The SMART approach to develop good cyber security metrics

Abstract

Abstract When it comes to the need to manage cyber security, identifying and utilising good cyber security metrics is essential. This allows organisations to manage their cyber risk more effectively. However, the literature lacks consensus on properties and characteristics of good metrics. We join the current efforts that aim at closing this gap. Hence, the main two objectives of this work are firstly to explore and identify relevant cyber security metrics proposed by researchers in the cyber security domain, and then to assess them against the SMART (Specific, Measurable, Actionable, Relevant, and Timely) criteria to determine their feasibility and improve the quality of the selected security metrics. We identified 100 relevant metrics, of which 22 were able to be assessed against the SMART criteria. The resulting set of metrics can be considered as feasible set of metrics to implement. Additionally, we have identified the properties that a good metric should possess, most of which can be regarded as variants of the SMART criteria. Consequently, we extend the subcategories proposed by [1] to enhance the categorisation of metrics. The proposed subcategories are user, interface-induced, and software vulnerabilities; preventative, reactive, proactive defence strength; zero-day, targeted, botnet, malware, and evasion techniques; and security state, incidents, and investment. We propose to include the following: configuration management, access control management, backup and restore, security audit, security testing, and security training. Additionally, we recommend including two additional elements when assessing metrics wherein the metrics should be inexpensive to gather and independently verifiable via an outside reference.