compliance

Cite this

Savola, R., Kanstren, T., Pentikäinen, H., Jurmu, P., Myllyaho, M., & Hätönen, K. (2012). Utilizing a risk-driven operational security assurance methodology and measurement architecture: Experiences from a case study. In T. Nguyen (Ed.), Proceedings of the 8th International Conference on Networking and Services, ICNS 2012 (pp. 134-142). International Academy, Research, and Industry Association IARIA.