Quality of security metrics and measurements

Quantification of information security can be used to obtain evidence to support decision-making about the security performance of software systems. Knowledge about the relational importance of the main quality criteria of security metrics can help build security metrology models based on practical...

Full description

Saved in:
Bibliographic Details
Published in:Computers & security 2013-09, Vol.37, p.78-90
Main Author: Savola, Reijo M.
Format: Article
Language:English
Subjects:
Applied sciences
Computer information security
Computer programs
Computer science
control theory
systems
Computer simulation
Computer systems and distributed systems. User interface
Construction
Criteria
Data integrity
Decision support systems
Exact sciences and technology
Expert opinion survey
Information systems. Data bases
Mathematical models
Memory and file management (including protection and security)
Memory organisation. Data processing
Metrology
Quality of security metrics
Security effectiveness
Security management
Security metrics
Security quantification
Software
Software quality
Validation studies
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Quantification of information security can be used to obtain evidence to support decision-making about the security performance of software systems. Knowledge about the relational importance of the main quality criteria of security metrics can help build security metrology models based on practical needs. This paper presents the results of a quantitative security metrics expert survey of 141 respondents, and an associated interview study, regarding the prioritization of 19 quality criteria of security metrics identified in the literature. The interviews were used to validate the survey results and to obtain further information on the findings. The results identified three foundational quality criteria of security metrics: correctness, measurability, and meaningfulness. These criteria form the basis for credibility and sufficiency for security metrics and associated measurements. Moreover, usability was seen as an important criterion. The paper analyzes the foundational and related quality criteria and proposes a model of them. •The results for prioritization of security metrics quality criteria are presented.•A conceptual security metrics quality criteria model is proposed.•The results derive from a security metrics expert study and an interview study.•Correctness, measurability, and meaningfulness are the foundational criteria.•In addition to the foundational criteria, usability should be emphasized.
ISSN:0167-4048
1872-6208
DOI:10.1016/j.cose.2013.05.002