Affiliation:
1. De Montfort University
2. University Institute of Lisbon
Abstract
Abstract
When it comes to the need to manage cyber security, identifying and utilising good cyber security metrics is essential. This allows organisations to manage their cyber risk more effectively. However, the literature lacks consensus on properties and characteristics of good metrics. We join the current efforts that aim at closing this gap. Hence, the main two objectives of this work are firstly to explore and identify relevant cyber security metrics proposed by researchers in the cyber security domain, and then to assess them against the SMART (Specific, Measurable, Actionable, Relevant, and Timely) criteria to determine their feasibility and improve the quality of the selected security metrics. We identified 100 relevant metrics, of which 22 were able to be assessed against the SMART criteria. The resulting set of metrics can be considered as feasible set of metrics to implement. Additionally, we have identified the properties that a good metric should possess, most of which can be regarded as variants of the SMART criteria. Consequently, we extend the subcategories proposed by [1] to enhance the categorisation of metrics. The proposed subcategories are user, interface-induced, and software vulnerabilities; preventative, reactive, proactive defence strength; zero-day, targeted, botnet, malware, and evasion techniques; and security state, incidents, and investment. We propose to include the following: configuration management, access control management, backup and restore, security audit, security testing, and security training. Additionally, we recommend including two additional elements when assessing metrics wherein the metrics should be inexpensive to gather and independently verifiable via an outside reference.
Publisher
Research Square Platform LLC
Reference35 articles.
1. A survey on systems security metrics;Pendleton M;ACM Computing Surveys.,2016
2. Patrinos, H.: You Can’t Manage What You Don’t Measure. Available at https://blogs.worldbank.org/education/you-can-t-manage-what-you-don-t-measure (2014). Accessed 24 May 2023
3. Boyer, W., McQueen, M.: Ideal based cyber security technical metrics for control systems. In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). pp. 246–260 (2008)
4. Abraham, S., Nair, S.: Exploitability analysis using predictive cybersecurity framework. In: Proceedings – 2015 IEEE 2nd International Conference on Cybernetics, CYBCONF 2015. pp. 317–323 (2015)
5. Ahmed, Y., Naqvi, S., Josephs, M.: Cybersecurity Metrics for Enhanced Protection of Healthcare IT Systems. (2019)