Page 173 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY

Unit 12: Security Metrics and Privacy




Risk Management: Metrics that calculate threat probability, vulnerability, countermeasure
coverage and asset value yield consequences that can be used to model risk.

Budget Management: Metrics that determine level of effort, impact, and what is obtainable can be
transformed into dollar values for the purpose of establishing budgets as well as computing
return on investment.

Audit & Compliance Assessment (Internal or External): Metrics that measure policy
compliance for individuals as well as groups of definitions yield results that can
enhance reports generated by compliance tools.

Security Operations: Metrics that collect data over time can be used to recognize trends
that suggest particular actions to be taken by data center operations staff.

          12.2.3 Issues/Aspects of Security Measurement


Insights into some significant aspects of security measurement are illustrated below. The
idea is not to give a list of general drawbacks; rather, the objective is to emphasize those factors
that are likely to be relevant to a research effort in security metrics.

1.   Correctness and Effectiveness: Correctness signifies assurance that the security-enforcing
     techniques have been correctly implemented (i.e., they do exactly what they are intended to do,
     such as performing some calculation). Effectiveness signifies assurance that the security-enforcing
     techniques of the system meet the declared security objectives (i.e., they do not do anything
     other than what is intended for them to do, while fulfilling expectations for resiliency).
2.   Leading versus Lagging Indicators: Leading and lagging indicators reflect security
     circumstances that exist respectively before or after a shift in security. A lagging
     security metric with a short latency period or lag time is favored over one with a long
     latency period. Many security metrics can be viewed as lagging indicators.
3.   Organizational Security Objectives: Organizations exist for different reasons, hold
     different assets, have dissimilar exposure to the public, face dissimilar threats, and have
     dissimilar tolerances to risk. Due to these and other differences, their security objectives
     can vary considerably. Security metrics are usually used to determine how well an
     organization is fulfilling its security objectives.
4.   Qualitative and Quantitative Properties: Qualitative assignments can be used to
     represent quantitative measures of security properties (e.g., low means no
     vulnerabilities found; medium, between one and five found; and high, more than five
     found). Quantitative valuations of numerous security properties may also be weighted
     and combined to derive a composite value.
5.   Measurements of the Large Versus the Small: Security measurements have proven to be
     much more successful when the target of evaluation is small and simple rather than large
     and complex. As the number of components in a system increases, the number of possible
     interactions grows with the square of the number of components.
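As an added worked example (not from the textbook), the following Python turns item 4 and the Risk Management paragraph above into code: the low/medium/high banding of vulnerability counts, a weighted composite of several measures, and a risk figure over threat probability, vulnerability, countermeasure coverage and asset value. The sample counts are constructed, and the multiplicative risk formula is an assumption chosen for illustration, not a formula the text gives.

```python
from typing import Dict

# Constructed sample input: unresolved vulnerability counts per system
# from an assessment (not real data).
SAMPLE_VULN_COUNTS: Dict[str, int] = {"web-portal": 0, "db-server": 3, "legacy-app": 7}


def qualitative_band(vuln_count: int) -> str:
    """Map a count to the bands in item 4: 0 -> low, 1..5 -> medium, >5 -> high."""
    if vuln_count < 0:
        raise ValueError("vulnerability count cannot be negative")
    if vuln_count == 0:
        return "low"
    if vuln_count <= 5:
        return "medium"
    return "high"


def band_systems(counts: Dict[str, int]) -> Dict[str, str]:
    """Apply qualitative_band to every system in an assessment."""
    return {system: qualitative_band(n) for system, n in counts.items()}


def composite_score(measures: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted combination of several 0..1 measures into one composite value."""
    if set(measures) != set(weights):
        raise ValueError("every measure needs exactly one weight")
    for name, value in measures.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"measure {name!r} must lie in [0, 1]")
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return sum(measures[k] * weights[k] for k in measures) / total


def risk_exposure(threat_probability: float, vulnerability: float,
                  countermeasure_coverage: float, asset_value: float) -> float:
    """Assumed illustrative model over the four risk-management factors: how likely
    the threat is, how likely it succeeds on an uncovered asset, the fraction the
    countermeasures leave uncovered, and the asset's value (units of asset_value)."""
    for name, p in (("threat_probability", threat_probability), ("vulnerability", vulnerability),
                    ("countermeasure_coverage", countermeasure_coverage)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1]")
    if asset_value < 0:
        raise ValueError("asset_value cannot be negative")
    return threat_probability * vulnerability * (1.0 - countermeasure_coverage) * asset_value
```

Full countermeasure coverage drives the exposure to zero, and raising any single factor scales the figure linearly, which is what makes such a model easy to explain but crude for real decisions.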



Did u know?  Greater complexity and functionality usually relate inversely to security and
need more scrutiny to evaluate.





Task  Make a distinction between qualitative and quantitative properties.




                                           LOVELY PROFESSIONAL UNIVERSITY                                   167