Addressing misalignment between information security metrics and business-driven security objectives

Companies that approach information security management from a business perspective invest in security metrics to measure the degree to which their security objectives are being met. The decision on which particular security metrics to use, however, is surprisingly often based on an uninformed process that disregards the company's security goals and capabilities. Like a factory owner who buys a new tool without considering which business goals it should support and whether the staff is actually equipped to operate it, introducing metrics without considering security goals and security capabilities can lead to ineffective operation. Practitioners complain in this context that their security metrics are too complex to use, require data that is expensive to gather, or simply measure the wrong thing. Existing frameworks such as the SSE-CMM or the ISO 27000 series provide generic guidance on choosing security objectives and metrics, but lack a method to guide companies in choosing the security metrics that best fit their unique security objectives and capabilities. In response to this problem we present a method, with a supporting tool, for matching security metrics with the objectives and capabilities of a company. Our method helps companies decide which metric best suits their particular context by determining which metric is 1) efficient to apply using the company's given capabilities and 2) provides the maximum contribution to the company's security objectives. The method is supported by existing research in the field of value-based software engineering and has been developed based on the established "Quality Function Deployment" (QFD) approach. Initial experiences from applying the method suggest that it improves the selection process of security metrics.
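To make the two selection criteria concrete, the following added example (not the paper's own tool or weighting scheme) ranks candidate metrics QFD-style: each metric's weighted relationship to the security objectives gives its contribution, and the share of required data-gathering capabilities the company already has gives its efficiency. All objectives, capabilities, metrics and the 0/1/3/9 relationship scale are constructed assumptions for illustration.

```python
"""QFD-style ranking of candidate security metrics against objectives and capabilities."""
from typing import Dict, List, Tuple

# Relationship strengths use the common House of Quality scale (assumption):
# 0 = no relation, 1 = weak, 3 = medium, 9 = strong.

# Constructed sample inputs, not taken from the paper.
OBJECTIVES: Dict[str, int] = {          # objective -> business importance (1..5)
    "reduce_patch_latency": 5,
    "limit_privileged_access": 3,
    "detect_intrusions": 4,
}
CAPABILITIES: Dict[str, bool] = {       # capability -> does the company have it?
    "vuln_scanner": True,
    "siem": False,
    "iam_inventory": True,
}
# metric -> (relationship strength to each objective, capabilities needed to collect it)
METRICS: Dict[str, Tuple[Dict[str, int], List[str]]] = {
    "mean_time_to_patch": ({"reduce_patch_latency": 9, "detect_intrusions": 1}, ["vuln_scanner"]),
    "privileged_account_ratio": ({"limit_privileged_access": 9, "detect_intrusions": 3}, ["iam_inventory"]),
    "alert_triage_time": ({"limit_privileged_access": 1, "detect_intrusions": 9}, ["siem"]),
    "incidents_per_asset": ({"reduce_patch_latency": 3, "limit_privileged_access": 1, "detect_intrusions": 9}, ["siem", "vuln_scanner"]),
}

def contribution(relations: Dict[str, int], objectives: Dict[str, int]) -> int:
    """Weighted sum of relationship strengths: the metric's contribution to the objectives."""
    return sum(objectives[o] * relations.get(o, 0) for o in objectives)

def efficiency(needs: List[str], capabilities: Dict[str, bool]) -> float:
    """Share of required capabilities the company already has (1.0 if the metric needs none)."""
    if not needs:
        return 1.0
    return sum(1 for c in needs if capabilities.get(c, False)) / len(needs)

def rank_metrics(metrics, objectives, capabilities) -> List[Tuple[str, float]]:
    """Score = contribution * efficiency; returns (metric, score) pairs, best first."""
    scored = []
    for name, (relations, needs) in metrics.items():
        score = contribution(relations, objectives) * efficiency(needs, capabilities)
        scored.append((name, round(score, 2)))
    return sorted(scored, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for name, score in rank_metrics(METRICS, OBJECTIVES, CAPABILITIES):
        print(f"{name:28s} {score:6.2f}")
```

With these inputs the metric with the highest raw contribution (incidents_per_asset, 54) drops to third place because half of the data it needs cannot be gathered, which is exactly the mismatch the selection method is meant to expose.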
