Abstract
Security metrics are usually defined informally, so rigorous analysis of them is hard. Such analysis is required to identify the relations that exist between security metrics, all of which try to quantify the same quality: security.
Risk, computed as Annualised Loss Expectancy, is often used to give an overall assessment of security as a whole. Risk and security metrics are usually defined separately, and the relation between these indicators has not been considered thoroughly. In this work we fill this gap by providing a formal definition of risk and a formal analysis of the relations between security metrics and risk.
This work is partially supported by FP7-ICT-2009-5 NESSOS and FP7-ICT-2009-5 ANIKETOS projects.
© 2011 IFIP International Federation for Information Processing
About this paper
Cite this paper
Krautsevich, L., Martinelli, F., Yautsiukhin, A. (2011). Formal Analysis of Security Metrics and Risk. In: Ardagna, C.A., Zhou, J. (eds) Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication. WISTP 2011. Lecture Notes in Computer Science, vol 6633. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21040-2_22
DOI: https://doi.org/10.1007/978-3-642-21040-2_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-21039-6
Online ISBN: 978-3-642-21040-2
eBook Packages: Computer Science (R0)