Speaker: Mr. Reijo M. Savola, Senior Research Scientist and the Network and Information Security Research Coordinator, VTT (Technical Research Centre of Finland)

Presentation topic: Security Metrics -- how and where they can be used?

Presentation abstract: It is a widely accepted management principle that an activity cannot be managed well if it cannot be measured – but can we apply that principle to security too? How secure is a software product or a communication network, or their fusion? And how secure does it need to be in order to be secure enough? Even though appropriate security solutions can be found, their resulting security strength often remains unknown. If appropriate security metrics (or indicators) could offer a quantitative and close-to-objective basis for security assurance, it would be easier to make business and engineering decisions concerning security. Overall, metrics provide four fundamental benefits – to characterize, to evaluate, to predict and to improve. The field of developing security metrics systematically is young. The problem behind the immaturity of security metrics is that the current practice of security is still a highly diverse field, and holistic and widely accepted approaches are still missing. If the research community is able to develop intelligent and feasible mechanisms for measurement and information gathering, we might even learn more about the nature of security, trust and dependability. The current limited knowledge of the nature of security-related concepts is hindering us from finding rigorous solutions to the aspects of overall security. In the presentation, we review the state-of-the-art approaches to measuring security. The target of the measurement can be, e.g., an organization, a part of it, a technical system or a service. We investigate the types of metrics available, related standards and how to develop security metrics in practice. We present results from a security measurement survey conducted in Finnish industry and results from three technical Security Metrics research projects carried out by VTT – the GEMOM EU FP7 project, the €-Confidential ITEA Eureka project and the Trust4All ITEA Eureka project. Furthermore, we also discuss the feasibility vs. infeasibility of measuring security and of developing security metrics that represent actual security phenomena. In designing a security metric, one has to be conscious of the fact that the metric simplifies a complex socio-technical situation down to numbers or partial orders.

About Reijo Savola: Reijo M. Savola was born in Oulu, Finland, in 1969. He received the degree of M.Sc. in Electrical Engineering (with honors) from the University of Oulu, Finland, in 1992, and the degree of Licentiate of Technology in Computer Science from the Tampere University of Technology in 1995. He is currently working as a Senior Research Scientist and the Network and Information Security Research Coordinator of VTT (Technical Research Centre of Finland) in Finland. VTT is the biggest independent multidisciplinary research institute in Northern Europe. He has experience in information and network security, software engineering, telecommunications, multi-technology engineering research topics and digital signal processing algorithm design. He has 7 years of industrial experience in the telecommunications sector, having worked as a digital signal processing consultant for Elektrobit Group Plc. in Oulu, Finland and in Redmond, WA, United States. Mr. Savola is an author of 60 publications in the field of information security. He is currently preparing a PhD thesis on Security Metrics.