Methodologies and Approaches to Measure Security

Abstract

Security has today become a topic of cardinal interest in many companies and or- ganisations. To deal with security and its management, it is a good idea to be able to quantify it in order to know how secure a given system is, i.e. to metricate security.Many approaches to security metrication have been suggested, but most of them rely upon experts’ subjective judgement rather than being based on objective mea- sures or scientifically sound methodology. Further, there is a large diversity in the existing metrication methods with respect to approach, objectives, goals and result. This calls for a systematisation and structuring of the field in order to get better knowledge of the benefits and usage of different metrication methods. The goal of this work is to study the methodologies and approaches towards metri- cation activities as suggested by various stakeholders. Specifically, we will look at how each approach develops, selects and implements information level measures for the purpose of showing the effectiveness and efficiency of the security objectives and their related activities. We will then analyse how these measures can be used by an organization for the identification of the adequacy of its implemented processes, policies and procedures. Nevertheless, we will propose a systematized model for measuring security and devising security metrics.