Measuring cyber essentials security policies

Sándor Bartha; Russell Ballantine; David Aspinall

doi:10.1145/3675741.3675747

Measuring cyber essentials security policies

Sándor Bartha, Russell Ballantine, David Aspinall

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The design and maintenance of high-level security policies is an important starting point governing the implementation of security controls for a business. The choice of which security controls to implement is inherently a cost-benefit analysis that could greatly benefit from repeatable and adjustable quantitative methods, but defining a security policy is based on informal domain knowledge. In this paper we focus on security policies aimed to achieve a Cyber Essentials certification, a government backed scheme in the UK. We present a simple and transparent measure for such security policies, assigning them a numerical score to estimate their benefits for a particular network, allowing to compare them and to make them subject of a quantitative cost-benefit analysis. The score for policies is based on the CVSS scores for vulnerabilities, estimating how would a policy affect CVSS scores.

Original language	English
Title of host publication	Proceedings of the 17th Cyber Security Experimentation and Test Workshop
Publisher	ACM
Pages	17-26
Number of pages	10
ISBN (Electronic)	9798400709579
DOIs	https://doi.org/10.1145/3675741.3675747
Publication status	Published - 13 Aug 2024
Event	17th Cyber Security Experimentation and Test Workshop - Philadelphia, United States Duration: 13 Aug 2024 → 13 Aug 2024

Workshop

Workshop	17th Cyber Security Experimentation and Test Workshop
Abbreviated title	CSET 2024
Country/Territory	United States
City	Philadelphia
Period	13/08/24 → 13/08/24

Keywords / Materials (for Non-textual outputs)

security

Access to Document

10.1145/3675741.3675747Licence: Creative Commons: Attribution (CC-BY)

BarthaEtalCSET2024MeasuringCyberEssentialsFinal published version, 696 KBLicence: Creative Commons: Attribution (CC-BY)

Cite this

@inproceedings{55d97aa9a1fe4fea9e093f4d7a5c2792,

title = "Measuring cyber essentials security policies",

abstract = "The design and maintenance of high-level security policies is an important starting point governing the implementation of security controls for a business. The choice of which security controls to implement is inherently a cost-benefit analysis that could greatly benefit from repeatable and adjustable quantitative methods, but defining a security policy is based on informal domain knowledge. In this paper we focus on security policies aimed to achieve a Cyber Essentials certification, a government backed scheme in the UK. We present a simple and transparent measure for such security policies, assigning them a numerical score to estimate their benefits for a particular network, allowing to compare them and to make them subject of a quantitative cost-benefit analysis. The score for policies is based on the CVSS scores for vulnerabilities, estimating how would a policy affect CVSS scores.",

keywords = "security",

author = "S{\'a}ndor Bartha and Russell Ballantine and David Aspinall",

year = "2024",

month = aug,

day = "13",

doi = "10.1145/3675741.3675747",

language = "English",

pages = "17--26",

booktitle = "Proceedings of the 17th Cyber Security Experimentation and Test Workshop",

publisher = "ACM",

note = "17th Cyber Security Experimentation and Test Workshop, CSET 2024 ; Conference date: 13-08-2024 Through 13-08-2024",

}

TY - GEN

T1 - Measuring cyber essentials security policies

AU - Bartha, Sándor

AU - Ballantine, Russell

AU - Aspinall, David

PY - 2024/8/13

Y1 - 2024/8/13

N2 - The design and maintenance of high-level security policies is an important starting point governing the implementation of security controls for a business. The choice of which security controls to implement is inherently a cost-benefit analysis that could greatly benefit from repeatable and adjustable quantitative methods, but defining a security policy is based on informal domain knowledge. In this paper we focus on security policies aimed to achieve a Cyber Essentials certification, a government backed scheme in the UK. We present a simple and transparent measure for such security policies, assigning them a numerical score to estimate their benefits for a particular network, allowing to compare them and to make them subject of a quantitative cost-benefit analysis. The score for policies is based on the CVSS scores for vulnerabilities, estimating how would a policy affect CVSS scores.

AB - The design and maintenance of high-level security policies is an important starting point governing the implementation of security controls for a business. The choice of which security controls to implement is inherently a cost-benefit analysis that could greatly benefit from repeatable and adjustable quantitative methods, but defining a security policy is based on informal domain knowledge. In this paper we focus on security policies aimed to achieve a Cyber Essentials certification, a government backed scheme in the UK. We present a simple and transparent measure for such security policies, assigning them a numerical score to estimate their benefits for a particular network, allowing to compare them and to make them subject of a quantitative cost-benefit analysis. The score for policies is based on the CVSS scores for vulnerabilities, estimating how would a policy affect CVSS scores.

KW - security

UR - https://www.scopus.com/pages/publications/85201364186

U2 - 10.1145/3675741.3675747

DO - 10.1145/3675741.3675747

M3 - Conference contribution

AN - SCOPUS:85201364186

SP - 17

EP - 26

BT - Proceedings of the 17th Cyber Security Experimentation and Test Workshop

PB - ACM

T2 - 17th Cyber Security Experimentation and Test Workshop

Y2 - 13 August 2024 through 13 August 2024

ER -

Measuring cyber essentials security policies

Abstract

Workshop

Keywords / Materials (for Non-textual outputs)

Access to Document

Other files and links

Fingerprint

AISEC: AI Secure and Explainable by Construction

Cite this

Measuring cyber essentials security policies

Abstract

Workshop

Keywords / Materials (for Non-textual outputs)

Access to Document

Other files and links

Fingerprint

Projects

AISEC: AI Secure and Explainable by Construction

Cite this