Security risk metrics: fusing enterprise objectives and vulnerabilities

Automated scanners cannot by themselves generate the information needed to properly assess a network's risk. Although scanners may identify high-risk exposures, they cannot determine how those exposures affect an organization's objectives. Such an assessment requires an auditor to identify the objectives and their relationship to network hosts. Mission trees allow security auditors to map the relationships between an organization's objectives and its assets. Combining these mappings with vulnerability scanner output lends itself to creating meaningful enterprise security metrics.
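The fusion described above, as an added example that is not code from the paper: a small mission tree whose leaves are hosts, fed with a constructed scanner export, so that each objective's risk can be derived from the exposures of the hosts it depends on. The aggregation rule (an objective is as exposed as the child it depends on most, scaled by a dependence factor on each edge), the host and objective names, and the severity values are all assumptions made for illustration.

```python
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# Constructed scanner export (not real scan data): host, finding, severity 0-10.
SCAN_CSV = """host,finding,severity
web01,outdated TLS library,7.5
web01,directory listing enabled,5.3
db01,unpatched database service,6.4
mail01,unauthenticated remote admin port,9.8
"""


@dataclass
class Host:
    """Leaf of the mission tree: one network asset with its scanner findings."""
    name: str
    findings: List[Tuple[str, float]] = field(default_factory=list)

    def risk(self) -> float:
        # A host is as exposed as its worst finding, normalised to 0..1.
        return max((sev for _, sev in self.findings), default=0.0) / 10.0


@dataclass
class Objective:
    """Internal node: an organizational objective that depends on hosts or sub-objectives."""
    name: str
    # (dependence, child): dependence in 0..1 says how much this objective relies on the child.
    children: List[Tuple[float, "Node"]] = field(default_factory=list)

    def risk(self) -> float:
        # Hypothetical aggregation rule: an objective is as exposed as the
        # child it depends on most, weighted by the strength of that dependence.
        return max((dep * child.risk() for dep, child in self.children), default=0.0)


Node = Union[Host, Objective]


def parse_scan(text: str) -> Dict[str, Host]:
    """Group scanner rows by host so each host knows its own findings."""
    hosts: Dict[str, Host] = {}
    for row in csv.DictReader(io.StringIO(text)):
        host = hosts.setdefault(row["host"], Host(row["host"]))
        host.findings.append((row["finding"], float(row["severity"])))
    return hosts


def build_tree(hosts: Dict[str, Host]) -> Objective:
    """Constructed mission tree: the enterprise goal rests mainly on order processing."""
    orders = Objective("accept customer orders", [(1.0, hosts["web01"]), (1.0, hosts["db01"])])
    email = Objective("internal email", [(0.8, hosts["mail01"])])
    return Objective("run the business", [(1.0, orders), (0.3, email)])


def contribution(obj: Objective, scale: float = 1.0) -> Dict[str, float]:
    """Attribute the root metric to hosts: how much of each host's exposure reaches the root."""
    out: Dict[str, float] = {}
    for dep, child in obj.children:
        if isinstance(child, Host):
            out[child.name] = max(out.get(child.name, 0.0), scale * dep * child.risk())
        else:
            for name, value in contribution(child, scale * dep).items():
                out[name] = max(out.get(name, 0.0), value)
    return out


def report(scan_text: str = SCAN_CSV) -> Tuple[float, Dict[str, float]]:
    """Return the enterprise-level risk and the per-host contribution to it."""
    hosts = parse_scan(scan_text)
    root = build_tree(hosts)
    return root.risk(), contribution(root)


if __name__ == "__main__":
    total, by_host = report()
    print(f"enterprise risk: {total:.2f}")
    for name, value in sorted(by_host.items(), key=lambda kv: -kv[1]):
        print(f"  {name}: {value:.2f}")
```

With this constructed data the scanner alone would rank mail01 first (its 9.8 finding is the worst on the network), while the mission tree ranks web01 first, because order processing depends fully on it and email is a minor dependency of the enterprise goal. That difference between scanner severity and mission impact is the gap the abstract describes.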
