Towards quantitative risk management for next generation networks

  • Authors: Iztok Starc; Denis Trček

  • Affiliations: Faculty of Computer and Information Science, University of Ljubljana, Slovenia; Faculty of Computer and Information Science, University of Ljubljana, Slovenia

  • Venue: Telecommunication Economics
  • Year: 2012

Abstract

While user dependence on ICT is rising and the information security situation is worsening at an alarming rate, the IT industry is not able to answer, accurately and in time, questions like "How secure is our information system?" Consequently, information security risk management is reactive and lags behind incidents. To overcome this problem, the risk management paradigm has to change from reactive to active and from qualitative to quantitative. In this section, we present a computerized risk management approach that enables active risk management and is aligned with the leading initiative to make security measurable and manageable. Furthermore, we point out the deficiencies of qualitative methods and argue for the use of quantitative over qualitative methods in order to improve the accuracy of information security feedback. Finally, we present two quantitative metrics which, used together in the model, enable quantitative risk assessment and support risk treatment decision making.