An Empirical Study of Connections Between Measurements and Information Security

This paper presents an investigation of factors that are likely to affect the security of an organization, in particular the number of security incidents. Using Intrusion Prevention Systems (IPS) data provided by the University of Maryland, we derive three potential factors (attackers, corrupted computers and attack types) and their respective measurements. Based on empirical studies and information security literature, we examine the effects of the selected factors on the number of security incidents. We use a regression model to test the hypotheses empirically and also to study how those factors are affected over time. We found that the number of potential corrupted computers is positively related to the number of security incidents, while the number of potential attackers and the range of attack types do not significantly affect the number of security incidents. We also found empirical evidence that the factors could change significantly over time.

Keywords: Network and Security Management; Security Metrics; Empirical Study; Security Incidents; Intrusion Prevention Systems.
