The Computer Journal Advance Access published online on November 3, 2009
The Computer Journal, doi:10.1093/comjnl/bxp094
Security Metrics Foundations for Computer Security
ek*
Faculty of Computer and Information Science, University of Ljubljana, Tr
a
ka c. 25, 1000 Ljubljana, Slovenia
* Corresponding author: denis.trcek{at}fri.uni-lj.si
Received 11 February 2009; revised 20 August 2009
Security has been among top priority in computer information systems for more than a decade. Despite the importance of this area, it is interesting to note that the area still lacks (completeness of) one of its basic elements of scientific arsenal, which is metric. This paper therefore presents the situation in this field by giving an analysis of existing metrics that could serve the above-mentioned purpose. Further, it presents a generic risk management model, and gives an analysis of possibilities for application of these existing metrics to the model. It also introduces new metric elements, where these are lacking. As a result, means are provided that enable evaluation of security in information technology systems in a tangible way. Such an approach is essential for every organization in business areas ranging from economical justifications for new security implementations to customized security services with appropriate service costs calculations, and even development of new business models.
Key Words: computer security • risk management • security metrics • economics of security