Context: While more traditional engineering disciplines such as construction and civil engineering can measure quality and robustness through building codes, materials standards and modelling techniques, the PACs domain is far less mature, and it is therefore much harder to quantify and evaluate the security level of a given system. Such metrics are increasingly demanded by security managers and professionals, who need to communicate them to both technical and non-technical stakeholders, to support continuous improvement, and to benchmark against peers. The insurance industry is also seeking to understand such metrics in order to develop cyber-insurance actuarial models that support appropriate and quantifiable risk transfer.
Rapid technological progress, increased interconnectedness and complexity of computing systems, and the predominantly malicious nature of security threats are all barriers to generating such accurate measures.
Existing attempts to develop such metrics are founded on the Confidentiality, Integrity and Availability (CIA) triad: metrics goals and objectives are defined, key metrics are selected and generated, goals and targets are set (ideally against existing benchmarks), and a formal process is created for implementing the metrics and for reviewing and refining performance against them.
Challenges – Research Gaps: A wide range of existing security metrics development initiatives have already been highlighted by NIS WG3 activities, indicating progress in this area. Examples include the SSE-CMM initiative developed by the International Systems Security Engineering Association, NIST’s “IT Security Assessment Framework” and “Security Metrics Guide for Information Technology Systems”, ISO’s Common Criteria, and the US DoD’s Information Assurance Readiness Project. Such initiatives aim at increased standardisation of security metrics that are, in particular, measurable, attainable, repeatable and time dependent. In the Seconomics project, attention is being paid to industry case studies in the physical world in an effort to develop and further the state of the art in modelling security problems.