Abstract
To understand the information security performance of products, processes, technical systems or organizations as a whole, and to plan, control and improve it, security engineers, system developers and business managers must be able to obtain early feedback on the security situation actually achieved. Systematic security metrics provide the means for managing security-related measurements comprehensively. We reflect on the use of information security metrics by presenting the results of an interview study carried out in Finnish industrial companies and State institutions. Furthermore, we discuss the application of security measurements from the business process and technical points of view. The role of technical security metrics is analyzed using mobile ad hoc networks as a case example.
© 2005 International Federation for Information Processing
Cite this paper
Savola, R., Anttila, J., Sademies, A., Kajava, J., Holappa, J. (2005). Measurement of Information Security in Processes and Products. In: Dowland, P., Furnell, S., Thuraisingham, B., Wang, X.S. (eds) Security Management, Integrity, and Internal Control in Information Systems. IICIS 2004. IFIP International Federation for Information Processing, vol 193. Springer, Boston, MA. https://doi.org/10.1007/0-387-31167-X_16
DOI: https://doi.org/10.1007/0-387-31167-X_16
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-29826-9
Online ISBN: 978-0-387-31167-8
eBook Packages: Computer Science (R0)