Quantitative security models, Security metrics, Validation
To understand the actions that lead to successful attacks and also how they can be mitigated, researchers should identify and measure the factors that influence both attackers and victims. Quantifying security is particularly important to construct relevant metrics that support the decisions that need to be made to protect systems and networks. In this work, we aimed at investigating the lack of validation in security quantification methods. Different approaches to security quantification were examined and 57 papers are classified. The results show that most of papers seek to measure generic and complex targets like measuring network security or the security of an entire organization, however, the incidence of validation attempts is higher in works that propose the quantification of specific targets.
Miani, Rodrigo Sanches; Zarpelão, Bruno Bogaz; and Mendes, Leonardo de Souza, "An Investigation About the Absence of Validation on Security Quantification Methods" (2015). Proceedings of the XI Brazilian Symposium on Information Systems (SBSI 2015). 59.
This paper is in Portuguese (Investigação sobre a Ausência de Validação nos Métodos Empregados para Quantificar Segurança da Informação)