An Investigation About the Absence of Validation on Security Quantification Methods

Authors

Rodrigo Sanches Miani, Universidade Federal de Uberlândia (UFU)Follow
Bruno Bogaz Zarpelão, Londrina State UniversityFollow
Leonardo de Souza Mendes, Universidade Estadual de Campinas (UNICAMP)Follow

Document Type

Article

Publication Date

5-2015

Keywords

Quantitative security models, Security metrics, Validation

Abstract

To understand the actions that lead to successful attacks and also how they can be mitigated, researchers should identify and measure the factors that influence both attackers and victims. Quantifying security is particularly important to construct relevant metrics that support the decisions that need to be made to protect systems and networks. In this work, we aimed at investigating the lack of validation in security quantification methods. Different approaches to security quantification were examined and 57 papers are classified. The results show that most of papers seek to measure generic and complex targets like measuring network security or the security of an entire organization, however, the incidence of validation attempts is higher in works that propose the quantification of specific targets.

Comments

This paper is in Portuguese (Investigação sobre a Ausência de Validação nos Métodos Empregados para Quantificar Segurança da Informação)

Recommended Citation

Miani, Rodrigo Sanches; Zarpelão, Bruno Bogaz; and Mendes, Leonardo de Souza, "An Investigation About the Absence of Validation on Security Quantification Methods" (2015). Proceedings of the XI Brazilian Symposium on Information Systems (SBSI 2015). 59.
https://aisel.aisnet.org/sbis2015/59