International Journal On Advances in Security, volume 12, numbers 3 and 4, 2019
Verified Metrics for Continuous Active Defence
Authors:
George O. M. Yee
Keywords: sensitive data, vulnerability, security level, verified metrics, continuous defence
Abstract:
As a sign of the times, headlines today are full of attacks against an organization’s computing infrastructure, resulting in the theft of sensitive data. In response, the organization applies security measures (e.g., encryption) to secure its vulnerabilities. However, these measures are often only applied once, with the assumption that the organization is then protected and no further action is needed. Unfortunately, attackers continuously probe for vulnerabilities and change their attacks accordingly. This means that an organization must also continuously check for new vulnerabilities and secure them, to continuously and actively defend against the attacks. This paper derives metrics that characterize the security level of an organization at any point in time, based on the number of vulnerabilities secured and the effectiveness of the securing measures. The metrics are verified in terms of their soundness using the author’s recently published procedure for deriving good security metrics. The paper then shows how an organization can apply the metrics for continuous active defence.
Pages: 153 to 163
Copyright: Copyright (c) to authors, 2019. Used with permission.
Publication date: December 30, 2019
Published in: journal
ISSN: 1942-2636