Log In Sign Up

Contextualising and Aligning Security Metrics and Business Objectives: a GQM-based Methodology

by   Eleni Philippou, et al.

Pre-defined security metrics suffer from the problem of contextualisation, i.e. a lack of adaptability to particular organisational contexts - domain, technical infrastructure, stakeholders, business process, etc. Adapting metrics to an organisational context is essential (1) for the metrics to align with business requirements (2) for decision makers to maintain relevant security goals based on measurements from the field. In this paper we propose SYMBIOSIS, a methodology that defines a goal elicitation and refinement process mapping business objectives to security measurement goals via the use of systematic templates that capture relevant context elements (business goals, purpose, stakeholders, system scope). The novel contribution of SYMBIOSIS is the well-defined process, which enforces that (1) metrics align with business objectives via a top-down derivation that refines top-level business objectives to a manageable granularity (2) the impact of metrics on business objectives is explicitly traced via a bottom-up feedback mechanism, allowing an incremental approach where feedback from metrics influences business goals, and vice-versa. In this paper, we discuss the findings from applying SYMBIOSIS to three case studies of known security incidents. Our analysis shows how the aforementioned pitfalls of security metrics development processes affected the outcome of these high-profile security incidents and how SYMBIOSIS addresses such issues.


page 1

page 2

page 3

page 4


Aligning Technical Debt Prioritization with Business Objectives: A Multiple-Case Study

Technical debt (TD) is a metaphor to describe the trade-off between shor...

Composite Metrics for Network Security Analysis

Security metrics present the security level of a system or a network in ...

Data-driven Analytics for Business Architectures: Proposed Use of Graph Theory

Business Architecture (BA) plays a significant role in helping organizat...

Stochastic model of business process decomposition

Decomposition is the basis of works dedicated to business process modell...

Focus Areas, Themes, and Objectives of Non-Functional Requirements in DevOps: A Systematic Mapping Study

Software non-functional requirements address a multitude of objectives, ...

Incentive Alignment of Business Processes: a game theoretic approach

Many definitions of business processes refer to business goals, value cr...

Towards Measuring the Adaptability of an AO4BPEL Process

Adaptability is a significant property which enables software systems to...