Go to DBLP homepageIf you cannot Measure it, you cannot Secure it. A Case Study on Metrics for Informed Choice of Security Controls
Abstract: Information security standards such as the National Institute of Standards and Technology (NIST), and the International Organization for Standardization (ISO) specify hundreds of security controls to protect and defend information systems. However, implementing all the available controls simultaneously can be infeasible for organizations. Controls need to be chosen based on their degree of mitigation over attack techniques. The goal of this research is to help organizations make an informed choice of security controls by proposing a set of metrics for measuring the degree of mitigation of attack techniques. We propose a set of seven metrics to characterize the mitigation by security controls against attack techniques used in cyberattacks. We perform a case study in this paper, where we investigate the 298 NIST SP800-53 security controls and 201 adversarial techniques cataloged in the MITRE ATT&CK. Based on the metrics, we identify that only 107 out of 298 controls are capable of mitigating adversarial techniques. However, we also identify that 50 attack techniques cannot be mitigated by existing controls. We identify 21 critical controls based on the metrics, which also match 90% with NIST-provided priority codes and 70% with NIST-provided baselines, which evaluates the practical relevance of the metrics. Furthermore, we also identify that the critical controls are specified in an abstract manner, which could lead to varying degrees of implementation.
Loading