The capability maturity model: guidelines for improving the software process.
EasyWinWin: a groupware-supported methodology for requirements negotiation. ICSE '01 Proceedings of the 23rd International Conference on Software Engineering.
Information Assurance Measures and Metrics - State of Practice and Proposed Taxonomy. HICSS '03 Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9 - Volume 9.
Business process-based valuation of IT-security. EDSER '05 Proceedings of the seventh international workshop on Economics-driven software engineering research.
QFD application in software process management and improvement based on CMM. 3-WoSQ Proceedings of the third workshop on Software quality.
Information security models and metrics. Proceedings of the 43rd annual Southeast regional conference - Volume 2.
Vulnerability analysis for evaluating quality of protection of security policies. Proceedings of the 2nd ACM workshop on Quality of protection.
Is risk a good security metric? Proceedings of the 2nd ACM workshop on Quality of protection.
Security Metrics: Replacing Fear, Uncertainty, and Doubt.
Managing Quality Level for Developing Information Security System Adopting QFD. SNPD '08 Proceedings of the 2008 Ninth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing.
Meta-metric Evaluation of E-Commerce-related Metrics. Electronic Notes in Theoretical Computer Science (ENTCS).
Risk analysis supported by information security metrics. Proceedings of the 12th International Conference on Computer Systems and Technologies.
Companies that approach information security management from a business perspective invest in security metrics to measure the degree to which their security objectives are being met. The decision on which particular security metrics to use, however, is surprisingly often based on an uninformed process and disregards the company's security goals and capabilities. Like a factory owner who buys a new tool without considering which business goals it should support and whether the staff is actually equipped to operate it, introducing metrics without considering security goals and security capabilities can lead to ineffective operation. Practitioners complain in this context that their security metrics are too complex to use, require data that is expensive to gather, or simply measure the wrong thing. Existing frameworks such as the SSE-CMM or the ISO 27000 series provide generic guidance on choosing security objectives and metrics, but lack a method to guide companies in choosing the security metrics that best fit their unique security objectives and capabilities. In response to this problem we present a method, with a supporting tool, for matching security metrics with the objectives and capabilities of a company. Our method helps companies decide which metric best suits their particular context by determining which metric (1) is efficient to apply with the company's given capabilities and (2) provides the maximum contribution to the company's security objectives. The method is supported by existing research in the field of value-based software engineering and has been developed on the basis of the established "Quality Function Deployment" (QFD) approach. Initial experiences from applying the method suggest that it improves the selection process of security metrics.