Towards a Classification of Security Metrics

Carlos Villarrubia, Eduardo Fernández-Medina, Mario Piattini

2004

Abstract

For the generation of trust in the use of information and communications technologies it is necessary to demonstrate security in the use of these technologies. Security metrics or assurance metrics are the most appropriate method to generate that trust. In this article we propose a series of features for classifying security metrics. We present the main conclusions obtained through this classification together with the list of metrics analyzed.

References

  1. Mercuri, R.T.: Analyzing security costs. Communications of the ACM 46 (2003) 15-18
  2. Swanson, M., Bartol, N., Sabato, J., Hash, .J., Graffo, L.: Security metrics guide for information technology systems. Technical Report NIST 800-55, National Institute of Standards and Technology (2003)
  3. Vaughn, Jr., R.B., Henning, R., Siraj, A.: Information assurance measures and metrics - state of practice and proposed taxonomy. In: Proceedings of the 36th Hawaii International Conference on Systems Sciences. (2003)
  4. Bouvier, P., Longeon, R.: Le tableau de bord de la sécurité du systeme d'information. Sécurité Informatique (2003)
  5. Nielsen, F.: Approaches of security metrics. Technical report, NIST-CSSPAB (2000)
  6. Payne, S.C.: A guide to security metrics. Technical report, SANS Institute (2001)
  7. ACSA, ed.: Proceedings of the Workshop on Information Security System Scoring and Ranking, Williamsburg, Virginia (2001)
  8. Colado, C., Franco, A.: Métricas de seguridad: una visión actualizada. SIC. Seguridad en Informática y Comunicaciones 57 (2003) 64-66
  9. Swanson, M.: Security self-assessment guide for information technology systems. Technical Report NIST 800-26, National Institute of Standards and Technology (2001)
  10. Calero, C., Martn-Albo, J., Piattini, M., Vallecillo, M.B..A., Cechich, A.: A survey on software component metrics. Submitted to ACM Computing Surveys (2003)
  11. Fenton, N., P eeger, S.: Software Metrics: A Rigorous Approach. 2nd edn. Chapman Hall, London (1997)
  12. Whitmire, S.: Object Oriented Design Measurement. Wiley, New York (1997)
  13. Zuse, H.: A Framework of Software Measurement. Walter de Gruyter, Berlin (1998)
  14. Poels, G., Dedene, G.: Distance-based software measurement: Necessary and suf cient properties for software measures. Information and Software Technology 42 (2000) 35-46
  15. Weyuker, E.J.: Evaluating software complexity measures. IEEE Transactions on Software Engineering 14 (1988) 1357-1365
  16. Briand, L.C., Morasca, S., Basili, V.R.: Property-based software engineering measurement. IEEE Transactions on Software Engineering 22 (1996) 68-86
  17. Briand, L.C., Morasca, S., Basili, V.R.: Property-based software engineering measurement: Re ning the additivity properties. IEEE Transactions on Software Engineering 23 (1997) 196-197
  18. Juristo, N., Moreno, A.: Basics of Software Engineering Experimentation. Kluwer Academic Publishers (2001)
  19. Wohlin, C., Runeson, P., Ohlsson, M., Regnell, B., Wesslen, .A.: Experimentation in Software Engineering: An Introduction. Kluwer Academic Publishers (2000)
  20. Yin, R.: Case Study Research: Design and Methods. 2nd edn. Applied Social Research Methods Series, vol 5 Sage Publications Inc, Thousand Oaks, CA (1994)
  21. P eeger, S., Kitchenham, B.: Principles of survey research. Software Engineering Notes 26 (2001) 16-18
  22. Lavazza, L.: Providing automated support for the gqm measurement process. IEEE Software 17 (2000) 56-62
  23. Departament of the Air Force: AFI33-205. Information Protection Metrics and Measurements Program. (1997)
  24. Calero, C., Piattini, M., Genero, M.: Empirical validation of referential integrity metrics. Information and Software Technology 43 (2001) 949-957
  25. ISO: ISO 7498-2. Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture. (1989)
  26. ISO/IEC: ISO/IEC TR 13335-1. Guidelines for the Management of IT Security. Part I: Concepts and Models of IT Security. (1996)
  27. ISO/IEC: ISO/IEC 15408. Evaluation Criteria for IT Security. (1999)
  28. ISO/IEC: ISO/IEC 17799. Code of Practice for Information Security Management. (2000)
  29. King, G.: Best security practices: An overview. In: Proceedings of the 23rd National Information Systems Security Conference, Baltimore, Maryland, NIST (2000)
  30. Marcelo, J.M.: Identi cación y Evaluación de Entidades en un Método AGR. In: Seguridad de las Tecnologas de la Información. AENOR (2003) 69-103
  31. McKnight, W.L.: What is information assurance? CrossTalk. The Journal of Defense Software Engineering (2002) 4-6
  32. Schuedel, G., Wood, B.: Adversary work factor as a metric for information assurance. In: Procedings of the New Security Paradigm Workshop, Ballycotton, Ireland (2000) 23-30
  33. Carnegie Mellon University Pittsburgh, Pennsylvania: SSE-CMM Model Description Document. 3.0 edn. (2003)
  34. Vaughn, Jr., R.B., Siraj, A., Dampier, D.A.: Information security system rating and ranking. CrossTalk. The Journal of Defense Software Engineering (2002) 30-32
Download


Paper Citation


in Harvard Style

Villarrubia C., Fernández-Medina E. and Piattini M. (2004). Towards a Classification of Security Metrics . In Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004) ISBN 972-8865-07-4, pages 341-350. DOI: 10.5220/0002688203410350


in Bibtex Style

@conference{wosis04,
author={Carlos Villarrubia and Eduardo Fernández-Medina and Mario Piattini},
title={Towards a Classification of Security Metrics},
booktitle={Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004)},
year={2004},
pages={341-350},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002688203410350},
isbn={972-8865-07-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004)
TI - Towards a Classification of Security Metrics
SN - 972-8865-07-4
AU - Villarrubia C.
AU - Fernández-Medina E.
AU - Piattini M.
PY - 2004
SP - 341
EP - 350
DO - 10.5220/0002688203410350