In IT Security world, there is lack of available, reliable systems for measuring securitylevels/posture. They lack the range of quantitative measurements and easy and fast deployment,and potentially affects companies of all sizes.Readily available security standards provide qualitative security levels, but not quantitative results– that would be easily comparable. This deficiency makes it hard for companies to evaluate theirsecurity posture accurately. Absence of security metrics makes it complicated for customers toselect the appropriate measures for particular security level needed.The research question for this research project is – “How is it possible to calculate IT securityeffectiveness?”.The aim of this research is to use this reference model to calculate and to optimize majoruniversity’s and a small CSP-s (Cloud Service Provider) security posture and their spending’s onsecurity measures. Aim is to develop a reference model to support IT Security team and businessside to make reasoned and optimal decisions about IT security and all that with a reasonablenumber of manhours.In this Graded Security Expert System (GSES) aka Graded Security Reference Model (GSRM) thequantitative metrics of the graded security approach are used to express the relations betweensecurity goals, security confidence and security costs.What makes this model unique, is the option to use previous customers security templates/models– cutting the implementation time from 500+ manhours to as low as 50 manhours. The firstcustomers 500+ manhours will also be cut down to 50+ manhours on the second yearimplementing the expert system.The Graded Security Reference Model (GSRM) was developed using a combination oftheoretical method and design science research. The model is based on InfoSec (info security)activities and InfoSec spendings from previous year – cost and effectiveness – gathered fromexpert opinionsBy implementing GSRM, user can gather quantitative security levels as no other model, or astandard provides those.GSRM delivers very detailed and accurate (according to university’s IT Security Team)effectiveness levels per spendings brackets.GSRM was created as a graded security reference model on CoCoViLa platform, which is unique asit provides quantitative results corresponding to company’s security posture.Freely available models and standards either provide vague quantitative security postureinformation or are extremely complicated to use – BIS/ISKE (not supported any more).This Graded Security Reference Model has turned theories presented in literature review into afunctional, graphical model.The GSRM was used with detailed data from the 15+k users university and their IT security team(all members have 10+ years of IT security experience) concluded that the model is reasonablysimple to implement/modify, and results are precise and easily understandable. It was alsoobserved that the business side had no problems understanding the results and very fewexplanatory remarks were needed.
| Identifer | oai:union.ndltd.org:UPSALLA1/oai:DiVA.org:ltu-94969 |
| Date | January 2022 |
| Creators | Kivimaa, Kristjan |
| Publisher | Luleå tekniska universitet, Institutionen för system- och rymdteknik |
| Source Sets | DiVA Archive at Upsalla University |
| Language | English |
| Detected Language | English |
| Type | Student thesis, info:eu-repo/semantics/bachelorThesis, text |
| Format | application/pdf |
| Rights | info:eu-repo/semantics/openAccess |
Page generated in 0.0134 seconds