Abstract
Efforts to assure the cybersecurity of an organization's information and systems rely on industry metrics to monitor their current state of play. These, when monitored over time, could also help organizations to determine whether they are improving their stance or lagging behind. We reviewed the literature on metrics and consulted 12 cybersecurity professionals, working in industry, to take a snapshot of the status quo of metric and framework usage. We report on what our respondents told us and conclude by explaining that, although they were aware of metrics, many only used minimal metrics, and few used any existing frameworks. This was primarily due to resource and other business constraints. It seems that we have to encourage and engender more metric usage, and that an automated approach, with an associated dashboard to support reporting, would be the best way to help organizations to benefit from this helpful mechanism.
Original language | English |
---|---|
Title of host publication | eCrime 2024 |
Publication status | Accepted/In press - 12 Aug 2024 |
Event | eCrime 2024 Boston - Boston, United States. Duration: 24 Sept 2024 → 26 Sept 2024. https://apwg.org/event/ecrime2024/ |
Conference
Conference | eCrime 2024 Boston |
---|---|
Abbreviated title | eCrime |
Country/Territory | United States |
Period | 24/09/24 → 26/09/24 |
Keywords
- risk metrics
- cybersecurity
- management
- mitigation
- assessment