08-08-2014, 12:29 PM
Towards Better Information Security Management by Understanding Security Metrics and Measuring Processes
Abstract
In order to better understand the achieved information
security level in a product, system or organisation,
information security managers must be able to get input from
security objects. The use of information security metrics in
certain Finnish industrial companies and State institutions,
and its relation to the literature is studied. The techniques
used in the implementation and analysis of metrics, as well as
their usefulness and future targets are studied. The results of
the interviews clearly show that measuring information
security is considered important, but the benefits of such
measurements can only be seen when the use of metrics is
applied as a process with the experience gained from the use
of historical data.
Introduction
Information security management and paper production do
not seem to have much in common. Nowadays paper machine
technology is able to produce high-quality multi-layer
laminate paper. In the near future, printed solar cells,
semiconductor devices or RFID tags will become reality
using the same technological basis. Production and products
can only be managed using well-organised control processes.
Paper production factories, like many other automation
factories, are deploying a large collection of production
processes where measurement information from different
parts of the processes forms the basis for controlling
decisions. Sensors and other measurement devices are vital to
the processes. It is a widely accepted principle that an activity
cannot be managed well if it cannot be measured.
If the automation industry can achieve the required level of
quality by measuring the production processes, could
organisations use appropriate measurements and control to
reach the desired level of security? In 2004, we carried out a
survey in some Finnish industrial companies and
Methods of Measurement
Jonsson (2003) [7] sorts the methods of security measurement
into the following techniques: risk analysis, certification and
measures of the intrusion process.
Risk analysis is an estimation of the probability of
specific intrusions and their consequences and costs, and it can
be thought of as a trade-off against the corresponding costs for
protection.
Certification is the classification of the system into classes
based on design characteristics and security mechanisms: "The
'better' the design is, the more secure the system."
Measures of the intrusion process means statistical
measurement of a system based on the effort it takes to make
an intrusion: "The harder it is to make an intrusion, the more
secure the system."
In addition to these methods, it is justifiable to consider
auditing as a measurement technique for information security.
Furthermore, we could add the following remarks to
Jonsson's classification:
components:
The object being measured,
The security objectives, i.e. the "measuring rod" the
object is being measured against, and
The method of measurement.
The security objectives typically consist of security
requirements, such as specifications or standards, e.g.
Common Criteria (CC) [1] Protection Profiles.
Despite the advances in the field, the research lacks proposals
to measure the overall information security. Common sense
tells us that in reality there is only one kind of security —
whether or not the system as a whole is secure at the required
level.
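The following is an added example, not code from the paper or the interview study. It puts the three components of a measurement named above (the object, the security objective as "measuring rod", and the method) into a small record with a history of values, and applies Jonsson's risk-analysis technique as a trade-off between the expected loss from a specific intrusion and the cost of protecting against it. The measurement period (one year), the "lower is better" reading of the metric, and all figures are constructed assumptions.

```python
"""Security measurement as a process: risk-analysis trade-off plus a metric
with history. Added illustration; the period, the direction of the objective
and the sample figures are assumptions, not values from the study."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class IntrusionScenario:
    """A specific intrusion with its estimated likelihood and consequence cost."""
    name: str
    probability: float       # probability of the intrusion within the measurement period
    consequence_cost: float  # cost if the intrusion is realised, same currency as protection


@dataclass(frozen=True)
class Protection:
    """A countermeasure with its cost and the fraction by which it lowers the probability."""
    name: str
    cost: float
    probability_reduction: float  # 0.0 (no effect) .. 1.0 (intrusion prevented)


def expected_loss(scenario: IntrusionScenario) -> float:
    """Core of the risk-analysis technique: expected loss = probability x consequence cost."""
    return scenario.probability * scenario.consequence_cost


def protection_tradeoff(scenario: IntrusionScenario,
                        protection: Protection) -> Tuple[float, float, float]:
    """Trade the reduction in expected loss against the cost of protection.

    Returns (loss_before, loss_after, net_benefit). A positive net benefit means
    the protection removes more expected loss than it costs.
    """
    if not 0.0 <= protection.probability_reduction <= 1.0:
        raise ValueError("probability_reduction must be between 0 and 1")
    loss_before = expected_loss(scenario)
    residual = IntrusionScenario(
        scenario.name,
        scenario.probability * (1.0 - protection.probability_reduction),
        scenario.consequence_cost,
    )
    loss_after = expected_loss(residual)
    return loss_before, loss_after, loss_before - loss_after - protection.cost


@dataclass
class Metric:
    """One security measurement: the object measured, the objective it is measured
    against (the "measuring rod"), the method used, and the history of values.
    Convention assumed here: a lower value is better."""
    measured_object: str
    objective: float
    method: str
    history: List[Tuple[str, float]] = field(default_factory=list)  # (period, value)

    def record(self, period: str, value: float) -> None:
        self.history.append((period, value))

    def meets_objective(self) -> bool:
        """Compare the latest value against the objective; False if nothing measured yet."""
        return bool(self.history) and self.history[-1][1] <= self.objective

    def trend(self) -> str:
        """Direction of change across the recorded history; needs at least two points,
        which is why a single measurement on its own says little."""
        if len(self.history) < 2:
            return "insufficient history"
        first, last = self.history[0][1], self.history[-1][1]
        if last < first:
            return "improving"
        if last > first:
            return "worsening"
        return "stable"


# Constructed sample figures (assumptions for illustration only).
PHISHING = IntrusionScenario("credential phishing of staff",
                             probability=0.30, consequence_cost=200_000.0)
AWARENESS_TRAINING = Protection("annual awareness training",
                                cost=15_000.0, probability_reduction=0.50)

if __name__ == "__main__":
    before, after, net = protection_tradeoff(PHISHING, AWARENESS_TRAINING)
    print(f"expected loss before: {before:.0f}, after: {after:.0f}, net benefit: {net:.0f}")

    click_rate = Metric("staff", objective=5.0,
                        method="simulated phishing click rate (%)")
    for period, rate in [("2004-Q1", 12.0), ("2004-Q2", 9.5), ("2004-Q3", 6.0)]:
        click_rate.record(period, rate)
    print(click_rate.meets_objective(), click_rate.trend())
```

The `Metric` record is deliberately separate from the trade-off calculation: the object, objective and method describe what is measured and against what, while the recorded history is what turns a single reading into a process whose direction can be judged.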
Nature of Information Security
Information security is a concept that still lacks unambiguous
definitions. It is important to understand the nature of
information security when developing methods for measuring
it. A common way to try to understand information security is
to find different dimensions of it, such as confidentiality,
integrity and availability. However, it is only rarely noted that
the value of this classification is only to help us to handle the
abstract phenomena involved in information security in a
concrete way. We might see an information security event in
one dimension. However, other events might contribute to
this event a lot. Consequently, cross-relationships between
Interview Study
The goal of our interview study was to find out how Finnish
industrial companies and State institutions measure their
information security management. During the first half of
2004, we conducted eight interviews in different types of
major industrial companies and institutions, and then
analyzed the results using the interpretative analysis method
[10, 11]. All interviewees were responsible for, or at least
aware of, their own organisations' practices in the field of
information security management.
The questions used in the interview are shown in Table
Some Results
The interview study clearly shows that the use of information
security metrics is most beneficial when applied as a process.
Personnel behaviour is one of the most critical issues to be
measured. However, there are restricting factors: privacy
protection and the requirements of legislation. Some specific
needs for measurements discovered in the interview are
summarised in Table 2.
There is a need for knowledgeable management that
understands the importance of managing information security
and providing information security managers with enough
authority to improve metrics development. Allocation of
responsibility is considered an important factor that affects
the quality of the implemented metrics.
Conclusions
There are no well-established processes or methods to
measure information security. To a great extent, different
organisations have developed and deployed their own
methods in measurements. However, the normal conduct of
business includes several collaborative organisations and
information security management is a common goal for all of
them. Therefore, standard methods to offer feedback for
decisions are needed.
The research related here was the starting point for broader
work. When a single organisation improves its security, it has
positive implications for all of society. But on the other hand,
this only means better security for a single organisation. Only
after developing a common approach to better security for all
organisations does it have valuable meaning for business.