Applying the Goal, Question, Metric method to derive tailored dynamic cyber risk metrics
Information and Computer Security
ISSN: 2056-4961
Article publication date: 16 October 2023
Issue publication date: 17 April 2024
Abstract
Purpose
This paper aims to propose a new method to derive custom dynamic cyber risk metrics based on the well-known Goal, Question, Metric (GQM) approach. A framework that complements the method and makes it much easier to use is proposed as well. Both the method and the framework have been validated within two challenging application domains: continuous risk assessment within a smart farm and risk-based adaptive security to reconfigure a Web application firewall.
Design/methodology/approach
The authors have identified a problem and provided motivation. They have developed their theory and engineered a new method and a framework to complement it. They have demonstrated that the proposed method and framework work, validating them in two real use cases.
Findings
The GQM method, often applied within the software quality field, is a good basis for proposing a method to define new tailored cyber risk metrics that meet the requirements of current application domains. A comprehensive framework that formalises possible goals and questions translated to potential measurements can greatly facilitate the use of this method.
Originality/value
The proposed method enables the application of the GQM approach to cyber risk measurement. The proposed framework allows new cyber risk metrics to be inferred by choosing between suggested goals and questions and measuring the relevant elements of probability and impact. The authors’ approach proves to be generic and flexible enough to allow very different organisations with heterogeneous requirements to derive tailored metrics useful for their particular risk management processes.
Acknowledgements
This research has been partially supported by a research and innovation contract with DeNexus Tech (art.83 M2554). Miguel Calvo is supported by grants from the Rey Juan Carlos University (ref. C-PREDOC21-007).
Citation
Calvo, M. and Beltrán, M. (2024), "Applying the Goal, Question, Metric method to derive tailored dynamic cyber risk metrics", Information and Computer Security, Vol. 32 No. 2, pp. 133-158. https://doi.org/10.1108/ICS-03-2023-0043
Publisher
Emerald Publishing Limited
Copyright © 2023, Emerald Publishing Limited