Security Metrics Links Page, Maintained by Almerindo Graziano
Conference and workshop papers
Kajava J, Savola R 2005. Towards Better Information Security Management by Understanding Security Metrics and Measuring Processes. Eunis Conference 2005 [Online]
Available from:
http://www.manchester.ac.uk/eunis2005/medialibrary/papers/paper_154.pdf
[Accessed on 17 July 2006]
Henning R 2001. Proceedings of the Workshop on Information Security System Scoring and Ranking: Information System Security Attribute Quantification or Ordering (commonly but improperly known as "Security Metrics"). Applied Computer Security Associates, May 21-23, 2001 [Online]
Available from:
http://www.acsac.org/measurement/proceedings/wisssr1-proceedings.pdf
[Accessed on 19 July 2006]
Bayuk, J. L. 2000. Information Security Metrics: An Audit-based Approach. NIST and CSSPAB Workshop.
Available from:
http://www.bayuk.com/publications/BayukNIST.zip
[Accessed on 23 July 2006]
Bayuk, J. L. 2001. Measuring Security.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.bayuk.com/publications/BayukMeasure.pdf
[Accessed on 23 July 2006]
Bayuk, J. L. 2003. Metrics for Due Diligence. Best in Class Security and Operations Roundtable Conference, Carnegie Mellon Software Engineering Institute [Online]
Available from:
http://www.bayuk.com/publications/BayukBICSORT.doc
[Accessed on 23 July 2006]
Deswarte, Y., Kaâniche M. & Ortalo, R. 2001. Experimental Validation of a Security Metrics. Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Deswarte.pdf
[Accessed on 23 July 2006]
Katzke, S. 2001. Security Metrics.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Katzke.pdf
[Accessed on 23 July 2006]
Abrams, D. 2001. Coming To Acceptance Of Ways For Measuring And Ranking Security Properties.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Abrams.pdf
[Accessed on 24 July 2006]
Alger,
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Alger.pdf
[Accessed on 24 July 2006]
Bartol, N. 2001. IA Metrics Development and Implementation.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Bartol.pdf
[Accessed on 24 July 2006]
Bicknell, P. 2001. Security Assertions, Criteria, and Metrics Developed for the IRS.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Bicknell.pdf
[Accessed on 24 July 2006]
Bodeau, D. J. 2001. Information Assurance Assessment: Lessons-Learned and Challenges.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Bodeau.pdf
[Accessed on 24 July 2006]
Bouchard, J. F. and Wood, B. J. 2001. Red Team Work Factor as a Security Measurement.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Bouchard.pdf
[Accessed on 24 July 2006]
Connolly, J. 2001. Information Assurance Operational Readiness Metrics.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Connolly.pdf
[Accessed on 24 July 2006]
Downs,
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Haddad.pdf
[Accessed on 24 July 2006]
Greenwald, S. J. 2001. How I Lost and then Regained My Faith in Metrics.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Greenwald.pdf
[Accessed on 24 July 2006]
Hallberg, J. and Hunstad, A. 2001. Towards quantifying computer security: System structure and system security models.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Hallberg.pdf
[Accessed on 24 July 2006]
Leighton, R. 2001. Decision Support Metrics Framework.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Leighton.pdf
[Accessed on 24 July 2006]
Luzwick, P. G. 2001. What's a Pound of Your Information Worth? Constructs for Collaboration and Consistency.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Luzwick.pdf
[Accessed on 24 July 2006]
Martins, A. and Eloff, J. H. P. 2001. Measuring Information Security.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Martins.pdf
[Accessed on 24 July 2006]
Maxion, R. A. 2001. Dependable Measurement.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Maxion.pdf
[Accessed on 24 July 2006]
McCallam, D. 2001. The Case Against Numerical Measures for Information Assurance.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/McCallam.pdf
[Accessed on 24 July 2006]
McHugh, J. 2001. Quantitative Measures of Assurance: Prophecy, Process, or Pipedream?
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/McHugh.pdf
[Accessed on 24 July 2006]
Peeples, D. R. 2001. Information Assurance Risk Metric Tree.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Peeples.pdf
[Accessed on 24 July 2006]
Rader, J. 2001. A Look at Measures of Computer Security from an Insurance Premium Perspective.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Rader.pdf
[Accessed on 24 July 2006]
Rogers, G. and Stauffer, B. 2001. An Approach To INFOSEC Program Metrics.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Rogers.pdf
[Accessed on 24 July 2006]
Rubel, P. and Pal, P. 2001. Assessing Adaptation in the Context of Security and Survivability.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Rubel.pdf
[Accessed on 24 July 2006]
Schneider, E. 2001. Measurements of System Security.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/schneider.pdf
[Accessed on 24 July 2006]
Shapiro, S. 2001. The Bull in the
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Shapiro.pdf
[Accessed on 24 July 2006]
Skroch, M. J. 2001. Assessments for Rating and Ranking Information Assurance.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Skroch.pdf
[Accessed on 24 July 2006]
Yee, S. B. 2001. Security Metrology and the Monty Hall Problem.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Yee.pdf
[Accessed on 24 July 2006]
Vaughn, Rayford B. (Jr.). (
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Vaughn.pdf
[Accessed on 24 July 2006]
McDermott, M. and Dobry, R. 2001. The Perception of Assurance.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Dobry.pdf
[Accessed on 24 July 2006]
Freeman, J. 2001. Which Way is Up? Input On Improving the Technical Basis within the Security Risk Management Process.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Freeman.pdf
[Accessed on 24 July 2006]
Kahn, J. 2001. Certification of Intelligence Community Systems and Measurement of Residual Risks.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Kahn.pdf
[Accessed on 24 July 2006]
Kuhlmann, D. 2001. IT Assurance - A Matter of Trust.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Kuhlmann.pdf
[Accessed on 24 July 2006]
Stoneburner, G. 2001. High Assurance != (Is Not Equal To) More Secure.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Stoneburner.pdf
[Accessed on 24 July 2006]
Villasenor, P. V. 2001. DoD Operational IA Metrics.
Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]
Available from:
http://www.cs.msstate.edu/~ia/IA_PAPERS/Villasenor.pdf
[Accessed on 24 July 2006]
Kormos, C., Givans, N., Gallagher, L. & Bartol, N. 1999. Using Security Metrics to Assess Risk Management Capabilities. 22nd National Information Systems Security Conference, October 18-21, 1999 [Online]
Available from:
http://csrc.ncsl.nist.gov./nissc/1999/proceeding/papers/p29.pdf
[Accessed on 23 July 2006]
Vaughn R. B., Jr., Henning R. and Siraj A. 2003. Information Assurance Measures and Metrics - State of
36th Annual
Available from:
http://csdl2.computer.org/comp/proceedings/hicss/2003/1874/09/187490331c.pdf
[Accessed on 26 July 2006]
Naqvi, S. and Riguidel, M. 2006. Security Measurement Model for Large Scale Dynamic Systems. Workshop on Security in Autonomous Systems.
Available from:
http://ftp.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-183/paper1.pdf
[Accessed on 21 July 2006]
Henning R. R. 2000. Information Assurance Metrics: Prophecy, Process or Pipedream?
23rd National Information Systems Security Conference, October 16-19, 2000
Available from:
http://csrc.nist.gov/nissc/2000/proceedings/papers/201.pdf
[Accessed on 21 July 2006]
Chaula, J. A. 2004. Security Metrics and Evaluation of Information Systems Security.
Enabling Tomorrow Conference - 4th Annual Conference on Information Security for
Available from:
http://icsa.cs.up.ac.za/issa/2004/Proceedings/Research/048.pdf
[Accessed on 25 July 2006]
Bellovin S, 2006. On the Brittleness of Software and the Infeasibility of Security Metrics
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Jaquith A. 2006. Metrics are nifty
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Chess B, Tsipenyuk K. 2006. A Metric for Evaluating Static Analysis Tools
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Epstein J. 2006. "Good enough" Metrics
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Huygens C. 2006. Software Security Patterns and Risk
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Manadhata P, Wing J. 2006. An Attack Surface Metric
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Chandra P. 2006. Code Metrics
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Walsh C. 2006. Measurement Efforts and Issues
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Opacki D. 2006. The Human Side of Security Metrics
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Quarterman J. S, Phillips G. K. 2006. No Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Nye J. 2006. Leading Indicators in Information Security
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Solem V. 2006. Top Network Vulnerabilities Over Time
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Hallberg J, Hunstad A. 2006. Assessment of IT Security in Networked Information Systems
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Geer D. 2006. The only metrics that matter are for decision support
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Ware B, Digital Sandbox Model Concepts for Consideration and Discussion
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Daguio K 2006.
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Blakley B. 2006. Measuring Information Security Risk
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Jansen W 2006. Information Assurance Metrics Taxonomy
Metricon Security Metrics Conference August 2006-09-03
Available from
http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip
[Accessed on 12 August 2006]
Journal papers
Pete Herzog 2006. The Size of Security: The evolution and history of OSSTMM Operation Security Metrics. [IN]SECURE Magazine, Issue 6, March 2006 [Online] pp 22-28
Available from:
http://dreamlab.net/download/INSECURE-Mag-6.pdf
[Accessed on 19 July 2006]
Berinato S, 2005. A Few Good Metrics. CSO Magazine [Online]
Available from:
http://www.csoonline.com/read/070105/metrics.html
[Accessed on 19 July 2006]
Bayuk, J. L. 2001. Security Metrics. The Computer Security Journal, January 2001 [Online]
Available from:
http://www.bayuk.com/publications/publications.html
[Accessed on 23 July 2006]
Hancock B. 2000.
Computers & Security, Volume 19, Issue 7, 1 November 2000, Page 580
Solms, B. 2000. Information Security: The Third Wave?
Computers & Security, Volume 19, Issue 7, 1 November 2000, Pages 615-620
Kovacich, G. 1997. Information systems security metrics management
Computers & Security, Volume 16, Issue 7, 1997, Pages 610-618
Abrams M. D. and Zelkowitz M. V. 1995. Striving for correctness
Computers & Security, Volume 14, Issue 8, 1995, Pages 719-738
Slides
Bowers T, 2005. Real-world security metrics. Slides [Online]
Available from:
http://searchsecurity.techtarget.com/searchSecurity/downloads/Bowers.EDITED.ppt
[Accessed on 19 July 2006]
Guenther M, 2004. Creating a zero incident culture. [Online] Slides
Available from:
http://www.iwar.org.uk/comsec/resources/sa-tools/SA-Perception-Survey-and-Measurement.ppt
[Accessed on 19 July 2006]
Lindstrom P, 2005c. Metrics: Practical ways to measure security success. Slides [Online]
Available from:
http://searchsecurity.techtarget.com/searchSecurity/downloads/EDITED_LINDSTROM_METRICS.pdf
[Accessed on 19 July 2006]
Savola R. Measuring the Information Security Level: A Survey of Practice in
Available from:
http://iplu.vtt.fi/digitalo/iplu_savola.pdf
[Accessed on 19 July 2006]
Nymoen L. O. 2005. Using Security Metrics to Determine the Best Configuration in Wireless Devices. Slides for an MSc Thesis.
Available from:
http://www.hig.no/imt/index.php?id=280
[Accessed on 25 July 2006]
Llorens, C. 2004. Measurement of security in IP multi-services networks (a network provider approach). 2004 SAR Conference. Slides
Available from:
http://www.hds.utc.fr/sar04/files/llorens-pres.pdf
[Accessed on 22 July 2006]
Jarzombek, J. 2005. Security Measurement: Supporting Information Needs for Securing Cyberspace. July 20, 2005.
Available from:
http://www.psmsc.com/UG2005/Presentations/14_Jarzombek_SwAssurance_NeedMeasurement.pdf
[Accessed on 22 July 2006]
Guo, W. A Method of Security Measurement of the Network Data Transmission. The 1st International Workshop on Security in Systems and Networks (SSN2005), April 4-8, 2005
Available from:
http://www.cs.uccs.edu/~SNS/talks/SSN05_HUST.ppt
[Accessed on 26 July 2006]
Barker W. C. Guideline for Mapping Types of Information and Information Systems to Security Categorization Levels. NIST Computer Security Division
Available from:
http://csrc.nist.gov/ispab/2003-09/Sept-2003.html
[Accessed on 26 July 2006]
Snouffer R. 2003. NIST Security Testing & Metrics Group Program. Computer Security Division, NIST
Available from:
http://csrc.nist.gov/ispab/2003-12/Dec-2003.htm
[Accessed on 26 July 2006]
Whitepapers
Chew E, Clay A, Hash J, Bartol N, Brown A 2006. Guide for Developing Performance Metrics for Information Security. NIST Draft Special Publication 800-80.
Available from:
http://csrc.nist.gov/publications/nistpubs/
[Accessed on 19 July 2006]
Information Technology Security Evaluation Criteria (ITSEC). Version 1.2 published by the European Commission in 1991
Available from:
http://www.iwar.org.uk/comsec/resources/standards/itsec.htm
[Accessed on 19 July 2006]
Swanson M, Bartol N, Sabato J, Hash J, Graffo L 2003. Security Metrics Guide for Information Technology Systems. NIST Special Publication 800-55 [Online]
Available from:
http://csrc.nist.gov/publications/nistpubs/
[Accessed on 19 July 2006]
Trusted Computer System Evaluation Criteria (TCSEC), the Orange Book. U.S. Department of Defense standard DoD 5200.28-STD, December 1985
Available from:
http://www.iwar.org.uk/comsec/resources/standards/rainbow/5200.28-STD.html
[Accessed on 19 July 2006]
Payne, S. 2006. A Guide to Security Metrics [Online]
Available from:
http://www.sans.org/reading_room/whitepapers/auditing/55.php
[Accessed on 23 July 2006]
Security Measurement - White Paper V3.0 13 January 2006
Prepared on behalf of the PSM Safety & Security TWG
Available from:
http://www.psmsc.com/Prod_TechPapers.asp
[Accessed on 26 July 2006]
Zubrow D, McCurley J and Dekkers C. 2005 (last updated April 2006). Measures and Measurement for Secure Software Development
Available from:
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/measurement/227.pdf
[Accessed on 24 July 2006]
FIPS 199, February 2004. Standards for Security Categorization of Federal Information and Information Systems
Available from:
http://csrc.nist.gov/publications/fips/
[Accessed on 26 July 2006]
FIPS 200, March 2006. Minimum Security Requirements for Federal Information and Information Systems
Available from:
http://csrc.nist.gov/publications/fips/
[Accessed on 26 July 2006]
Corporate Information Security Working Group 2004, revised 2005. Report of the Best Practices and Metrics Teams
Available from:
http://www.issa.org/publications/BPMetricsTeamReportFinal111704Rev11095.pdf
[Accessed on 26 July 2006]
Stoddard M, Bodeau D, Carlson R, Glantz C, Haimes Y, Lian C, Santos J and Shaw J 2005. Process Control System Security Metrics: State of
Available from:
http://www.thei3p.org/about/researchreport1.pdf
[Accessed on 24 July 2006]
Chapple M, 2005. Four ways to measure security success [Online]
Available from:
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1070102,00.html?bucket=ETA
[Accessed on 19 July 2006]
Conspectus 2005. Business & Technology Markets 2005 Conspectus Special Report January 2005. [Online].
Available from:
http://www.conspectus.com/2005/specialreport/downloads/ITinfrastructuresystems_Jan05.pdf
[Accessed on 19 July 2006]
Lindstrom P, 2005a. Security: Measuring Up [Online]
Available from:
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1060349,00.html?bucket=ETA
[Accessed on 19 July 2006]
Lindstrom P, 2005b. Three techniques for measuring information systems risk [Online]
Available from:
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1060169,00.html?bucket=ETA
[Accessed on 19 July 2006]
Vijayan J, 2006. Push for broader use of security metrics [Online]
Available from:
http://www.computerworld.com.my/ShowPage.aspx?pagetype=2&articleid=3763&pubid=4&issueid=88
[Accessed on 19 July 2006]
Hinson G. 2006. Seven myths about information security metrics [Online]
Available from:
http://www.noticebored.com/IsecT_paper_on_7_myths_of_infosec_metrics.pdf
[Accessed on 1 August 2006]
Information Security Management Systems [Online]
[Accessed on 5 August 2006]
Books and Manuals
Pete Herzog 2005. OSSTMM Version 2.1.1, September 12, 2005 [Online]
Available from:
[Accessed on 19 July 2006]
Kovacich G. L., 2003. Chapter 9, Establishing a Metrics Management System. The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program. Butterworth-Heinemann
Available from:
http://searchsecurity.techtarget.com/searchSecurity/downloads/KovacichCh09_sample.pdf
[Accessed on 19 July 2006]
Basili, V.R., Caldiera G. & Rombach, H.D. 1994. The Goal Question Metric Approach. Encyclopedia of Software Engineering. Wiley 1994 [Online]
Available from:
http://www.cs.umd.edu/projects/SoftEng/ESEG/papers/gqm.pdf
[Accessed on 23 July 2006]
Theses
Sademies, A. 2004. Process Approach to Information Security Metrics in Finnish Industry and State Institutions. Master's Thesis.
Available from:
http://www.vtt.fi/inf/pdf/publications/2004/P544.pdf
[Accessed on 19 July 2006]
Mathisen, J. 2004. Measuring Information Security Awareness. MSc Thesis. Royal Institute of
Available from:
http://www.hig.no/imt/index.php?id=231
[Accessed on 25 July 2006]
Belsaas J. 2005. Measuring security in a grid computing environment. Master's Thesis.
Available from:
http://www.hig.no/imt/index.php?id=231
[Accessed on 25 July 2006]
Botnen S. 2005. Metric for Measuring Security in Peer-to-Peer Software. Master's Thesis.
Available from:
http://www.hig.no/imt/index.php?id=231
[Accessed on 25 July 2006]
Karppinen K. 2005. Security Measurement based on Attack Trees in a Mobile Ad Hoc Network Environment. Master's Thesis.
Available from:
http://www.vtt.fi/inf/pdf/publications/2005/P580.pdf
[Accessed on 25 July 2006]
2 - Conferences/workshops/events addressing security metrics
Workshop on Information-Security-System Rating and Ranking (WISSRR) May 2001
Available from:
http://www.acsac.org/measurement/
MetriCon 1.0 Convention August 2006
Available from:
http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon1.0
First Workshop on Quality of Protection (workshop co-located with ESORICS & METRICS)
Available from:
http://dit.unitn.it/~qop/QoP2005/index.htm
Second Workshop on Quality of Protection (workshop co-located with CCS-2006)
Available from:
http://dit.unitn.it/~qop/index.htm
11th IEEE International Software Metrics Symposium
Available from:
http://metrics2005.di.uniba.it/
CSI 32nd Annual Computer Security Conference and Exhibition
Available from:
https://www.cmpevents.com/CSI32/a.asp?option=C&V=11&SessID=810
Information Assurance. Computer special topics course material on metrics
Available from:
http://www.cs.msstate.edu/~ia/
3 - Major organizations/people working on security metrics
National
Available from:
OSSTMM Pete Herzog
Available from:
The Security Metrics Consortium, or SecMet
Available from:
A community website on security metrics
Available from:
http://www.securitymetrics.org/
Information Security and Privacy Advisory Board (ISPAB)
Available from:
http://csrc.nist.gov/ispab/index.html
Information Systems Security Association (ISSA)
Available from:
http://www.issa.org/publications.html
ISO 27004 standard on Information Security Management Measurements.
Available from: