PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson
Appendix E: SABSA Security Attributes Table

Each entry below gives the business attribute, an explanation of the attribute, the metric type (hard or soft), and the suggested measurement approach.

User Attributes

These attributes are related to the user's experience of interacting with the business system.
Accessible
  Explanation: Information to which the user is entitled to gain access should be easily found and accessed by that user.
  Metric type: Soft
  Measurement approach: Search tree depth necessary to find the information.

Accurate
  Explanation: The information provided to users should be accurate within a range that has been pre-agreed upon as being applicable to the service being delivered.
  Metric type: Hard
  Measurement approach: Acceptance testing on key data to demonstrate compliance with design rules.

Anonymous
  Explanation: For certain specialized types of service, the anonymity of the user should be protected.
  Metric type: Hard
  Measurement approach: Rigorous proof of system functionality.
  Metric type: Soft
  Measurement approach: Red team review.*

Consistent
  Explanation: The way in which login, navigation, and target services are presented to the user should be consistent across different times, locations, and channels of access.
  Metric type: Hard
  Measurement approach: Conformance with design style guides.
  Metric type: Soft
  Measurement approach: Red team review.

* A red team review is an objective appraisal by an independent team of experts who have been briefed to think either like the user or like an opponent or attacker, whichever is appropriate to the objectives of the review.
Current
  Explanation: Information provided to users should be current and kept up to date within a range that has been pre-agreed upon as being applicable for the service being delivered.
  Metric type: Hard
  Measurement approach: Refresh rates at the data source and replication of refreshed data to the destination.

Duty-segregated
  Explanation: For certain sensitive tasks, the duties should be segregated, so no user has access to both aspects of the task.
  Metric type: Hard
  Measurement approach: Functional testing.
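The "functional testing" suggested for the Duty-segregated attribute can be automated as a check over each user's effective permission set: a user is in violation whenever both halves of a sensitive task are reachable, whether through a single role or through a combination of roles. The block below is an added example, not code from the book or from SABSA; the role, permission and user names are constructed and hypothetical. It also flags roles that are toxic by design (a role that alone grants both halves) and reports a hard metric, the count of users in violation.

```python
# Added example: functional test for segregation of duties (SoD).
# Role, permission and user names are constructed and hypothetical.

# Which permissions each role grants (constructed sample).
ROLE_PERMISSIONS = {
    "payments-clerk":    {"payment.create"},
    "payments-approver": {"payment.approve"},
    "finance-admin":     {"payment.create", "payment.approve", "ledger.read"},
    "auditor":           {"ledger.read"},
}

# Which roles each user holds (constructed sample).
USER_ROLES = {
    "alice": {"payments-clerk"},
    "bob":   {"payments-approver"},
    "carol": {"payments-clerk", "payments-approver"},  # both halves via two roles
    "dave":  {"finance-admin"},                         # both halves via one role
    "erin":  {"auditor"},
}

# Pairs of permissions that must never be held by the same user:
# the "two aspects of the task" from the attribute explanation.
TOXIC_PAIRS = [
    ("payment.create", "payment.approve"),
]


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds.

    An unknown user or an unknown role contributes nothing, so the check
    fails closed rather than crashing on a stale assignment.
    """
    perms = set()
    for role in user_roles.get(user, set()):
        perms |= role_permissions.get(role, set())
    return perms


def sod_violations(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
                   toxic_pairs=TOXIC_PAIRS):
    """Map each violating user to the toxic pairs they hold in full.

    Checks the effective permission set, so a conflict split across two
    roles is caught as well as one baked into a single role.
    """
    violations = {}
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, role_permissions)
        hits = [(a, b) for a, b in toxic_pairs if a in perms and b in perms]
        if hits:
            violations[user] = hits
    return violations


def toxic_roles(role_permissions=ROLE_PERMISSIONS, toxic_pairs=TOXIC_PAIRS):
    """Roles that by themselves grant both halves of a toxic pair.

    These are design defects in the role model, independent of who is
    assigned to them; fixing them removes a whole class of violations.
    """
    return sorted(
        role for role, perms in role_permissions.items()
        if any(a in perms and b in perms for a, b in toxic_pairs)
    )


def sod_metric(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
               toxic_pairs=TOXIC_PAIRS):
    """Hard metric: (users in violation, users checked)."""
    violating = sod_violations(user_roles, role_permissions, toxic_pairs)
    return len(violating), len(user_roles)


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        print(f"VIOLATION {user}: holds {pairs}")
    print("toxic roles:", toxic_roles())
    bad, total = sod_metric()
    print(f"SoD metric: {bad}/{total} users in violation")
```

Run against a real system, the two dictionaries would be exported from the identity provider or application role store; the test then becomes a repeatable measurement rather than a one-off review, and the ratio returned by `sod_metric` is the number that goes on the metrics dashboard.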
Educated and aware
  Explanation: The user community should be educated and trained so that they can embrace the security culture and so as to have sufficient user awareness of security issues that behavior of users is compliant with security policies.
  Metric type: Soft
  Measurement approach: Competence surveys.

Informed
  Explanation: The user should be kept fully informed about services, operating procedures, operational schedules, planned outages, and so on.
  Metric type: Soft
  Measurement approach: Focus groups or satisfaction surveys.

Motivated
  Explanation: The interaction with the system should add positive motivation to the user to complete the business tasks in hand.
  Metric type: Soft
  Measurement approach: Focus groups or satisfaction surveys.

Protected
  Explanation: The user's information and access privileges should be protected against abuse by other users or by intruders.
  Metric type: Soft
  Measurement approach: Penetration test (could be regarded as "hard" but only if a penetration is achieved; failure to penetrate does not mean that penetration is impossible).
Reliable
  Explanation: The services provided to the user should be delivered at a reliable level of quality.
  Metric type: Soft
  Measurement approach: A definition of "quality" is needed against which to compare.

Responsive
  Explanation: The users obtain a response within a satisfactory period of time that meets their expectations.
  Metric type: Hard
  Measurement approach: Response time.

Supported
  Explanation: When a user has problems or difficulties in using the system or its services, there should be a means by which the user can receive advice and support, so the problems can be resolved to the satisfaction of the user.
  Metric type: Soft
  Measurement approach: Focus groups or satisfaction surveys; independent audit and review against a security architecture capability maturity model.*

Timely
  Explanation: Information is delivered or made accessible to the user at the appropriate time or within the appropriate time period.
  Metric type: Hard
  Measurement approach: Refresh rates at the data source and replication of refreshed data to the destination.

Transparent
  Explanation: Providing full visibility to the user of the logical process but hiding the physical structure of the system (as a URL hides the actual physical locations of Web servers).
  Metric type: Soft
  Measurement approach: Focus groups or satisfaction surveys; independent audit and review against a security architecture capability maturity model.

Usable
  Explanation: The system should provide easy-to-use interfaces that can be navigated intuitively by a user of average intelligence and training level (for the given system). The user's experience of these interactions should be at best interesting and at worst neutral.
  Metric type: Soft
  Measurement approach: Number of clicks or keystrokes required; conformance with industry standards (for example, color palettes); feedback from focus groups.

* The type of architectural capability maturity model referred to is based upon the ideas of capability maturity models.