Home > Research > Publications & Outputs > Contextualising and aligning security metrics a...

Links

Text available via DOI:

View graph of relations

Contextualising and aligning security metrics and business objectives: A GQM-based methodology

Research output: Contribution to journalJournal articlepeer-review

Published

Standard

Contextualising and aligning security metrics and business objectives : A GQM-based methodology. / Philippou, E.; Frey, S.; Rashid, A.

In: Computers and Security, Vol. 88, 101634, 31.01.2020.

Research output: Contribution to journalJournal articlepeer-review

Harvard

APA

Vancouver

Author

Bibtex

@article{9fec0001357d488885a5ac2a31fb5176,
title = "Contextualising and aligning security metrics and business objectives: A GQM-based methodology",
abstract = "Pre-defined security metrics suffer from the problem of contextualisation, i.e. a lack of adaptability to particular organisational contexts – domain, technical infrastructure, stakeholders, business process, etc. Adapting metrics to an organisational context is essential (1) for the metrics to align with business requirements (2) for decision makers to maintain relevant security goals based on measurements from the field. In this paper we propose Symbiosis, a methodology that defines a goal elicitation and refinement process mapping business objectives to security measurement goals via the use of systematic templates that capture relevant context elements (business goals, purpose, stakeholders, system scope). The novel contribution of Symbiosis is the well-defined process, which enforces that (1) metrics align with business objectives via a top-down derivation that refines top-level business objectives to a manageable granularity (2) the impact of metrics on business objectives is explicitly traced via a bottom-up feedback mechanism, allowing an incremental approach where feedback from metrics influences business goals, and vice-versa. In this paper, we discuss the findings from applying Symbiosis to three case studies of known security incidents. Our analysis shows how the aforementioned pitfalls of security metrics development processes affected the outcome of these high-profile security incidents and how Symbiosis addresses such issues.",
keywords = "Security metrics, Security decision-making, Contextual metrics, Metrics development process, Goal-question-metric (GQM)",
author = "E. Philippou and S. Frey and A. Rashid",
year = "2020",
month = jan,
day = "31",
doi = "10.1016/j.cose.2019.101634",
language = "English",
volume = "88",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Ltd",

}

RIS

TY - JOUR

T1 - Contextualising and aligning security metrics and business objectives

T2 - A GQM-based methodology

AU - Philippou, E.

AU - Frey, S.

AU - Rashid, A.

PY - 2020/1/31

Y1 - 2020/1/31

N2 - Pre-defined security metrics suffer from the problem of contextualisation, i.e. a lack of adaptability to particular organisational contexts – domain, technical infrastructure, stakeholders, business process, etc. Adapting metrics to an organisational context is essential (1) for the metrics to align with business requirements (2) for decision makers to maintain relevant security goals based on measurements from the field. In this paper we propose Symbiosis, a methodology that defines a goal elicitation and refinement process mapping business objectives to security measurement goals via the use of systematic templates that capture relevant context elements (business goals, purpose, stakeholders, system scope). The novel contribution of Symbiosis is the well-defined process, which enforces that (1) metrics align with business objectives via a top-down derivation that refines top-level business objectives to a manageable granularity (2) the impact of metrics on business objectives is explicitly traced via a bottom-up feedback mechanism, allowing an incremental approach where feedback from metrics influences business goals, and vice-versa. In this paper, we discuss the findings from applying Symbiosis to three case studies of known security incidents. Our analysis shows how the aforementioned pitfalls of security metrics development processes affected the outcome of these high-profile security incidents and how Symbiosis addresses such issues.

AB - Pre-defined security metrics suffer from the problem of contextualisation, i.e. a lack of adaptability to particular organisational contexts – domain, technical infrastructure, stakeholders, business process, etc. Adapting metrics to an organisational context is essential (1) for the metrics to align with business requirements (2) for decision makers to maintain relevant security goals based on measurements from the field. In this paper we propose Symbiosis, a methodology that defines a goal elicitation and refinement process mapping business objectives to security measurement goals via the use of systematic templates that capture relevant context elements (business goals, purpose, stakeholders, system scope). The novel contribution of Symbiosis is the well-defined process, which enforces that (1) metrics align with business objectives via a top-down derivation that refines top-level business objectives to a manageable granularity (2) the impact of metrics on business objectives is explicitly traced via a bottom-up feedback mechanism, allowing an incremental approach where feedback from metrics influences business goals, and vice-versa. In this paper, we discuss the findings from applying Symbiosis to three case studies of known security incidents. Our analysis shows how the aforementioned pitfalls of security metrics development processes affected the outcome of these high-profile security incidents and how Symbiosis addresses such issues.

KW - Security metrics

KW - Security decision-making

KW - Contextual metrics

KW - Metrics development process

KW - Goal-question-metric (GQM)

U2 - 10.1016/j.cose.2019.101634

DO - 10.1016/j.cose.2019.101634

M3 - Journal article

VL - 88

JO - Computers and Security

JF - Computers and Security

SN - 0167-4048

M1 - 101634

ER -