Important: This instance is deprecated and will be closed soon! Please visit this platform
26-29 May 2015
Europe/Berlin timezone
Home > Timetable > Session details > Contribution details

Contribution Complete Research Paper

Fürstenberghaus - F5
31 - Security and Privacy of Information and IS

Requirements for IT Security Metrics - an Argumentation Theory Based Approach


  • Emrah YASASIN
  • Guido SCHRYEN

Primary authors



The demand for measuring IT security performance is driven by regulatory, financial, and organizational factors. While several best practice metrics have been suggested, we observe a lack of consistent requirements against which IT security metrics can be evaluated. We address this research gap by adopting a methodological approach that is based on argumentation theory and an accompanying literature review. As a result, we derive five key requirements: IT security metrics should be (a) bounded, (b) metrically scaled, (c) reliable, valid and objective, (d) context-specific and (e) computed automatically. We illustrate and discuss the context-specific instantiation of requirements by using the practically used "vulnerability scanning coverage" and "mean-time-to-incident discovery" metrics as examples. Finally we summarize further implications of each requirement.