Towards integration of risk-driven and evidence-driven information security measurement

Abstract

Carefully designed information security metrics enable informed and effective decision making. However, the current state of the art of developing security metrics is not sufficiently advanced. A major challenge is that typically the risk-driven (top-down modelling) and evidence-driven (bottom-up monitoring) metrics approaches are not aligned, and often used separately. Consequently, it is not possible to understand the impact of monitored evidence to actual security risk. A crosscut model for risk-driven and evidence-driven security metrology is needed. We analyze the concepts needed to be able to integrate these two main approaches.