Risk-driven security metrics in agile software development - An industrial pilot study

Journal of Universal Computer Science

Volumn 18, Issue 12, 2012, Pages 1679-1702

  Savola, Reijo M ^a   Frühwirth, Christian ^b   Pietikäinen, Ari ^c  

^a VTT TECHNICAL RESEARCH CENTRE OF FINLAND   (Finland)

^b AALTO UNIVERSITY   (Finland)

^c Ericsson Finland   (Finland)

Author keywords

Agile SW Development; Risk Analysis; Security metrics

Indexed keywords

EID: 84866244993     PISSN: 0958695X     EISSN: 09486968     Source Type: Journal    
DOI: None     Document Type: Article

References (37)

1. [Anderson and Reinertsen 2010] Anderson, D.J., Reinertsen, D.G., "Kanban - Successful Evolutionary Change for Your Technology Business," Blue Hole Press, Sequiem, WA.
2. [Baldwin et al. 2010] Balwin, J., Ewert, J., Yamen, S., "Evolution of the Voice Interconnect," Ericsson Review No. 2, 2010, 10-15.
3. [Barrett et al. 2009] Barrett, M., Johnson, C., Mell, P., Quinn, S., Scarfone, K., "Guide to Adopting and Using the Security Content Automation Protocol (SCAP)," NIST Special Publication 800-117 (Draft), U.S. National Institute of Standards and Technology, 2009.
4. [Bartol et al. 2009] Bartol, N., Bates, B., Goertzel, K. M., Winograd, T., "Measuring Cyber Security and Information Assurance: a State-of-the-Art Report," Information Assurance Technology Analysis Center IATAC, May 2009.
5. [Basili et al. 1994] Basili, V., Caldiera, G., Rombach, H.D., "The Goal Question Metric Approach," 1994.
6. [Burr 2008] Burr, W.E. et al. 2008. "Electronic Authentication Guideline," National Institute of Standards and Technology, U.S. Department of Commerce, NIST SP 800-63-1, Draft.
7. [Card et al. 1999] Card, S.K., Mackinlay, J.D., Shneiderman, B., "Readings in Information Visualization: Using Vision to Think," Morgan Kaufmann Publishers, San Francisco, CA, 1999, 686 p.
8. [Haddad et al. 2011] Haddad, S., Dubus, S., Hecker, A., Kanstrén, T., Marquet, B., Savola, R., "Operational Security Assurance Evaluation in Open Infrastructures", Proc. CRiSIS 2011, pp. 100-105.
9. [Ericsson 2009] "Efficient Softswitching," Whitepaper, Ericsson, 2009. 11 p.
10. [Eschenbrücher et al. 2004] Eschenbrücher, D., Mellberg, J., Niklander, S., Näslund, M., Palm, P., Sahlin, B., "Security Architectures for Mobile Networks", Ericsson Review No. 2, 2004, 68-81.
11. [Frühwirth et al. 2010] Frühwirth C., Biffl S., Tabatabai M., Weippl E., "Addressing Misalignment between Information Security Metrics and Business-driven Security Objectives," Proc. MetriSec'10.
12. [Hermann 2007] Herrmann, D. S., "Complete Guide to Security and Privacy Metrics - Measuring Regulatory Compliance, Operational Resilience and ROI," Auerbach Publications, 2007, 824 p.
13. [Howard and LeBlanc 2003] Howard, M. and LeBlanc, D., "Writing Secure Code," Microsoft, 2003.
14. [ISO/IEC 15408] ISO/IEC 15408-1:2005, "Common Criteria for Information Technology Security Evaluation - Part 1: Introduction and General Model," ISO/IEC, 2005.
15. [ISO/IEC 27000] ISO/IEC 27000:2009: Information Technology - Security Techniques - Information Security Management Systems - Overview and Vocabulary. ISO/IEC, 2009.
16. [ITSEC 1991] Information Technology Security Evaluation Criteria (ITSEC), Version 1.2, Commission for the European Communities, 1991.
17. [ITU-T 2005] International Telecommunication Union, Telecommunication Standardization Sector (ITU-T), "Series H: Audiovisual and Multimedia Systems - Infrastructure of Audiovisual Services - Communication Procedures - Gateway Control Protocol: Version 3," ITU-T Recommendation H.248.1, Geneva, Switzerland, 2005, 195 p.
18. [Jaquith 2007] Jaquith, A., "Security Metrics: Replacing Fear, Uncertainty and Doubt," Addison-Wesley, 2007.
19. [Kanstrén et al. 2011] Kanstrén, T., Savola, R., Haddad, S., Hecker, A., "An Adaptive and Dependable Distributed Monitoring Framework," Int. Journal on Advances in Security, 4(1&2), 1-19.
20. [Kanter 2004] Kanter, R. M., "Confidence: Leadership and the Psychology of Turnarounds," Random House, London, 2004.
21. [Kuusijärvi 2010] Kuusijärvi, J. "Interactive Visualization of Quality Variability at Run-Time", VTT Technical Research Centre of Finland, VTT Publications 746, 2010, 111 p.
22. [Marty 2008] Marty, R., "Applied Security Visualization", Addison-Wesley, 2008, 552 p.
23. [McGraw 2006] McGraw, G., "Software Security - Building Security In," Addison-Wesley, 2006.
24. [McPherson et al. 2004] McPherson, J., Ma, K.-L., Krystosk, P., Bartoletti, T., Christensen, M., "PortVis: A Tool for Port-Based Detection of Security Events", Proc. VizSE'04, 73-81.
25. [Ouedraogo et al. 2008] Ouedraogo, M., Khadraoui, D., de Rémont, B., Dubois, E., Mouratidis, H., "Deployment of a Security Assurance Monitoring Framework for Telecommunication Service Infrastructure on a VoIP System," Proc. NTMS'08.
26. [Savola 2007] Savola, R., "A Taxonomical Approach for Information Security Metrics Development," Nordsec'07 Supplemental Booklet of Short Papers, Reykjavik, Iceland, 11 p.
27. [Savola 2009] Savola, R., "A Security Metrics Taxonomization Model for Software-Intensive Systems," Journal of Information Processing Systems, Vol. 5, No. 4, Dec. 2009, 197-206.
28. [Savola 2010] Savola, R., "On the Feasibility of Utilizing Security Metrics in Software-Intensive Systems," Int. Journal of Computer Science and Network Security, 10(1), 230-239.
29. [Savola and Abie 2010] Savola, R., Abie, H., "Development of Measurable Security for a Distributed Messaging System," Int. Journal on Advances in Security, 2(4), 358-380.
30. [Savola and Heinonen 2011a] Savola, R., Heinonen, P., "Increasing Measurability and Meaningfulness of Adaptive Security Monitoring by System Architectural Design and Mechanisms," Int. Journal on Advances in Systems and Measurements, 4(1&2), 1-19.
31. [Savola and Heinonen 2011b] Savola, R., Heinonen, P., "A Visualization and Modeling Tool for Security Metrics and Measurements Management," Proc. ISSA 2011, 8 p.
32. [Savola, Pentikäinen and Ouedraogo 2010] Savola, R., Pentikäinen, H. and Ouedraogo, M., "Towards Security Effectiveness Measurement Utilizing Risk-Based Security Assurance," Proc. ISSA 2010, 8 p.
33. [Schwaber and Beedle 2001] Schwaber, K., Beedle, M., "Agile Software Development with Scrum," Prentice Hall, 2001.
34. [SecViz 2011] Security Visualization. http://www.secviz.org/node/89 [Jan. 15, 2012].
35. [Verendel 2009] Verendel, V., "Quantified Security is a Weak Hypothesis: a Critical Survey of Results and Assumptions," New Security Paradigms Workshop, Oxford, U.K., 2009, 37-50.
36. [Verendel 2010] Verendel, V., "Some Problems in Quantified Security," Licentiate Thesis, Chalmers University of Technology, Göteborg, Sweden, 2010.
37. th National Information Systems Security Conference, 522-533.