Performance measurement guide for information security

Chew, Elizabeth; Swanson, Marianne; Stine, Kevin; Bartol, Nadya; Brown, Arthur; Robinson, WH

doi:10.6028/nist.sp.800-55r1

Cited by 90 publications

(50 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In [42], the Center for Internet Security (CIS) divided security metrics into three groups which are Management, Operations, or both. Chew et al [43] grouped security metrics by Implementation, Effectiveness and Efficiency, and Business Impact. Savola [44] differentiated metrics into Management, Operational, and Technical.…”

Section: Cyber Security Metricsmentioning

confidence: 99%

Capability Maturity Model and Metrics Framework for Cyber Cloud Security

Le¹,

Hoang²

2017

SCPE

View full text Add to dashboard Cite

Abstract. Cyber space is affecting all areas of our life. Cloud computing is the cutting-edge technology of this cyber space and has established itself as one of the most important resources sharing technologies for future on-demand services and infrastructures that support Internet of Things (IOTs), big data platforms and software-defined systems/services. More than ever, security is vital for cloud environment. There exist several cloud security models and standards dealing with emerging cloud security threats. However, these models are mostly reactive rather than proactive and they do not provide adequate measures to assess the overall security status of a cloud system. Out of existing models, capability maturity models, which have been used by many organizations, offer a realistic approach to address these problems using management by security domains and security assessment on maturity levels. The aim of the paper is twofold: first, it provides a review of cyber space, cyber security, cloud security models and standards, cyber security capability maturity models and security metrics; second, it proposes a cloud security capability maturity model (CSCMM) that extends existing cyber security models with a security metric framework. CSCMM aims to present a credible overall security assessment of a cloud system to senior managers and to enable security experts to predict and identify necessary security measures.

show abstract

Section: Cyber Security Metricsmentioning

confidence: 99%

Capability Maturity Model and Metrics Framework for Cyber Cloud Security

Le¹,

Hoang²

2017

SCPE

View full text Add to dashboard Cite

show abstract

“…The purpose of NIST SP 800-39 is to provide a guide for an organizationwide program for managing information security risk. NIST SP 800-55 (Revision 1) [37] provides performance measurement guide for information security. NIST SP 800-30 [36] presents a risk management guide for information technology systems.…”

Section: Transparencymentioning

confidence: 99%

Security risk analysis of enterprise networks using probabilistic attack graphs

Singhal¹,

Ou²

2011

View full text Add to dashboard Cite

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Internal Report discusses ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. National Institute of Standards and Technology Interagency Report 7788 # pages (August 2011) SECURITY RISK ANALYSIS OF ENTERPRISE NETWORKS USING PROBABILISTIC ATTACK GRAPHSiii AcknowledgementsThe authors Anoop Singhal and Ximming Ou would like to thank their colleagues who reviewed drafts of this document and contributed to its development. A special note of thanks goes to Peter Mell, Harold Booth, Ron Boisvert, Ramaswamy Chandramouli, and Kevin Stine of NIST for serving as reviewers for this document. The authors also acknowledge Elizabeth Lennon for her technical editing and administrative support. SECURITY RISK ANALYSIS OF ENTERPRISE NETWORKS USING PROBABILISTIC ATTACK GRAPHS iv Executive SummaryToday's information systems face sophisticated attackers who combine multiple vulnerabilities to penetrate networks with devastating impact. The overall security of an enterprise network cannot be determined by simply counting the number of vulnerabilities. To more accurately assess the security of enterprise systems, one must understand how vulnerabilities can be combined and exploited to stage an attack. Composition of vulnerabilities can be modeled using probabilistic attack graphs, which show all paths of attacks that allow incremental network penetration. Attack likelihoods are propagated through the attack graph, yielding a novel way to measure the security risk of enterprise systems. This metric for risk mitigation analysis is used to maximize the security of enterprise systems. This methodology based on probabilistic attack graphs can be used to evaluate and strengthen the overall security of enterprise networks. AudienceThis document is intended for three primary audiences:Federal agencies seeking information on how to use probabilistic attack graphs for security risk analysi...

show abstract

“…And we have no non-functional requirement security model as a model for developing a system and have no security assessment [11] model of security level after developing the system. When we develop a system, we don't think about the security and after developing the system, then the customer change the security requirement then we face some problems.…”

Section: Current Problemsmentioning

confidence: 99%

Model for Identifying the Security of a System: A Case Study of Point Of Sale System

Sagar¹

2013

IOSR-JCE

View full text Add to dashboard Cite

Performance measurement guide for information security

Cited by 90 publications

References 0 publications

Capability Maturity Model and Metrics Framework for Cyber Cloud Security

Capability Maturity Model and Metrics Framework for Cyber Cloud Security

Security risk analysis of enterprise networks using probabilistic attack graphs

Model for Identifying the Security of a System: A Case Study of Point Of Sale System

Contact Info

Product

Resources

About