Abstract
The evolution of ICT and the accelerated adoption process in all sectors of activity have revealed immense cybersecurity threats, which can definitively compromise this evolution and with a heavy impact. The problem, the technological and human vulnerabilities, and the possible solutions have been intensely studied and standardised, and it is now widely recognised that cybersecurity is, in essence, a risk management activity. However, to manage something, it is necessary to have metrics, and only a few aspects of cybersecurity are easily and understandably measurable. This article presents a systematic approach to cybersecurity and risk management, emphasising how to obtain appropriate security metrics and focusing on the industrial sector. For this, we use the most well-known standards illustrated with examples extracted from a typical industrial environment. An outline of a taxonomy of metrics and a framework for their identification and application are presented. It also discusses a continuous certification model that derives from the metrics model and aligns with one of the emerging standards to address cybersecurity in industrial environments (ISA/IEC 62443). The article ends by discussing some of the challenges facing the adoption of a metrics program suitable for organisations’ information security objectives.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Ahmed Y, Naqvi S, Josephs M (2019) Cybersecurity metrics for enhanced protection of healthcare it systems. In: 2019 13th International Symposium on Medical Information and Communication Technology (ISMICT), Oslo, Norway, IEEE, pp 1–9
Aldya AP, Sutikno S, Rosmansyah Y (2019) Measuring effectiveness of control of information security management system based on sni iso/iec 27004: 2013 standard. IOP Conference Series
Amran AR, Phan RCW, Parish DJ (2009) Metrics for network forensics conviction evidence. In: 2009 International Conference for Internet Technology and Secured Transactions, (ICITST), London, UK, IEEE, pp 1–8. Materials Science and Engineering 550:012020, https://doi.org/10.1088/1757-899X/550/1/012020.
Anu V (2021) Information security governance metrics: a survey and taxonomy. Inform Secur J Glob Persp:1–13. https://doi.org/10.1080/19393555.2021.1922786
Barabanov R, Kowalski S, Yngström L, Yngstrom L (2011) Information security metrics state of the art. Tech. Rep., Stockholm University, DSV Report series No 11-007, https://www.diva-portal.org/smash/record.jsf?pid=diva2:469570, cit. 2 Scholar 4/2021
Bodnar GH, Hopwood WS (2001) Accounting information systems, vol 8. Prentice Hall, London
Casola V, De Benedictis A, Rak M, Villano U (2018) A security metric catalogue for cloud applications. In: Complex, Intelligent, and Software Intensive Systems: Proceedings of the 11th International Conference on Complex, Intelligent, and Software Intensive Systems (CISIS- 2017), Springer, pp 854–863
Chew E, Swanson M, Stine K, Bartol N, Brown A, Robinson W (2008) Nist sp 800-55 revision 1 - performance measurement guide for information security. Tech. rep., NIST National Institute of Standards and Technology, https://csrc.nist.rip/CSRC/media/Events/ISPAB-SEPTEMBER-2007-MEETING/documents/Barker_ISPAB_Sept2007-SP800-55R1.pdf
da Silva Oliveira A, Santos H (2022) Continuous industrial sector cybersecurity assessment paradigm: Proposed model of cybersecurity certification. In: 2022 18th International Conference on the Design of Reliable Communication Networks (DRCN), Vilanova i la Geltrú, Spain, IEEE, pp 1–6, https://doi.org/10.1109/DRCN53993.2022.9758022
EDUCAUSE (2017) Effective security metrics. https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/toolkits/effective-security-metrics. Accessed 22 Apr 2022
Fielding J (2020) The people problem: how cyber security’s weakest link can become a formidable asset. Comput Fraud Secur 2020(1):6–9. https://doi.org/10.1016/S1361-3723
Hou J, Li Y, Yu J, Shi W (2020) A survey on digital forensics in internet of things. IEEE Internet Things J 7:1–15. https://doi.org/10.1109/JIOT.2019.2940713
Houngbo PJ, Hounsou JT, Houngbo PJ, Hounsou JT (2015) Measuring information security: understanding and selecting appropriate metrics. Int J Comput Sci Secur (IJCSS) 9(108–120):q4
ISA (2022) Quick start guide: An overview of isasecure certification. https://www.isasecure.org/en-US/Documents/0920-ISASecure-QuickStart-Guide-FINAL. Accessed 15 Mar 2022
ISASecure (2019) System security assurance (ssa) certification. https://isasecure.org/certification/iec-62443-ssa-certification. Accessed 10 Mar 2022
ISO/IEC (2013) Iso/iec 27001:2013, information technology – security techniques – information security management systems – requirements. Tech. rep., ISO/IEC, https://www.iso.org/standard/54534.html https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en
ISO/IEC (2016) Information technology-security techniques–information security management systems–overview and vocabulary (international standard iso/iec 27000). Tech. rep., ISO/IEC, URL www.iso.org
ISO/IEC (2018) Iso 31000:2018 risk management – guidelines. https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en. Accessed 20 Apr 2022
Kalman L (2019) New european data privacy and cyber security laws. Commun ACM 62:38–38. https://doi.org/10.1145/3310326
Leander B, Čaušević A, Hansson H (2019) Applicability of the iec 62443 standard in industry 4.0 / iiot. In: Proceedings of the 14th International Conference on Availability, Reliability and Security (ARES’19). ACM, Canterbury CA, UK, pp 1–8. https://doi.org/10.1145/3339252.3341481
Leszczyna R (2018) Standards on cyber security assessment of smart grid. Int J Crit Infrastruct Protect 22:70–89. https://doi.org/10.1016/j.ijcip.2018.05.006
Lu Y (2017) Industry 4.0: a survey on technologies, applications and open research issues. J Ind Inf Integr 6:1–10. https://doi.org/10.1016/j.jii.2017.04.005. 1468 cit (5/2022)
Masip-Bruin X, Marín-Tordera E, Ruiz J, Jukan A, Trakadas P, Cernivec A, Lioy A, López D, Santos H, Gonos A, Silva A, Soriano J, Kalogiannis G (2021) Cybersecurity in ict supply chains: key challenges and a relevant architecture. Sensors 21:6057. https://doi.org/10.3390/s21186057
Morrison P, Moye D, Pandita R, Williams L (2018) Map** the field of software life cycle security metrics. Inf Softw Technol 102:146–159. https://doi.org/10.1016/j.infsof.2018.05.011
NA (2020) Nist sp 800-53 rev. 5 security and privacy controls for information systems and organizations. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final, accessed 20 April 2022 (nd) CC (2018) Cis – center for internet security. https://www.cisecurity.org/controls. Accessed 20 Apr 2022
Olsen D (2022) Three-quarters of security pros believe current cybersecurity strategies will shortly be obsolete. https://www.infosecurity-magazine.com/news/security-pros-cybersecurity/. Accessed 26 May 2022
Payne SC (2006) A guide to security metrics. Tech. rep., SANS Institute, https://www.sans.org/reading-room/whitepapers/auditing/guide-security-metrics-55
Pendleton M, Garcia-Lebron R, Cho JH, Xu S (2016) A survey on systems security metrics. ACM Comput Surv 49:1–35. https://doi.org/10.1145/3005714
Pereira T (2012) A conceptual framework to support information security risk management. PhD thesis, University of Minho, Portugal., https://hdl.handle.net/1822/20869
Roy PP (2020) A high-level comparison between the nist cyber security framework and the iso 27001 information security standard. In: 2020 National Conference on Emerging Trends on Sustainable Technology and Engineering Applications (NCETSTEA), Durgapur, India, IEEE, pp 1–3, https://doi.org/10.1109/NCETSTEA48365.2020.9119914
Santos H (2022) Cybersecurity: a practical engineering approach. CRC Press
Santos H, Oliveira A, Soares L, Satis A, Santos A (2021) Information security assessment and certification within supply chains. In: The 16th International Conference on Availability, Re- liability and Security (ARES 21), Vienna, Austria, August 17–20, 2021, ACM, pp 1–6. https://doi.org/10.1145/3465481.3470078
Savola RM (2013) Quality of security metrics and measurements. Comput Secur 37:78–90. https://doi.org/10.1016/j.cose.2013.05.002
Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical guide to information security testing and assessment. Tech. rep., National Institute of Standards and Technology, https://doi.org/10.6028/NIST.SP.800-115., https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
Setzler T, Mountrouidou X (2021) Iot metrics and automation for security evaluation. In: 2021 IEEE 18th Annual Consumer Communications & Networking Conference (CCNC), IEEE, pp 1–4, https://doi.org/10.1109/CCNC49032.2021.9369533
Wang L, Jajodia S, Singhal A (2017) Network security metrics. Springer International Publishing. https://doi.org/10.1007/978-3-319-66505-4
Yusuf SE, Hong JB, Ge M, Kim DS (2017) Composite metrics for network security analysis. Softw Netw 2017:137–160. https://doi.org/10.13052/jsn2445-9739.2017.007
Zaber M, Nair S (2020) A framework for automated evaluation of security metrics. In: Proceedings of the 15th International Conference on Availability, Reliability and Security, ACM, vol 2020, pp 1–11, https://doi.org/10.1145/3407023.3409197
Acknowledgements
This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 952644. Additionally, this work has been supported by FCT – Fundação para a Ciência e Tecnologia within the R&D Units Project Scope: UIDB/00319/2020.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Santos, H., Pereira, T., Oliveira, A. (2024). Information Security Metrics: Challenges and Models in an All-Digital World. In: Carneiro Pacheco de Andrade, F.A., Fernandes Freitas, P.M., de Sousa Covelo de Abreu, J.R. (eds) Legal Developments on Cybersecurity and Related Fields. Law, Governance and Technology Series, vol 60. Springer, Cham. https://doi.org/10.1007/978-3-031-41820-4_6
Download citation
DOI: https://doi.org/10.1007/978-3-031-41820-4_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-41819-8
Online ISBN: 978-3-031-41820-4
eBook Packages: Law and CriminologyLaw and Criminology (R0)