Security Metrics Links Page, Maintained by Almerindo Graziano

 

Conference and workshop papers

Kajava J, Savola R 2005. Towards Better Information Security Management by Understanding Security Metrics and Measuring Processes. Eunis Conference 2005 [Online]

Available from:

http://www.manchester.ac.uk/eunis2005/medialibrary/papers/paper_154.pdf

[Accessed on 17 July 2006]

 

Henning R 2001. Applied Computer Security Associates, 2001. Proceedings of Workshop on Information Security System Scoring and Ranking

Information System Security Attribute Quantification or Ordering (Commonly but improperly known as "Security Metrics") May 21-23, 2001 [Online]

Available from:

http://www.acsac.org/measurement/proceedings/wisssr1-proceedings.pdf

[Accessed on 19 July 2006]

 

Bayuk, J. L. 2000. Information Security Metrics: An Audit-based Approach.

NIST and CSSPAB Workshop, Washington, D.C., 14 June 2000. [Online]

Available from:

http://www.bayuk.com/publications/BayukNIST.zip

[Accessed on 23 July 2006]

 

Bayuk, J. L. 2001. Measuring Security.

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.bayuk.com/publications/BayukMeasure.pdf

[Accessed on 23 July 2006]

 

Bayuk, J. L. 2003. Metrics for Due Diligence. Best in Class Security and Operations Roundtable Conference, Carnegie Mellon Software Engineering Institute [Online]

Available from:

http://www.bayuk.com/publications/BayukBICSORT.doc

[Accessed on 23 July 2006]

 

Deswarte, Y., Kaâniche M. & Ortalo, R. 2001. Experimental Validation of a Security Metrics. Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Deswarte.pdf

[Accessed on 23 July 2006]

Katzke, S. 2001. Security Metrics.

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Katzke.pdf

[Accessed on 23 July 2006]

 

Abrams, D. 2001 - Coming To Acceptance Of Ways For Measuring And Ranking Security Properties.

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Abrams.pdf

[Accessed on 24 July 2006]

 

 

Alger, I. 2001 On Assurance, Measures, and Metrics: Definitions and Approaches

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Alger.pdf

[Accessed on 24 July 2006]

 

Bartol, N. 2001. IA Metrics Development and Implementation

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Bartol.pdf

[Accessed on 24 July 2006]

 

Bicknell, P. 2001 Security Assertions, Criteria, and Metrics Developed for the IRS

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Bicknell.pdf

[Accessed on 24 July 2006]

 

Bodeau, D. J. 2001 Information Assurance Assessment: Lessons-Learned and Challenges

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Bodeau.pdf

[Accessed on 24 July 2006]

 

Bouchard, J. F. and Wood, B. J 2001 Red Team Work Factor as a Security Measurement

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Bouchard.pdf

[Accessed on 24 July 2006]

 

Connolly, J. 2001 - Information Assurance Operational Readiness Metrics

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Connolly.pdf

[Accessed on 24 July 2006]

 

Downs, D. D. and Haddad, R. 2001 - Penetration Testing The Gold Standard for Security Rating and Ranking

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Haddad.pdf

[Accessed on 24 July 2006]

 

Greenwald, S J. 2001 - How I Lost and then Regained My Faith in Metrics

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Greenwald.pdf

[Accessed on 24 July 2006]

 

Hallberg, J. and Hunstad, A. 2001 - Towards quantifying computer security: System structure and system security models

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Hallberg.pdf

[Accessed on 24 July 2006]

 

Leighton, R. 2001 - Decision Support Metrics Framework

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Leighton.pdf

[Accessed on 24 July 2006]

 

Luzwick, P. G. 2001 - What's a Pound of Your Information Worth? Constructs for Collaboration and Consistency

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Luzwick.pdf

[Accessed on 24 July 2006]

 

Martins, A. and Eloff, J. H. P. 2001 - Measuring Information Security

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Martins.pdf

[Accessed on 24 July 2006]

 

Maxion, R. A. 2001 - Dependable Measurement

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Maxion.pdf

[Accessed on 24 July 2006]

 

McCallam, D. 2001 - The Case Against Numerical Measures for Information Assurance

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/McCallam.pdf

[Accessed on 24 July 2006]

 

McHugh, J. 2001 - Quantitative Measures of Assurance: Prophecy, Process, or Pipedream?

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/McHugh.pdf

[Accessed on 24 July 2006]

 

Peeples, D. R. 2001 - Information Assurance Risk Metric Tree

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Peeples.pdf

[Accessed on 24 July 2006]

 

Rader, J. 2001 - A Look at Measures of Computer Security from an Insurance Premium Perspective

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Rader.pdf

[Accessed on 24 July 2006]

 

Rogers, G and Stauffer, B. 2001 - An Approach To INFOSEC Program Metrics

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Rogers.pdf

[Accessed on 24 July 2006]

 

Rubel, P. and Pal, P. 2001 - Assessing Adaptation in the Context of Security and Survivability

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Rubel.pdf

[Accessed on 24 July 2006]

 

Schneider, E. 2001 - Measurements of System Security

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/schneider.pdf

[Accessed on 24 July 2006]

 

Shapiro, S. 2001 - The Bull in the China Shop: The Merrill Lynch IA Assessment Manifesto

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Shapiro.pdf

[Accessed on 24 July 2006]

 

Skroch, M. J. 2001 - Assessments for Rating and Ranking Information Assurance

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Skroch.pdf

[Accessed on 24 July 2006]

 

Yee, S. B. 2001 - Security Metrology and the Monty Hall Problem

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Yee.pdf

[Accessed on 24 July 2006]

 

Vaughn, Rayford B. (Jr.). (Mississippi State University) - Are Measures and Metrics for Trusted Information Systems Possible?

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Vaughn.pdf

[Accessed on 24 July 2006]

 

McDermott, M. and Dobry, R. 2001. The Perception of Assurance

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Dobry.pdf

[Accessed on 24 July 2006]

 

Freeman, J. 2001. Which Way is Up? Input On Improving the Technical Basis within the Security Risk Management Process.

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Freeman.pdf

[Accessed on 24 July 2006]

 

Kahn, J. 2001. Certification of Intelligence Community Systems and Measurement of Residual Risks

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Kahn.pdf

[Accessed on 24 July 2006]

 

Kuhlmann, D. 2001. IT Assurance - A Matter of Trust

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Kuhlmann.pdf

[Accessed on 24 July 2006]

 

Stoneburner, G. 2001 High Assurance != (Is Not Equal To) More Secure

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Stoneburner.pdf

[Accessed on 24 July 2006]

 

Villasenor, P. V. 2001. DoD Operational IA Metrics

Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop. May 21-23, 2001 [Online]

Available from:

http://www.cs.msstate.edu/~ia/IA_PAPERS/Villasenor.pdf

[Accessed on 24 July 2006]

 

Kormos, C., Givans, N., Gallagher, L. & Bartol, N. 1999. Using Security Metrics to Assess Risk Management Capabilities. [Online]

22nd National Information Systems Security Conference October 18-21, 1999

Available from:

http://csrc.ncsl.nist.gov./nissc/1999/proceeding/papers/p29.pdf

[Accessed on 23 July 2006]

 

Vaughn R. B., Jr., Henning R. and Siraj A. 2003. Information Assurance Measures and Metrics - State of Practice and Proposed Taxonomy

36th Annual Hawaii International Conference on System Sciences (HICSS'03) - January 2003

Available from:

http://csdl2.computer.org/comp/proceedings/hicss/2003/1874/09/187490331c.pdf

[Accessed on 26 July 2006]

 

Naqvi, S and Riguidel, M. 2006. Security Measurement Model for Large Scale Dynamic Systems.

Workshop on Security in Autonomous Systems. Freiburg, Germany, June 6-9, 2006

Available from:

http://ftp.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-183/paper1.pdf

[Accessed on 21 July 2006]

 

Henning R. R. 2000. Information Assurance Metrics: Prophecy, Process or Pipedream?

23rd National Information Systems Security Conference October 16-19, 2000

Available from:

http://csrc.nist.gov/nissc/2000/proceedings/papers/201.pdf

[Accessed on 21 July 2006]

 

Chaula, J. A. 2004. Security Metrics and Evaluation of Information Systems Security

Enabling Tomorrow Conference - 4th Annual Conference on Information Security for South Africa. July 2004.

Available from:

http://icsa.cs.up.ac.za/issa/2004/Proceedings/Research/048.pdf

[Accessed on 25 July 2006]

 

Bellovin S, 2006. On the Brittleness of Software and the Infeasibility of Security Metrics

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Jaquith A. 2006. Metrics are nifty

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Chess B, Tsipenyuk K. 2006. A Metric for Evaluating Static Analysis Tools

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]


Epstein J. 2006. "Good enough" Metrics

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]


Huygens C. 2006. Software Security Patterns and Risk

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]


Manadhata P, Wing J. 2006. An Attack Surface Metric

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]


Chandra P. 2006. Code Metrics

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Walsh C. 2006. Measurement Efforts and Issues

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Opacki D. 2006. The Human Side of Security Metrics

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Quarterman J. S, Phillips G. K. 2006. No Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Butler S. 2006. What are the Business Security Metrics?

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Nye J. 2006. Leading Indicators in Information Security

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Solem V. 2006. Top Network Vulnerabilities Over Time

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Sudbury A. 2006. Metrics IAM Metrics Case Study

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Hallberg J, Hunstad A. 2006. Assessment of IT Security in Networked Information Systems

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Geer D. 2006. The only metrics that matter are for decision support

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Ware B. 2006. Digital Sandbox Model Concepts for Consideration and Discussion

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Daguio K 2006. Mission and Metrics from Different Views: Firm/Agency, Industry, and Profession

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Blakley B. 2006. Measuring Information Security Risk

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

Jansen W 2006. Information Assurance Metrics Taxonomy

Metricon Security Metrics Conference August 2006-09-03

Available from

http://www.securitymetrics.org/content/attach/Metricon1.0/metricon-1.0-presentations.zip

[Accessed on 12 August 2006]

 

 

Journal papers

 

Herzog P. 2006. The Size of Security: The evolution and history of OSSTMM Operation Security Metrics. [IN]SECURE Magazine Issue 6, March 2006 [Online] pp 22-28

Available from:

http://dreamlab.net/download/INSECURE-Mag-6.pdf

[Accessed on 19 July 2006]

 

Berinato S. 2005. A Few Good Metrics. CSO Magazine [Online]

Available from:

http://www.csoonline.com/read/070105/metrics.html

[Accessed on 19 July 2006]

 

Bayuk, J. L. 2001. Security Metrics. The Computer Security Journal, January 2001 [Online]

Available from:

http://www.bayuk.com/publications/publications.html

[Accessed on 23 July 2006]

 

Hancock B. 2000. US Government Board Setting Up Security Metrics

Computers & Security, Volume 19, Issue 7, 1 November 2000, Page 580

 

Solms, B. 2000. Information Security: The Third Wave?

Computers & Security, Volume 19, Issue 7, 1 November 2000, Pages 615-620

 

Kovacich, G. 1997. Information systems security metrics management

Computers & Security, Volume 16, Issue 7, 1997, Pages 610-618

 

Abrams M. D. and Zelkowitz M. V. 1995. Striving for correctness

Computers & Security, Volume 14, Issue 8, 1995, Pages 719-738

 

 

Slides

 

Bowers T, 2005. Real-world security metrics. Slides [Online]

Available from:

http://searchsecurity.techtarget.com/searchSecurity/downloads/Bowers.EDITED.ppt

[Accessed on 19 July 2006]

 

Guenther M, 2004. Creating a zero incident culture. [Online] Slides

Available from:

http://www.iwar.org.uk/comsec/resources/sa-tools/SA-Perception-Survey-and-Measurement.ppt

[Accessed on 19 July 2006]

 

Lindstrom P, 2005c. Metrics: Practical ways to measure security success. Slides [Online]

Available from:

http://searchsecurity.techtarget.com/searchSecurity/downloads/EDITED_LINDSTROM_METRICS.pdf

[Accessed on 19 July 2006]

 

Savola R. Measuring the Information Security Level: A Survey of Practice in Finland. Slides

Available from:

http://iplu.vtt.fi/digitalo/iplu_savola.pdf

[Accessed on 19 July 2006]

 

Nymoen L. O. 2005. Using Security Metrics to Determine the Best Configuration in Wireless Devices. Slides for an MSc Thesis.

Available from:

http://www.hig.no/imt/index.php?id=280

[Accessed on 25 July 2006]

 

Llorens, C. 2004. Measurement of security in IP multi-services networks (a network provider approach). 2004 SAR Conference Slides

Available from:

http://www.hds.utc.fr/sar04/files/llorens-pres.pdf

[Accessed on 22 July 2006]

 

Jarzombek, J. 2005. Security Measurement: Supporting Information Needs for Securing Cyberspace. July 20, 2005.

Available from:

http://www.psmsc.com/UG2005/Presentations/14_Jarzombek_SwAssurance_NeedMeasurement.pdf

[Accessed on 22 July 2006]

 

Guo, W. A Method of Security Measurement of the Network Data Transmission. Huazhong University of Science and Technology.

The 1st International Workshop on Security in Systems and Networks (SSN2005), April 4-8, 2005

Available from:

http://www.cs.uccs.edu/~SNS/talks/SSN05_HUST.ppt

[Accessed on 26 July 2006]

 

Barker W. C. Guideline for Mapping Types of Information and Information Systems to Security Categorization Levels - NIST Computer Security Division

Available from:

http://csrc.nist.gov/ispab/2003-09/Sept-2003.html

[Accessed on 26 July 2006]

 

Snouffer R. 2003. NIST Security Testing & Metrics Group Program. Computer Security Division, NIST

Available from:

http://csrc.nist.gov/ispab/2003-12/Dec-2003.htm

[Accessed on 26 July 2006]

 

 

Whitepapers

 

Chew E, Clay A, Hash J, Bartol N, Brown A 2006 Guide for Developing Performance Metrics for Information Security. NIST Draft Special Publication 800-80.

Available from:

http://csrc.nist.gov/publications/nistpubs/

[Accessed on 19 July 2006]

 

Information Technology Security Evaluation Criteria (ITSEC). Version 1.2 published by the European Commission in 1991

Available from:

http://www.iwar.org.uk/comsec/resources/standards/itsec.htm

[Accessed on 19 July 2006]

 

Swanson M, Bartol N, Sabato J, Hash J, Graffo L 2003. Security Metrics Guide for Information Technology Systems [Online] NIST special publications 800-55.

Available from:

http://csrc.nist.gov/publications/nistpubs/

[Accessed on 19 July 2006]

 

Trusted Computer System Evaluation Criteria (TCSEC), the Orange Book. U.S. Department of Defense standard DoD 5200.28-STD, December 1985

Available from:

http://www.iwar.org.uk/comsec/resources/standards/rainbow/5200.28-STD.html

[Accessed on 19 July 2006]

 

Payne, S. 2006. A Guide to Security Metrics [Online]

Available from:

http://www.sans.org/reading_room/whitepapers/auditing/55.php

[Accessed on 23 July 2006]

 

Security Measurement - White Paper V3.0 13 January 2006

Prepared on behalf of the PSM Safety & Security TWG

Available from:

http://www.psmsc.com/Prod_TechPapers.asp

[Accessed on 26 July 2006]

 

Zubrow D, McCurley J and Dekkers C. 2005 (last updated April 2006). Measures and Measurement for Secure Software Development

Available from:

https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/measurement/227.pdf

[Accessed on 24 July 2006]

 

FIPS 199 - February 2004, Standards for Security Categorization of Federal Information and Information Systems

Available from:

http://csrc.nist.gov/publications/fips/

[Accessed on 26 July 2006]

 

FIPS 200 - March 2006, Minimum Security Requirements for Federal Information and Information Systems

Available from:

http://csrc.nist.gov/publications/fips/

[Accessed on 26 July 2006]

 

Corporate Information Security Working Group 2004, revised 2005. Report of the Best Practices and Metrics Teams

Available from:

http://www.issa.org/publications/BPMetricsTeamReportFinal111704Rev11095.pdf

[Accessed on 26 July 2006]

 

Stoddard M, Bodeau D, Carlson R, Glantz C, Haimes Y, Lian C, Santos J and Shaw J 2005.

Process Control System Security Metrics State of Practice. Research Report 1. August 2005.

Available from:

http://www.thei3p.org/about/researchreport1.pdf

[Accessed on 24 July 2006]

 

Chapple M, 2005. Four ways to measure security success [Online]

Available from:

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1070102,00.html?bucket=ETA

[Accessed on 19 July 2006]

 

Conspectus 2005. Business & Technology Markets 2005 Conspectus Special Report January 2005. [Online].

Available from:

http://www.conspectus.com/2005/specialreport/downloads/ITinfrastructuresystems_Jan05.pdf

[Accessed on 19 July 2006]

 

Lindstrom P, 2005a. Security: Measuring Up [Online]

Available from:

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1060349,00.html?bucket=ETA

[Accessed on 19 July 2006]

 

Lindstrom P, 2005b. Three techniques for measuring information systems risk [Online]

Available from:

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1060169,00.html?bucket=ETA

[Accessed on 19 July 2006]

 

Vijayan J. 2006. Push for broader use of security metrics [Online]

Available from:

http://www.computerworld.com.my/ShowPage.aspx?pagetype=2&articleid=3763&pubid=4&issueid=88

[Accessed on 19 July 2006]

 

Hinson G. 2006. Seven myths about information security metrics [Online]

Available from:

http://www.noticebored.com/IsecT_paper_on_7_myths_of_infosec_metrics.pdf

[Accessed on 1 August 2006]

 

Information Security Management Systems [Online]

http://www.xisec.com/

[Accessed on 5 August 2006]

 

 

Books and Manuals

 

Herzog P. 2005. OSSTMM Version 2.1.1, September 12, 2005 [Online]

Available from:

http://www.isecom.org/osstmm/

[Accessed on 19 July 2006]

 

Kovacich G. L., 2003. Chapter 9, Establishing a Metrics Management System. The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program. Butterworth-Heinemann

Available from:

http://searchsecurity.techtarget.com/searchSecurity/downloads/KovacichCh09_sample.pdf

[Accessed on 19 July 2006]

 

Basili, V.R., Caldiera G. & Rombach, H.D. 1994. The Goal Question Metric Approach [Online]

Encyclopedia of Software Engineering. Wiley 1994

Available from:

http://www.cs.umd.edu/projects/SoftEng/ESEG/papers/gqm.pdf

[Accessed on 23 July 2006]

 

Theses

 

Sademies, A. 2004. Process Approach to Information Security Metrics in Finnish Industry and State Institutions. Master's Thesis. University of Oulu and VTT Finland. [Online]

Available from:

http://www.vtt.fi/inf/pdf/publications/2004/P544.pdf

[Accessed on 19 July 2006]

 

Mathisen, J. 2004. Measuring Information Security Awareness. MSc Thesis. Royal Institute of Technology, Sweden, 2004 [Online]

Available from:

http://www.hig.no/imt/index.php?id=231

[Accessed on 25 July 2006]

 

Belsaas J. 2005. Measuring security in a grid computing environment. Master's Thesis, Gjøvik University College, 2005.

Available from:

http://www.hig.no/imt/index.php?id=231

[Accessed on 25 July 2006]

 

Botnen S. 2005. Metric for Measuring Security in Peer-to-Peer Software. Master's Thesis, Gjøvik University College, 2005.

Available from:

http://www.hig.no/imt/index.php?id=231

[Accessed on 25 July 2006]

 

Karppinen K. 2005. Security Measurement based on Attack Trees in a Mobile Ad Hoc Network Environment. Master's Thesis. University of Oulu and VTT Finland

Available from:

http://www.vtt.fi/inf/pdf/publications/2005/P580.pdf

[Accessed on 25 July 2006]

 

2 - Conferences/workshops/events addressing security metrics

 

Workshop on Information-Security-System Rating and Ranking (WISSRR) May 2001

Available from:

http://www.acsac.org/measurement/

 

MetriCon 1.0 Convention August 2006

Available from:

http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon1.0

 

First Workshop on Quality of Protection - Milan, Italy - September 15, 2005.

(Workshop co-located with ESORICS & METRICS)

Available from:

http://dit.unitn.it/~qop/QoP2005/index.htm

 

Second Workshop on Quality of Protection - Alexandria VA, USA - October 30, 2006

(Workshop co-located with CCS-2006 )

Available from:

http://dit.unitn.it/~qop/index.htm

 

11th IEEE International Software Metrics Symposium - Como, Italy - 19-22 September, 2005

Available from:

http://metrics2005.di.uniba.it/

 

CSI 32nd Annual Computer Security Conference and Exhibition

Available from:

https://www.cmpevents.com/CSI32/a.asp?option=C&V=11&SessID=810

 

Information Assurance special topics course material on metrics

http://www.cs.msstate.edu/~ia/

 

3 - Major organizations/people working on security metrics

 

National Institute of Standards and Technology (NIST) Computer Security Division

Available from:

http://csrc.nist.gov/

 

OSSTMM, by Pete Herzog

Available from:

http://www.isecom.org/osstmm/

 

The Security Metrics Consortium, or SecMet

Available from:

http://www.secmet.org/

 

A community website on security metrics

Available from:

http://www.securitymetrics.org/

 

Information Security and Privacy Advisory Board (ISPAB)

Available from:

http://csrc.nist.gov/ispab/index.html

 

Information Systems Security Association (ISSA)

Available from:

http://www.issa.org/publications.html

 

ISO 27004 standard on Information Security Management Measurements.

Available from:

http://www.iso27001security.com/html/iso27004.html