An Investigation About the Absence of Validation on Security Quantification Methods

To understand the actions that lead to successful attacks, and how they can be mitigated, researchers should identify and measure the factors that influence both attackers and victims. Quantifying security is particularly important for constructing relevant metrics that support the decisions needed to protect systems and networks. In this work, we investigated the lack of validation in security quantification methods. Different approaches to security quantification were examined and 57 papers were classified. The results show that most papers seek to measure generic and complex targets, such as the security of a network or of an entire organization; however, the incidence of validation attempts is higher in works that propose the quantification of specific targets.
