Improving residual risk management through the use of security metrics

Jonathan Pagett

(2010)

Jonathan Pagett (2010) Improving residual risk management through the use of security metrics.

Full text access: Open

Full Text - 1.16 MB

Abstract

Introduction

Reported security breaches over the last three years suggest that a large number of security procedures are not currently operating at full effectiveness. Breaches have ranged from the loss of the personal details of 25 million UK citizens to the disclosure of national security information assets. It is highly likely that the organisations involved performed risk assessments for their information assets and implemented a range of security controls to manage those risks, so that the resulting residual risks fell within their risk appetites. But as investigations into security breaches have shown, these controls are often ignored, bypassed or incorrectly implemented [ICO07]. Organisations may not currently understand how ineffectively their security controls are being managed, and so carry a higher risk exposure than they believe, because controls are operating below their optimal effectiveness. By introducing real-world effectiveness measurements into its risk management activities, an organisation can improve its understanding of its current risk exposure.

Research

We have found that a number of organisational issues exist with the use of security metrics to measure control effectiveness, which can be summarised as follows:

* Metrics that measure effectiveness can be difficult to define.
* The resulting measurements can be difficult for non-security professionals to interpret.
* Effectiveness metrics cannot easily be compared, so an organisation's performance cannot be benchmarked.

Our research has concluded that there is a gap in current IT governance models and management best practices: none of them defines how to measure the effectiveness of security controls. While these standards do recognise the requirement for continual assessment of operational effectiveness, the definition of the measurements and how to interpret the results are left to the organisation.

Information Security Effectiveness Framework (ISEF)

This project introduces ISEF, a framework that assists organisations in defining, visualising and comparing security metrics. The framework groups controls by their implementation type and temporal objective, so that the characteristics the controls in a group share can be measured in a common way. It uses the relationship between controls and risks to align security metrics with organisational risk, and visualises the results to direct remedial effort. ISEF is designed to complement current IT governance models and standards such as COBIT and ISO 27002: those models and standards define what should be done, and ISEF supplies the how. ISEF also provides a method of comparing security metrics modelled on financial stock market indices. This allows the management of security controls to be compared between organisations, so that an organisation can benchmark itself against its peers without revealing specific security control information.

Conclusion

A case study using ISEF has shown that the framework provides a method for defining metrics that yield real-world data with which to revise current residual risk levels. For organisations with a risk management approach, the framework can visualise effectiveness in the context of risk, allowing resources to be focused on improving security management where it will achieve the greatest risk reduction.
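The abstract's central idea is to feed measured control effectiveness back into residual risk, rank risks by where the assumed and real-world figures diverge, and summarise the measurements as a base-100 index that can be compared between organisations without disclosing individual controls. The Python below is an added illustration of that idea and is not code or formulas from the report: the multiplicative reduction model, the 1..5 likelihood and impact scale, the risk-weighted index and every sample figure are assumptions made for this example.

```python
"""Added example (not from the report): measured control effectiveness as an
input to residual risk, with the result summarised as a base-100 index.

Assumptions for illustration only: a 1..5 likelihood/impact scale, a
multiplicative reduction model, risk-weighted index weights and all sample data.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Control:
    cid: str
    implementation: str   # implementation type, e.g. "technical" or "procedural"
    objective: str        # temporal objective: "preventive", "detective", "corrective"
    measured: float       # real-world effectiveness in [0, 1] from an operational metric


@dataclass(frozen=True)
class Risk:
    rid: str
    likelihood: int       # assumed 1..5 scale
    impact: int           # assumed 1..5 scale
    treatments: dict      # control id -> fraction of the risk the assessment credited to it

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact


# Constructed sample data: effectiveness values stand in for hypothetical
# operational metrics (e.g. share of hosts patched within SLA).
CONTROLS = {
    "C1": Control("C1", "technical", "preventive", 0.80),   # patching
    "C2": Control("C2", "procedural", "corrective", 0.50),  # leaver access revocation
    "C3": Control("C3", "procedural", "detective", 0.25),   # log review
    "C4": Control("C4", "technical", "preventive", 0.90),   # removable-media encryption
}
RISKS = [
    Risk("R1", 4, 4, {"C1": 0.6, "C3": 0.3}),  # compromise of an unpatched server
    Risk("R2", 3, 5, {"C2": 0.7, "C3": 0.3}),  # misuse of an ex-employee's account
    Risk("R3", 3, 5, {"C4": 0.8}),             # loss of unencrypted removable media
]


def assumed_residual(risk):
    """Residual risk as the assessment recorded it: every control fully effective."""
    value = float(risk.inherent)
    for reduction in risk.treatments.values():
        value *= 1.0 - reduction
    return value


def measured_residual(risk, controls):
    """Residual risk with each credited reduction scaled by measured effectiveness."""
    value = float(risk.inherent)
    for cid, reduction in risk.treatments.items():
        value *= 1.0 - reduction * controls[cid].measured
    return value


def remediation_priority(risks, controls):
    """Risk ids ordered by how far real-world residual risk exceeds the assumed figure."""
    gaps = {r.rid: measured_residual(r, controls) - assumed_residual(r) for r in risks}
    return sorted(gaps, key=gaps.get, reverse=True)


def group_effectiveness(controls, attribute):
    """Mean measured effectiveness per implementation type or per temporal objective."""
    groups = {}
    for c in controls.values():
        groups.setdefault(getattr(c, attribute), []).append(c.measured)
    return {name: mean(values) for name, values in groups.items()}


def control_weights(risks):
    """Weight each control by the inherent risk it is credited with treating."""
    weights = {}
    for r in risks:
        for cid in r.treatments:
            weights[cid] = weights.get(cid, 0) + r.inherent
    return weights


def weighted_effectiveness(controls, weights):
    """Risk-weighted mean of measured effectiveness across all controls."""
    total = sum(weights.values())
    return sum(weights[cid] * c.measured for cid, c in controls.items()) / total


def effectiveness_index(current, base_value, base=100.0):
    """Base-100 index built like a price index: only the ratio to a base period is
    published, so peers can compare trends without seeing individual control data."""
    return base * current / base_value


if __name__ == "__main__":
    for rid in remediation_priority(RISKS, CONTROLS):
        risk = next(r for r in RISKS if r.rid == rid)
        print(rid, round(assumed_residual(risk), 2), round(measured_residual(risk, CONTROLS), 2))
    print(group_effectiveness(CONTROLS, "objective"))
    current = weighted_effectiveness(CONTROLS, control_weights(RISKS))
    print(round(effectiveness_index(current, base_value=0.50), 1))
```

With these figures R2 rises to the top of the remediation list even though its assessed residual risk was lower than R1's: the revocation control it relies on is only half effective in practice, which is exactly the kind of gap the abstract says assessments alone do not reveal. The `base_value` passed to the index is the weighted effectiveness in whatever period the organisation chooses as its base.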

Information about this Version

This is a Published version
This version's date is: 31/03/2010
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/ec5d2dad-6a7d-8f77-b56b-e5794cad8320/1/

Item Type: Monograph (Technical Report)
Title: Improving residual risk management through the use of security metrics
Authors: Pagett, Jonathan
Departments: Faculty of Science\Mathematics

Deposited on 23-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.

References

[BS05] B von Solms, Information Security governance: COBIT or ISO 17799 or both?, Computers
& Security, Volume: 24, Issue: 2, March 2005, Page: 99-104

[NIST09] W Jansen, Directions in Security Metrics Research, NIST 7564, March 2009

[OGC08] Aligning CobiT 4.1, ITIL V3 and ISO/IEC 27002 for Business Benefit, Office of
Government Commerce, 2008

[FRANKLAND08] Frankland, IT security metrics: implementation and standards compliance,
Network security, 2008, Volume: 8, Issue: 6 Page: 6 -9

[LORD04] Lord, ISACA model curricula 2004, International journal of accounting information
systems, 2004, Volume: 5 Issue: 2 Page: 251 -265

[NOSWORTHY00] Nosworthy, A Practical Risk Analysis Approach: Managing BCM Risk,
Computers & security 2000 Volume: 19, Issue: 7 Page: 596 -614

[GVIB06] GvIB Expert Letter, Henk Bel, September 2006, ISSN 1872-4884, Volume: 1 - No. 2

[BERR08] Department of Business Enterprise & Regulatory Reform, 2008 Information
Security Breaches Survey, Technical Report, April 2008

[ISO05] International Organisation for Standardization, ISO/IEC 27002:2005(E) Information
technology – Security techniques – Code of practice for information security management,
First Edition, 2005-10-15, 4.2.2d

[NIST03] M Swanson, N Bartol, J Sabato, J Hash, L Graffo, Computer Security - Security
Metrics Guide for Information Technology Systems, NIST Special Publication 800-55, July
2003

[JAQUITH07] A Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt, Addison-
Wesley Professional; 1st Edition, 5th April 2007

[NEW08] A Shostack, A Stewart, The New School of Information Security, Addison-Wesley,
2008

[WRIGHT08] C Wright, The IT Regulatory and Standards Compliance Handbook - How to
Survive Information Systems Audit and Assessments, Syngress, 2008

[HAB00] R B Haber and D A McNabb, “Visualization Idioms: A Conceptual Model for Scientific
Visualization Systems”, Visualization in Scientific Computing, IEEE, Page: 74-93, 1990

[ITGI07] COBIT 4.1 Excerpt, Executive Summary Framework, IT Governance Institute, 2007

[ISS08] SSE-CMM: Systems Security Engineering Capability Maturity Model,
International Systems Security Engineering Association (ISSEA),
http://www.ssecmm.org/metric/metric.asp - Visited 20th July 2009.

[CUNNINGHAM05] C Cunningham, Enterprise Risk Management: The COSO Framework,
Ethics Resource Centre, 31st December 2005

[SOX02] Sarbanes-Oxley Act of 2002, 107th Congress of the United States of America, H.R.
3763, 23rd January 2002

[ISO07] ISO/IEC 15939:2007 - Systems and software engineering - Measurement process,
International Organization for Standardization, 2007

[EPA] Environmental Protection Agency, United States,
http://www.epa.gov/evaluate/glossary/e-esd.htm - Visited 20th July 2009.

[FRANCIS04] A Francis, Business Mathematics and Statistics, Cengage Learning EMEA, 6th Edition,
2004, Page: 259

[NASDAQ05] Ground Rules for the Management of the FTSE NASDAQ Index Series, NASDAQ
FTSE, Version 1, June 2005

[ICO07] R Thomas, Confidential details lost by Revenue and Customs, Information
Commissioner's Office, 20th November 2007

[ISO09] International Organisation for Standardization, Draft ISO/IEC 27004 Information
technology – Security techniques – Information security management - Measurements, Final
committee draft, Version 8.0, 2009
