Developing Security Metrics for Automated Compliance Checking
摘要
To automatically check for compliance with security-related standards, prose requirements must be translated to technical properties to make them measurable. A multitude of metrics have been proposed in past literature, but they are lacking a systematic methodology for their elicitation. Without such a methodology, metrics remain inconsistent in their data models and abstraction levels, they exhibit considerable overlaps and are difficult to combine to comprehensively cover a standard’s requirement. In this paper, we develop a data model for security metrics based on a systematization of compliance requirements, and we propose a methodology for their elicitation. The method is based on an ontology that enables a systematic development of metrics with a comparable degree of abstraction. We also present our initial work on an open-source effort that demonstrates that our approach also supports a collaborative development of metrics.