Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security. IEEE Transactions on Software Engineering.
Security Metrics: Replacing Fear, Uncertainty, and Doubt.
Improved security through information security governance. Communications of the ACM - Rural engineering development.
The risks with security metrics. Proceedings of the 4th ACM workshop on Quality of protection.
Formalizing information security knowledge. Proceedings of the 4th International Symposium on Information, Computer, and Communications Security.
Security compliance: the next frontier in security research. Proceedings of the 2008 workshop on New security paradigms.
SP 800-55 Rev. 1. Performance Measurement Guide for Information Security.
Proceedings of the 3rd international conference on Security of information and networks.
Basis for an integrated security ontology according to a systematic review of existing proposals. Computer Standards & Interfaces.
Architecting a security strategy measurement and management system. Proceedings of the Workshop on Model-Driven Security.
Legal regulations and industry standards require organizations to measure and maintain a specified IT-security level. Although several IT-security metrics approaches have been developed, no methodology exists for automatically generating ISO 27001-based IT-security metrics from concrete, organization-specific knowledge about how controls are implemented. Building on the security ontology by Fenz et al., which captures information security domain knowledge together with the structures needed to incorporate organization-specific facts, this paper proposes a methodology for automatically generating ISO 27001-based IT-security metrics. The validation conducted shows that the results are a first step towards a higher degree of automation in the field of IT-security metrics. Using the introduced methodology, organizations can evaluate their compliance with information security standards and, at the same time, the effectiveness of their control implementations.