Ontology-based generation of IT-security metrics

Authors:
Stefan Fenz
Affiliations:
Vienna University of Technology, Vienna, Austria
Venue:
Proceedings of the 2010 ACM Symposium on Applied Computing
Year:
2010

Citing 7
Cited 3

Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security

IEEE Transactions on Software Engineering
Security Metrics: Replacing Fear, Uncertainty, and Doubt

Security Metrics: Replacing Fear, Uncertainty, and Doubt
Improved security through information security governance

Communications of the ACM - Rural engineering development
The risks with security metrics

Proceedings of the 4th ACM workshop on Quality of protection
Formalizing information security knowledge

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Security compliance: the next frontier in security research

Proceedings of the 2008 workshop on New security paradigms
SP 800-55 Rev. 1. Performance Measurement Guide for Information Security

SP 800-55 Rev. 1. Performance Measurement Guide for Information Security

An application of integral engineering technique to information security standards analysis and refinement

Proceedings of the 3rd international conference on Security of information and networks
Basis for an integrated security ontology according to a systematic review of existing proposals

Computer Standards & Interfaces
Architecting a security strategy measurement and management system

Proceedings of the Workshop on Model-Driven Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Legal regulations and industry standards require organizations to measure and maintain a specified IT-security level. Although several IT-security metrics approaches have been developed, a methodology for automatically generating ISO 27001-based IT-security metrics based on concrete organization-specific control implementation knowledge is missing. Based on the security ontology by Fenz et al., including information security domain knowledge and the necessary structures to incorporate organization-specific facts into the ontology, this paper proposes a methodology for automatically generating ISO 27001-based IT-security metrics. The conducted validation has shown that the research results are a first step towards increasing the degree of automation in the field of IT-security metrics. Using the introduced methodology, organizations are enabled to evaluate their compliance with information security standards, and to evaluate control implementations' effectiveness at the same time.