Abstract:Technical security metrics provide measurements in ensuring the effectiveness of technical security controls or technology devices/objects that are used in protecting the information systems. However, lack of understanding and method to develop the technical security metrics may lead to unachievable security control objectives and incompetence of the implementation. This paper proposes a model of technical security metric to measure the effectiveness of network security management. The measurement is based on the effectiveness of security performance for (1) network security controls such as firewall, Intrusion Detection Prevention System (IDPS), switch, wireless access point, wireless controllers and network architecture; and (2) network services such as Hypertext Transfer Protocol Secure (HTTPS) and virtual private network (VPN). We use the Goal-Question-Metric (GQM) paradigm [1] which links the measurement goals to measurement questions and produce the metrics that can easily be interpreted in compliance with the requirements. The outcome of this research method is the introduction of network security management metric as an attribute to the Technical Security Metric (TSM) model. Apparently, the proposed TSM model may provide guidance for organizations in complying with effective measurement requirements of ISO/IEC 27001 Information Security Management System (ISMS) standard. The proposed model will provide a comprehensive measurement and guidance to support the use of ISO/IEC 27004 ISMS Measurement template.

What problem does this paper attempt to address?

The problem that this paper attempts to solve is the development and application of technical security metrics in network security management. Specifically, the author points out that there are currently deficiencies in understanding and developing technical security metrics, which may lead to the inability to achieve security control goals and impotence in implementation. To meet this challenge, the paper proposes a Technical Security Metric Model (TSMM) aiming to measure the effectiveness of network security management. ### Specific problems include: 1. **Lack of understanding and methods**: How to develop effective technical security metrics to ensure the effectiveness of technical security controls or devices. 2. **Inadequate measurement**: Existing measurement methods may be too simple and lack relevance, limiting the value of reported information. 3. **Compliance and standard requirements**: How to ensure that an organization can meet the requirements of the ISO/IEC 27001 Information Security Management System (ISMS) standard, especially regarding effective measurement requirements. ### Solutions: - **Propose the TSMM model**: Based on eight criteria for effective security metrics such as effectiveness, quantification, simplicity, and comparability, a technical security metric model is proposed. - **Use the GQM paradigm**: Through the Goal - Question - Metric (GQM) paradigm, the measurement goals are linked to specific problems, thereby generating metric indicators that are easy to interpret and meet the requirements. - **Cover network controls and services**: This model not only considers network control devices such as firewalls, intrusion detection and prevention systems (IDPS), and switches, but also covers the security performance of network services such as HTTPS and virtual private networks (VPN). ### Goals: - Provide a comprehensive measurement framework to help organizations assess their network security and ensure compliance with the requirements of the ISO/IEC 27001 ISMS standard. - Support the use of the ISO/IEC 27004 ISMS measurement template and provide specific measurement guidelines. Through these measures, the paper aims to improve the effectiveness and compliance of organizations in network security management.

Effective Measurement Requirements for Network Security Management

Research of United Platform of Network Security Management Model

Quantifiable Network Security Measurement - A Study Based on an Index System.

Security management for large computer networks

Model-Based Quantitative Network Security Metrics: A Survey

A Systematic Analysis of Security Metrics for Industrial Cyber–Physical Systems

Composite Metrics for Network Security Analysis

How to Quantify the Security Level of Embedded Systems? A Taxonomy of Security Metrics

Security Metrics in Industrial Control Systems

Technical Research on Computer Network Security Automatic Evaluation

Study of Security Metrics of Software System for Comparative Evaluation

An risk measurement model for assessing information systems

Development of an Information Security Management Model for Enterprise Automated Systems

A survey of cyber security management in industrial control systems

An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks

Towards Quantifying the (in)security of Networked Systems.

Contextualising and aligning security metrics and business objectives: A GQM-based methodology

A Formal Model of Security Controls' Capabilities and Its Applications to Policy Refinement and Incident Management

Integrated Solution Modeling Software: A New Paradigm on Information Security Review

Computational Study of Security Risk Evaluation in Energy Management and Control Systems Based on a Fuzzy MCDM Method

The industrial security management model for SMBs in smart work