A critical survey of security indicator approaches

To better control IT security in software engineering and IT management, we need to assess security qualities in the different phases of a system's lifecycle. To this end, various security indicators, measures, and metrics have been proposed by scientists and practitioners, but few have gained general acceptance. We surveyed the current state of the art in qualitative and quantitative security measurement to characterize the available measurement strategies, their maturity, and the conceptual or technical obstacles preventing further progress in this field of research. We classified the proposed security indicators with respect to their characteristic properties and derived a classification tree delineating the different security assessment strategies and their derived security measures. Based on this overview, we analyzed the relative merits and deficiencies of current approaches, and we suggested future steps towards better security metrics. This paper summarizes the main results of our survey.