Preprint

Validation of AHP pairwise comparisons from ISO/IEC 27002 controls


Abstract

Validation of the weighting of AHP criteria and sub-criteria (input: ISO/IEC 27002 controls) derived from pairwise comparisons.


Article
Measuring information security is difficult; it is difficult to have one metric that covers all types of devices. Security metrics are a standard used for measuring any organization's security. Good metrics are needed for analysts to answer many security-related questions. Effective measurement and reporting are required to improve the effectiveness and efficiency of controls, and to ensure strategic alignment in an objective, reliable, and efficient manner. This paper provides an overview of security metrics and their definition, standards, advantages, types, problems, taxonomies, and risk assessment methods; it also classifies the security metrics and explains their risks.
Article
One of the major challenges of information warfare is how to effectively combat existing and future cyber threats and vulnerabilities. In this paper, a quantifiable and rigorous approach for entities (governments, organizations, etc.) is proposed to better assess their ‘cyber maturity’ level. The authors also propose to examine the reliability and security of networks in terms of scientific-based risk metrics. The risk metrics are built upon (1) a ‘modified’ CVSS Base Score using the Analytic Hierarchy Process (AHP), and (2) the foundation of repeatable quantitative characteristics (for example, vulnerabilities). A case study is examined which highlights the resulting benefits and challenges.
Article
There is a good reason why searching for meaningful security metrics continues despite the abundance of purportedly effective ones: because many traditional approaches just do not measure up. They gauge the functionality and efficiency of preventive security measures. In doing so, they are wrong-headed and frequently lead to inappropriate security decisions. Instead, the effectiveness of security programs, taking into account value and uncertainty, should be measured. This is a much more difficult challenge because it depends on the measurement of the value of something not happening (i.e., a bad outcome that has been deterred, avoided or prevented). But how can one be certain that bad things are not happening due to the security tools and services in place? Is the lack of bad events a matter of chance? Or were there unrealistic expectations about the existence of threats and the degree of vulnerability? The reality is that total certainty is not attainable. However, that does not preclude the need to deploy security. It is better to make good security decisions based upon less-precise estimates of value and risk than to make poor security decisions supported by precise, though inaccurate, metrics. Consequently, it is postulated that it is better to try to improve how to estimate value loss and uncertainty rather than seek out an increasing number of less meaningful, readily measured metrics. It is important to recognize, however, that the techniques described here are not a panacea and there are challenges in measuring less-tangible characteristics such as value loss and uncertainty. Nevertheless, there has been substantial progress recently in the measurement of the value of intangibles, which should serve to enhance the practicality of this approach. Some of the numerous definitions of the terms "metrics" or "security metrics" must be considered.
In the US National Institute of Standards and Technology (NIST) publication Security Metrics Guide for Information Technology Systems, the word "metrics" is defined as follows: "Metrics are tools designed to facilitate decision making and improve performance and accountability through collection, analysis and reporting of relevant performance-related data. The purpose of measuring performance is to monitor the status of measured activities and facilitate improvement in those activities by applying corrective actions, based on observed measurements."
Article
This paper examines the application of AHP in evaluating information security policy decision making with respect to Indonesian e-government systems. We suggest a new model based on four aspects of information security (management, technology, economy and culture) and three information security components (confidentiality, integrity and availability). AHP methodology was applied to analyze the decision making process. It is found that management and technology were the dominant aspects of information security, while availability was the main concern of information security elements for e-government information systems.
Conference Paper
The term "assurance" has been used for decades in trusted system development as an expression of the confidence one has in the strength of mechanisms or countermeasures. One of the unsolved problems of security engineering is the adoption of measures or metrics that can reliably depict the assurance associated with a specific hardware and software system. This paper reports on a recent attempt to focus requirements in this area by examining those currently in use. It then suggests a categorization of Information Assurance (IA) metrics that may be tailored to an organization's needs. We believe that the provision of security mechanisms in systems is a subset of the systems engineering discipline, having a large software-engineering correlation. There is general agreement that no single system metric or any "one-perfect" set of IA metrics applies across all systems or audiences. The set most useful for an organization largely depends on its IA goals; its technical, organizational and operational needs; and the financial, personnel, and technical resources that are available.