Addressing Misalignment Between Information Security Metrics and Business-Driven Security Objectives

C. Frühwirth, S. Biffl, M. Tabatabai Irani, E. Weippl:
"Addressing Misalignment Between Information Security Metrics and Business-Driven Security Objectives";
Talk: International Workshop on Security Measurement and Metrics (MetriSec), Bolzano-Bozen, Italy; 15.09.2010; in: "Proc. International Workshop on Security Measurement and Metrics (MetriSec)", G. Succi, M. Morisio, N. Nagappan (Eds.); (2010), ISBN: 978-1-4503-0039-1; pp. 1-7.


Abstract:

Companies that approach information security management from a business perspective invest in security metrics to measure the degree to which their security objectives are being met. The decision on which particular security metrics to use, however, is surprisingly often based on an uninformed process and disregards the company's security goals and capabilities. Like a factory owner who buys a new tool without considering which business goals it should support and whether the staff is actually equipped to operate it, introducing metrics without considering security goals and security capabilities can lead to ineffective operation. Practitioners complain in this context that their security metrics are too complex to use, require data that is expensive to gather, or simply measure the wrong thing. Existing frameworks such as the SSE-CMM or the ISO 27000 series provide generic guidance on choosing security objectives and metrics, but lack a method that guides companies in choosing the security metrics that best fit their unique security objectives and capabilities.

In response to this problem we present a method, with supporting tool, for matching security metrics with the objectives and capabilities of a company. The method helps companies decide which metric best suits their particular context by determining which metric is 1.) efficient to apply using the company's given capabilities and 2.) provides the maximum contribution to the company's security objectives. The method is grounded in existing research in the field of value-based software engineering and has been developed on the basis of the established "Quality Function Deployment" (QFD) approach. Initial experiences from applying the method suggest that it improves the selection process of security metrics.
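The abstract describes the two selection criteria (contribution to weighted objectives, and efficiency given existing capabilities) but not how they are combined. The following is an added illustration, not the authors' method or tool: it applies the generic QFD "House of Quality" idea of a relationship matrix on the conventional 0/1/3/9 scale between candidate metrics and weighted objectives, and divides each metric's weighted contribution by a simple, assumed effort model (one plus the sum of capability gaps between what a metric requires and what the company has). The objective weights, metrics, relationship strengths and capability levels below are constructed sample data; the scoring formula is an assumption chosen for the example, not something the paper specifies.

```python
"""
Illustrative QFD-style ranking of candidate security metrics.

Added example, not code from the paper. It combines two criteria that
the abstract names separately:
  1. contribution: weighted relationship to the company's security objectives
  2. efficiency:   how cheaply the metric can be applied with existing capabilities
Score = contribution / effort. The effort model and all data are constructed
assumptions for demonstration purposes.
"""
from dataclasses import dataclass

# Conventional QFD relationship strengths (House of Quality scale). Assumed here.
NONE, WEAK, MODERATE, STRONG = 0, 1, 3, 9


@dataclass
class Objective:
    name: str
    weight: float          # business priority, e.g. 1 (low) .. 5 (high)


@dataclass
class Metric:
    name: str
    relationships: dict    # objective name -> relationship strength (0/1/3/9)
    required_caps: dict    # capability name -> required maturity level (1..5)


def contribution(metric: Metric, objectives: list) -> float:
    """Weighted sum of relationship strengths over all objectives (QFD column total)."""
    return float(sum(o.weight * metric.relationships.get(o.name, NONE) for o in objectives))


def effort(metric: Metric, capabilities: dict) -> float:
    """Assumed effort model: 1 (baseline cost of operating any metric) plus the
    total maturity gap between required and available capability levels.
    A metric fully covered by existing capabilities therefore costs 1."""
    gap = sum(max(0, need - capabilities.get(cap, 0))
              for cap, need in metric.required_caps.items())
    return 1.0 + gap


def rank_metrics(metrics: list, objectives: list, capabilities: dict) -> list:
    """Return (name, contribution, effort, score) tuples, best score first."""
    scored = []
    for m in metrics:
        c = contribution(m, objectives)
        e = effort(m, capabilities)
        scored.append((m.name, c, e, c / e))
    scored.sort(key=lambda t: t[3], reverse=True)
    return scored


# --- Constructed sample data (not from the paper) ---------------------------
OBJECTIVES = [
    Objective("Reduce exposure window of known vulnerabilities", 5),
    Objective("Limit unauthorized access", 3),
    Objective("Demonstrate compliance to auditors", 2),
]

# What the company can do today, on the same 1..5 maturity scale (constructed).
CAPABILITIES = {
    "vulnerability scanner": 3,
    "asset inventory": 1,
    "central IAM directory": 3,
    "document management": 2,
    "internal pentest team": 0,
}

METRICS = [
    Metric("Mean time to patch critical vulnerabilities",
           {OBJECTIVES[0].name: STRONG, OBJECTIVES[1].name: WEAK, OBJECTIVES[2].name: MODERATE},
           {"vulnerability scanner": 3, "asset inventory": 3}),
    Metric("Privileged accounts with MFA (%)",
           {OBJECTIVES[0].name: NONE, OBJECTIVES[1].name: STRONG, OBJECTIVES[2].name: MODERATE},
           {"central IAM directory": 2}),
    Metric("Security policies reviewed per year",
           {OBJECTIVES[0].name: NONE, OBJECTIVES[1].name: WEAK, OBJECTIVES[2].name: STRONG},
           {"document management": 1}),
    Metric("Exploitable findings per internal pentest",
           {OBJECTIVES[0].name: STRONG, OBJECTIVES[1].name: MODERATE, OBJECTIVES[2].name: WEAK},
           {"internal pentest team": 4, "asset inventory": 3}),
]


if __name__ == "__main__":
    for name, c, e, s in rank_metrics(METRICS, OBJECTIVES, CAPABILITIES):
        print(f"{s:6.1f}  contribution={c:5.1f}  effort={e:4.1f}  {name}")
```

With this data the pentest metric has the highest raw contribution to the objectives but the lowest score, because the company has no pentest team and a weak asset inventory; the MFA coverage metric ranks first because it is cheap to collect from the existing IAM directory. That is the kind of trade-off the abstract's two criteria are meant to surface, and changing the objective weights or capability levels moves the ranking accordingly.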