Information security metric integrating enterprise objectives

Security is one of the key concerns in information technology systems. Maintaining the confidentiality, integrity and availability of such systems requires a rigorous prior analysis of the security risks that confront them. Analyzing, mitigating and recovering from these risks calls for a metrics-based approach to prioritizing the response strategies. In addition, the enterprise objectives must be integrated as a central element of the definition, impact calculation and prioritization phases of this analysis, so that the resulting metrics are useful to both the technical and the managerial communities within an organization. Including enterprise objectives in the identification of information assets also acts as a preliminary filter that reduces the scalability problems inherent in real-life threat modeling efforts. This study uses an attack-tree-based approach to propose an information security risk metric that integrates an organization's enterprise objectives with the vulnerabilities of its information assets. For the essential step of enterprise resource identification, the resource-based view of the firm is used.
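The following is an added illustration of the kind of metric the abstract describes; it is not the paper's own formulation. It assumes conventional attack-tree propagation rules (AND: product of step probabilities and sum of attacker costs; OR: combination of independent alternative paths and minimum cost), weights each information asset by its contribution to a set of enterprise objectives, drops assets whose weight falls below a threshold (the "preliminary filter" from the abstract), and ranks the remaining attack trees by weighted risk. All objectives, assets, contributions, trees, probabilities and costs are constructed sample data.

```python
"""Attack-tree risk metric weighted by enterprise objectives (added example).

Propagation rules, objective weighting and the filter threshold are
assumptions chosen for illustration; they are not the paper's definitions.
"""
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "LEAF", "AND" or "OR"
    prob: float = 0.0           # leaf: probability the attacker completes this step
    cost: float = 0.0           # leaf: attacker effort in arbitrary units
    children: List["Node"] = field(default_factory=list)


def success_probability(node: Node) -> float:
    """Probability the subtree goal is reached, treating steps as independent."""
    if node.kind == "LEAF":
        return node.prob
    ps = [success_probability(c) for c in node.children]
    if node.kind == "AND":
        return prod(ps)
    # OR: the goal fails only if every alternative path fails
    return 1.0 - prod(1.0 - p for p in ps)


def minimum_cost(node: Node) -> float:
    """Cheapest attacker effort: AND sums its steps, OR takes the cheapest branch."""
    if node.kind == "LEAF":
        return node.cost
    cs = [minimum_cost(c) for c in node.children]
    return sum(cs) if node.kind == "AND" else min(cs)


def asset_weight(contributions: Dict[str, float], objectives: Dict[str, float]) -> float:
    """Business weight of an asset: each objective's weight times the asset's contribution to it."""
    return sum(objectives[o] * contributions.get(o, 0.0) for o in objectives)


def prioritize(trees: Dict[str, Node], assets: Dict[str, Dict[str, float]],
               objectives: Dict[str, float], threshold: float) -> List[Tuple[str, float, float]]:
    """Filter assets below the weight threshold, then rank trees by probability * weight."""
    ranked = []
    for asset, tree in trees.items():
        w = asset_weight(assets[asset], objectives)
        if w < threshold:          # preliminary filter: not worth modeling further
            continue
        risk = round(success_probability(tree) * w, 4)
        ranked.append((asset, risk, minimum_cost(tree)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample data (hypothetical organization).
OBJECTIVES = {"revenue": 0.5, "customer_trust": 0.3, "regulatory_compliance": 0.2}

ASSETS = {   # contribution of each asset to each objective, 0..1
    "customer_db": {"revenue": 0.6, "customer_trust": 0.9, "regulatory_compliance": 1.0},
    "payment_gateway": {"revenue": 1.0, "customer_trust": 0.5, "regulatory_compliance": 0.8},
    "dev_wiki": {"revenue": 0.05, "regulatory_compliance": 0.1},
}

TREES = {
    "customer_db": Node("exfiltrate customer records", "OR", children=[
        Node("via web application", "AND", children=[
            Node("find SQL injection", prob=0.6, cost=2),
            Node("bypass WAF", prob=0.5, cost=3),
        ]),
        Node("via DBA account", "AND", children=[
            Node("phish DBA", prob=0.7, cost=1),
            Node("credentials usable without MFA", prob=0.4, cost=1),
        ]),
    ]),
    "payment_gateway": Node("divert settlements", "AND", children=[
        Node("exploit gateway service", prob=0.2, cost=8),
        Node("pivot to settlement host", prob=0.5, cost=2),
    ]),
    "dev_wiki": Node("read internal wiki", prob=0.9, cost=1),
}


if __name__ == "__main__":
    for asset, risk, cost in prioritize(TREES, ASSETS, OBJECTIVES, threshold=0.1):
        print(f"{asset:16s} risk={risk:.4f} cheapest_attack_cost={cost}")
```

Running the block ranks the customer database first (the phishing branch is both likelier and cheaper than the web-application branch, and the asset carries high objective weight), the payment gateway second, and drops the developer wiki before any tree evaluation because its objective weight is below the threshold.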
