Contextualising and aligning security metrics and business objectives: A GQM-based methodology

Published: 01 January 2020

Abstract

Pre-defined security metrics suffer from the problem of contextualisation, i.e., a lack of adaptability to particular organisational contexts (domain, technical infrastructure, stakeholders, business process, etc.). Adapting metrics to an organisational context is essential (1) for the metrics to align with business requirements, and (2) for decision makers to maintain relevant security goals based on measurements from the field. In this paper we propose Symbiosis, a methodology that defines a goal elicitation and refinement process mapping business objectives to security measurement goals via systematic templates that capture the relevant context elements (business goals, purpose, stakeholders, system scope). The novel contribution of Symbiosis is its well-defined process, which enforces that (1) metrics align with business objectives via a top-down derivation that refines top-level business objectives to a manageable granularity, and (2) the impact of metrics on business objectives is explicitly traced via a bottom-up feedback mechanism, allowing an incremental approach in which feedback from metrics influences business goals, and vice versa. We discuss the findings from applying Symbiosis to three case studies of known security incidents. Our analysis shows how the aforementioned pitfalls of security metrics development processes affected the outcome of these high-profile incidents and how Symbiosis addresses such issues.
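The abstract names two mechanisms: a top-down refinement from a business objective through a measurement goal and its questions down to metrics, recorded in a template that captures business goal, purpose, stakeholders and system scope, and a bottom-up trace from each field measurement back to the objective it serves. The following Python sketch is added here as an illustration of that structure; it is not the paper's own tooling nor any Symbiosis implementation, and the goal, questions, metric names, thresholds and measurement values are constructed for the example. It also shows the contextualisation problem the abstract opens with: a measurement that arrives with no goal above it is reported as an orphan rather than silently absorbed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional


def _combine(results: Iterable[Optional[bool]]) -> Optional[bool]:
    """Roll child statuses up one level: any failing child fails the parent;
    otherwise any unmeasured child (None) leaves the parent undecided."""
    rs = list(results)
    if any(r is False for r in rs):
        return False
    if not rs or any(r is None for r in rs):
        return None
    return True


@dataclass
class Metric:
    name: str
    ok: Callable[[float], bool]      # assumed acceptance threshold for the value
    value: Optional[float] = None    # filled in later from field measurements

    def status(self) -> Optional[bool]:
        return None if self.value is None else self.ok(self.value)


@dataclass
class Question:
    text: str
    metrics: List[Metric] = field(default_factory=list)

    def status(self) -> Optional[bool]:
        return _combine(m.status() for m in self.metrics)


@dataclass
class MeasurementGoal:
    # The context elements the abstract lists for its templates.
    business_goal: str
    purpose: str
    stakeholders: List[str]
    scope: str
    questions: List[Question] = field(default_factory=list)

    def status(self) -> Optional[bool]:
        return _combine(q.status() for q in self.questions)


def record(goals: List[MeasurementGoal], measurements: Dict[str, float]) -> List[str]:
    """Attach field measurements to metrics by name. Names that no goal derived
    are returned as orphans: numbers collected without a goal behind them."""
    known = {m.name: m for g in goals for q in g.questions for m in q.metrics}
    for name, value in measurements.items():
        if name in known:
            known[name].value = value
    return sorted(set(measurements) - set(known))


def feedback(goals: List[MeasurementGoal]) -> List[Dict[str, str]]:
    """Bottom-up step: every failing or unmeasured metric is traced through
    its question and measurement goal up to the business objective."""
    trace = []
    for g in goals:
        for q in g.questions:
            for m in q.metrics:
                s = m.status()
                if s is True:
                    continue
                trace.append({
                    "metric": m.name,
                    "state": "unmeasured" if s is None else "failing",
                    "question": q.text,
                    "purpose": g.purpose,
                    "business_goal": g.business_goal,
                })
    return trace


def example_tree() -> List[MeasurementGoal]:
    """Top-down derivation for one constructed business objective (assumed values)."""
    goal = MeasurementGoal(
        business_goal="Customer payment data is not exposed through weak perimeter hosts",
        purpose="Assess whether every internet-facing server stays within the patch and authentication baseline",
        stakeholders=["CISO", "server operations"],
        scope="internet-facing servers",
        questions=[
            Question("Are all in-scope servers inventoried?",
                     [Metric("uninventoried_hosts", lambda v: v == 0)]),
            Question("Do in-scope servers enforce the required authentication controls?",
                     [Metric("hosts_missing_mfa", lambda v: v == 0)]),
            Question("Are critical patches applied within the agreed window?",
                     [Metric("patch_sla_pct", lambda v: v >= 95.0)]),
        ],
    )
    return [goal]


def run_example():
    goals = example_tree()
    # Constructed field measurements: hosts_missing_mfa is never reported, and
    # av_signature_age_days arrives although no goal asked for it.
    orphans = record(goals, {"uninventoried_hosts": 0, "patch_sla_pct": 91.5,
                              "av_signature_age_days": 2})
    return goals[0].status(), orphans, feedback(goals)


if __name__ == "__main__":
    status, orphans, trace = run_example()
    print("goal status:", status)
    print("measurements with no goal:", orphans)
    for row in trace:
        print(row)
```

Rolling a failure up as False while an unmeasured leaf only yields None keeps the two signals the abstract distinguishes apart: a goal that is known to be missed, versus a goal the organisation cannot currently answer because a metric it derived is not being collected.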


Cited By

  • (2023) Towards a User-centred Security Framework for Social Robots in Public Spaces. Proceedings of the 27th International Conference on Evaluation and Assessment in Software Engineering, pp. 292–297. https://doi.org/10.1145/3593434.3593446. Online publication date: 14 June 2023.

Published In

Computers and Security, Volume 88, Issue C
January 2020
602 pages

Publisher

Elsevier Advanced Technology Publications, United Kingdom


Author Tags

  1. Security metrics
  2. Security decision-making
  3. Contextual metrics
  4. Metrics development process
  5. Goal-question-metric (GQM)

Qualifiers

  • Research-article
