Research Paper: Security Metrics Governance of Information

Pages: 9 (2440 words)  ·  Style: APA  ·  Bibliography Sources: 10  ·  Level: Doctorate  ·  Topic: Business - Management


[. . .] (2005) reports that a key aspect of the information security program is that of 'governance' and that the Corporate Governance Task Force report (CGTF 2004) "includes an information security governance (ISG) assessment questionnaire, intended to be useful to both private and public sectors. The ISG assessment tool focuses on the 'people' and 'process' components of an information security program and may be useful to some SCADA stakeholder organizations." (Pronto, 2008, p.19)

The Corporate Information Security Working Group (CISWG 2005), building on NIST SP 800-55 and the ISG assessment tool, is reported to have identified "best practices and supporting metrics for enterprise security programs. Most of the metrics take the form of percentages (systems, procedures, personnel) that conform to a given best practice. The CISWG best practices and supporting metrics are intended to be used by (or tailored to) enterprises of all sizes, both public and private sector. The CISWG report identifies an initial minimum baseline set of security metrics based on enterprise size." (Pronto, 2008, p.19) In addition, Stoddard et al. (2005) report that the United States Computer Emergency Readiness Team's (U.S.-CERT) Task Force on Best Practices and Standards: Corporate Governance plans to "…consider cyber security roles and responsibilities within the corporate management structure, referencing and combining best practices and metrics that bring accountability to three key elements of a cybersecurity system: people, process, and technology." (Pironti, 2008, p.19)

V. Technological Metrics

Technological metrics are stated to include: (1) the number of security events; (2) the number of patches or fixes deployed; (3) the number of technological vulnerabilities enumerated; (4) the number of media mentions and media types; (5) the cost of incident investigation and remediation; and (6) cost of controls; (7) elapsed time from identification of incident to remediation; (8) the number of attacks identified; (9) the number of policy exceptions requested; (10) the number of policy exceptions granted; and (11) the effectiveness of controls. (Pronto, 2008, p.19)
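As an added illustration (not code from the paper or from the sources it cites), the following Python computes several of the technological metrics listed above, together with a CISWG-style "percentage of systems conforming to a best practice", from a constructed set of incident, system and policy-exception records; all field names, the patch-SLA criterion and the sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Incident:
    identified: datetime      # when the event was identified
    remediated: datetime      # when remediation was confirmed
    cost_usd: float           # investigation + remediation spend
    attack: bool              # attributed to a deliberate attack
    blocked: bool             # an existing control stopped it (control effectiveness)


@dataclass
class System:
    name: str
    patched_within_sla: bool  # CISWG-style "conforms to best practice" flag


# Constructed sample records (hypothetical, not data from the paper).
INCIDENTS = [
    Incident(datetime(2024, 3, 1, 9), datetime(2024, 3, 1, 21), 1200.0, True, True),
    Incident(datetime(2024, 3, 4, 8), datetime(2024, 3, 6, 8), 5400.0, True, False),
    Incident(datetime(2024, 3, 7, 14), datetime(2024, 3, 7, 17), 300.0, False, False),
]
SYSTEMS = [System("web-01", True), System("db-01", True),
           System("hr-app", False), System("vpn-gw", True)]
POLICY_EXCEPTIONS = [("dev-team", True), ("finance", False), ("ops", True)]  # (requester, granted)


def technological_metrics(incidents, systems, exceptions):
    """Return the paper's count, cost, elapsed-time and percentage metrics as a dict."""
    hours = [(i.remediated - i.identified).total_seconds() / 3600 for i in incidents]
    attacks = [i for i in incidents if i.attack]
    conforming = sum(1 for s in systems if s.patched_within_sla)
    return {
        "security_events": len(incidents),
        "attacks_identified": len(attacks),
        "mean_hours_to_remediate": sum(hours) / len(hours) if hours else 0.0,
        "incident_cost_usd": sum(i.cost_usd for i in incidents),
        "exceptions_requested": len(exceptions),
        "exceptions_granted": sum(1 for _, granted in exceptions if granted),
        # Effectiveness of controls: share of identified attacks stopped by a control.
        "control_effectiveness_pct": 100.0 * sum(a.blocked for a in attacks) / len(attacks) if attacks else 0.0,
        # CISWG-style metric: percentage of systems conforming to the patch best practice.
        "pct_systems_patched_in_sla": 100.0 * conforming / len(systems) if systems else 0.0,
    }
```

Run against a real incident tracker export, the same function yields the baseline figures a governance report would track over time.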

Stoddard et al. (2005) report that technical metrics activities are inclusive of: (1) Common Criteria Evaluation Assurance Level (EAL); (2) NIST SP 800-53; (3) DoDI 8500.2; (4) IDS Comparison Metrics; (5) SAMATE; (6) ISECOM Risk Assessment Values; and (7) OWASP DREAD. (p.16) Major elements of technological metrics include asset classification and control, and systems development and maintenance. (p.6)

Tools for technical metrics include: (1) Common Criteria Evaluation Assurance Level (EAL), which is based on security standard assurance and is used to assess the level of assurance that security requirements have been met; (2) NIST SP 800-53, which is based on security standard functional assurance and defines the strength of security controls as low, moderate or high; (3) DoDI 8500.2, which is based on security standard function plus assurance and defines the robustness of security controls as basic, medium or high; (4) IDS Comparison Metrics, which are comparison metrics that serve to "enable comparison of IDS products based on performance and other measures"; (5) SAMATE, a technical assurance effort providing an ongoing effort to define metrics for software security assurance tools; (6) ISECOM Risk Assessment Values, a technical assurance measure that defines the level of risk associated with a system or application and prioritizes the testing level of effort; and (7) the OWASP DREAD metric, a technical assurance measure for a definitive level of risk associated with a Web application and for prioritizing the level of effort in assuring its security. (Stoddard et al., 2005, p.6)

VI. Limitations

The work of Brotby (nd) states that limitations exist in some metrics solutions, including some of the proprietary solutions, since these provide "a snapshot in time" as opposed to an ongoing "real-time measure" of technical security effectiveness that is able to capture changes as they occur. The work of McQueen (2008) reports that the measurement of security "…is an extremely difficult problem partly because the technology is complex and because security is aimed at protecting against an unpredictable intelligent adversary. The value of the proposed security ideals and technical metrics now need to be applied over time in an industrial setting and correlated with actual attacks on the associated control systems." (p.10)

In addition, it is reported by McQueen et al. (2008) that there has been shown a "need for more control system security research into security models and measurement tools. The research should include the development of more technical metrics that would provide either greater coverage of security issues or improved correlation to security. Measures we are considering for investigation include the extension of attack surface concepts to control system and facility level security, improved measures and models of detection performance, and the value of various security testing processes." (p.11)

Summary and Conclusion

This study has examined governance metrics and technical metrics and reported the various metrics in each of these areas that are used to measure information security in the organization. Interest in security metrics has been found to be increasing, and the focus on governance in the organization has highlighted the need for measurement and reporting that is accurate. Metrics and measures are held as standards for measurement that affect decision making and that are supported by quantifying relevant data, where measurement refers to the process by which they are obtained. The characteristics of good metrics have been examined, specifically along the two dimensions of governance metrics and technical metrics. While these metrics are needed and useful, this study has found that these metrics alone are not enough to ensure organizational security due to inherent limitations in the present methods of measurement.


Barabanov, R., Kowalski, S., & Yngstrom, L. (2011). Information Security Metrics: State of the Art. Retrieved from:

Brotby, K (nd) Information Security… [END OF PREVIEW]


Cite This Research Paper:

APA Format

Security Metrics Governance of Information.  (2012, September 28).  Retrieved May 19, 2019, from
