If you cannot Measure it, you cannot Secure it. A Case Study on Metrics for Informed Choice of Security Controls

IF 3.8 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications Pub Date : 2025-05-09 DOI:10.1016/j.jisa.2025.104056

Md Rayhanur Rahman , Imranur Rahman , Laurie Williams

{"title":"If you cannot Measure it, you cannot Secure it. A Case Study on Metrics for Informed Choice of Security Controls","authors":"Md Rayhanur Rahman , Imranur Rahman , Laurie Williams","doi":"10.1016/j.jisa.2025.104056","DOIUrl":null,"url":null,"abstract":"<div><div>Information security standards such as the National Institute of Standards and Technology (NIST), and the International Organization for Standardization (ISO) specify hundreds of security controls to protect and defend information systems. However, implementing all the available controls simultaneously can be infeasible for organizations. Controls need to be chosen based on their degree of mitigation over attack techniques. <em>The goal of this research is to help organizations make an informed choice of security controls by proposing a set of metrics for measuring the degree of mitigation of attack techniques.</em> We propose a set of seven metrics to characterize the mitigation by security controls against attack techniques used in cyberattacks. We perform a case study in this paper, where we investigate the 298 NIST SP800-53 security controls and 201 adversarial techniques cataloged in the MITRE ATT&CK. Based on the metrics, we identify that only 107 out of 298 controls are capable of mitigating adversarial techniques. However, we also identify that 50 attack techniques cannot be mitigated by existing controls. We identify 21 critical controls based on the metrics, which also match 90% with NIST-provided priority codes and 70% with NIST-provided baselines, which evaluates the practical relevance of the metrics. Furthermore, we also identify that the critical controls are specified in an abstract manner, which could lead to varying degrees of implementation.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"92 ","pages":"Article 104056"},"PeriodicalIF":3.8000,"publicationDate":"2025-05-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625000936","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Information security standards such as the National Institute of Standards and Technology (NIST), and the International Organization for Standardization (ISO) specify hundreds of security controls to protect and defend information systems. However, implementing all the available controls simultaneously can be infeasible for organizations. Controls need to be chosen based on their degree of mitigation over attack techniques. The goal of this research is to help organizations make an informed choice of security controls by proposing a set of metrics for measuring the degree of mitigation of attack techniques. We propose a set of seven metrics to characterize the mitigation by security controls against attack techniques used in cyberattacks. We perform a case study in this paper, where we investigate the 298 NIST SP800-53 security controls and 201 adversarial techniques cataloged in the MITRE ATT&CK. Based on the metrics, we identify that only 107 out of 298 controls are capable of mitigating adversarial techniques. However, we also identify that 50 attack techniques cannot be mitigated by existing controls. We identify 21 critical controls based on the metrics, which also match 90% with NIST-provided priority codes and 70% with NIST-provided baselines, which evaluates the practical relevance of the metrics. Furthermore, we also identify that the critical controls are specified in an abstract manner, which could lead to varying degrees of implementation.

查看原文本刊更多论文

如果你不能衡量它，你就不能确保它。安全控制的知情选择度量的案例研究

信息安全标准，如美国国家标准与技术研究院（NIST）和国际标准化组织（ISO）规定了数百种安全控制措施来保护和防御信息系统。然而，同时实现所有可用的控制对于组织来说是不可行的。需要根据减轻攻击技术的程度来选择控制。本研究的目标是通过提出一组度量攻击技术缓解程度的度量标准，帮助组织做出明智的安全控制选择。我们提出了一组七个指标，以表征安全控制对网络攻击中使用的攻击技术的缓解。我们在本文中执行了一个案例研究，其中我们调查了MITRE att&； CK中编目的298种NIST SP800-53安全控制和201种对抗性技术。基于度量，我们确定298个控制中只有107个能够减轻对抗性技术。然而，我们也确定了50种攻击技术不能通过现有的控制来减轻。我们根据指标确定了21个关键控制，其中90%与nist提供的优先级代码匹配，70%与nist提供的基线匹配，后者评估了指标的实际相关性。此外，我们还确定了关键控制是以抽象的方式指定的，这可能导致不同程度的实现。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Information Security and Applications Computer Science-Computer Networks and Communications

CiteScore

10.90

自引率

5.40%

发文量

206

审稿时长

56 days

期刊介绍： Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.