Security Metrics and the Risks: An Overview

International Journal of Computer Trends and Technology (IJCTT)
© 2016 by IJCTT Journal
Volume-41 Number-2
Year of Publication : 2016
Authors : Rana Khudhair Abbas Ahmed
DOI : 10.14445/22312803/IJCTT-V41P119


Rana Khudhair Abbas Ahmed  "Security Metrics and the Risks: An Overview". International Journal of Computer Trends and Technology (IJCTT) V41(2):106-112, November 2016. ISSN:2231-2803. Published by Seventh Sense Research Group.

Abstract -
Measuring information security is difficult; no single metric covers all types of devices. A security metric is a standard used to measure an organization's security. Analysts need good metrics to answer many security-related questions. Effective measurement and reporting are required to improve the effectiveness and efficiency of controls and to ensure strategic alignment in an objective, reliable, and efficient manner. This paper provides an overview of security metrics: their definition, standards, advantages, types, problems, taxonomies, and risk assessment methods. It also classifies security metrics and explains the risks associated with them.


Keywords - Security, metrics, advantages, problems, risk management.