Security Indicators - a State of the Art Survey Public Report
Measurement is one of the foundations of sound engineering practice, because, as Tom DeMarco put it, you cannot control what you can't measure. This principle should also apply to software security engineering. However, providing useful metrics, or at least indicators, for characterizing the security properties of a software system is surprisingly challenging. The research community is well aware of the urgent need for security metrics, and it has put significant research effort into this field. Numerous qualitative and quantitative security measures have been proposed in the scientific literature, but few of them have found widespread adoption by practitioners. Due to the significant body of work, it has become increasingly difficult to get an overview of the state of the art in specifying, determining, comparing, or predicting security qualities. This report surveys the published work on security indicators. In the context of this survey, a security indicator is understood as an observable characteristic that correlates with a desired security property. Our survey covers current research into qualitative and quantitative security indicators as well as applied key performance indicators and security standards. We developed a uniform classification scheme for categorizing and comparing the indicators that we elicited. Based on this classification, our survey reveals trends and deficiencies in security research and security practice. It also suggests explanations for the apparent difficulties in providing meaningful security indicators. Moreover, our classification can guide practitioners to adequate methods for the specification of security requirements and for the measurement of relevant security attributes of their products and processes.