Assessing the Feasibility of Security Metrics
Heinzle B, Furnell SM
Security metrics are used to measure the effectiveness of an organisation's Information Security Management System (ISMS) as well as the sub-processes, activities and controls of the ISMS. Guidelines and example metrics have been published, but it is still difficult for an organisation to select metrics that are feasible for their environment, i.e. their ISMS.
This paper proposes a self-assessment framework that allows a user to determine security metrics that are feasible specifically for the user's ISMS. To achieve this, a metric catalogue containing 95 metrics from different sources was created. For each metric, the requirements that must be fulfilled in order to use the metric, and the ISO 27001 clauses and controls whose effectiveness the metric measures, were ascertained and assigned. From these assignments, a list of requirements was generated that can be used to describe an organisation's ISMS. During an assessment, the user indicates which requirements from this list are fulfilled. After the assessment, a list of feasible metrics, the number of feasible metrics per ISO 27001 clause and control, and other information are generated as assessment results. A software prototype was created as a proof of concept of the self-assessment framework. The results of the study were evaluated by external experts, which demonstrated the usefulness of the study and helped to identify areas of improvement and future work.
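The assessment logic the abstract describes (a catalogue of metrics, each tagged with the requirements it needs and the controls it measures; a user ticks off fulfilled requirements; feasible metrics and per-control counts come out) can be sketched in a few lines. The following is an added illustration, not the paper's prototype or its 95-metric catalogue: the four metrics, their requirement tags and their control mappings are constructed samples, with control numbers in ISO 27001:2013 Annex A style.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class Metric:
    name: str
    requirements: frozenset  # ISMS capabilities needed to compute the metric
    controls: frozenset      # ISO 27001 clauses/controls whose effectiveness it measures

# Constructed sample catalogue (illustrative only; the paper's catalogue holds 95 metrics
# and its requirement/control assignments are not reproduced here).
CATALOGUE = [
    Metric("Mean time to patch critical vulnerabilities",
           frozenset({"vulnerability_scanner", "patch_records"}), frozenset({"A.12.6.1"})),
    Metric("Share of privileged accounts reviewed in period",
           frozenset({"identity_inventory", "access_review_records"}), frozenset({"A.9.2.5"})),
    Metric("Percentage of systems forwarding logs to central SIEM",
           frozenset({"asset_inventory", "central_logging"}), frozenset({"A.12.4.1", "A.8.1.1"})),
    Metric("Security incidents per month by category",
           frozenset({"incident_register"}), frozenset({"A.16.1.4"})),
]

def requirement_list(catalogue):
    """Union of all metric requirements: the checklist a user fills in during an assessment."""
    return sorted(set().union(*(m.requirements for m in catalogue)))

def assess(catalogue, fulfilled):
    """Split the catalogue into feasible metrics and infeasible ones (with the missing
    requirements), and count feasible metrics per ISO 27001 control."""
    fulfilled = set(fulfilled)
    feasible, missing = [], {}
    for m in catalogue:
        gap = m.requirements - fulfilled
        if gap:
            missing[m.name] = sorted(gap)   # what the organisation would need to add
        else:
            feasible.append(m)
    per_control = Counter(c for m in feasible for c in m.controls)
    return feasible, missing, per_control

if __name__ == "__main__":
    # Constructed assessment: the user reports these three requirements as fulfilled.
    feasible, missing, per_control = assess(
        CATALOGUE, {"incident_register", "asset_inventory", "central_logging"})
    print("Feasible:", [m.name for m in feasible])
    print("Missing requirements:", missing)
    print("Feasible metrics per control:", dict(per_control))
```

Controls with a count of zero are the ones for which the organisation currently has no usable effectiveness metric, which is the gap view the assessment results are meant to expose.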