Abstract
It has always been a struggle for information security professionals to measure “the effectiveness” of IT security controls. In the 1980s, “orange books” were released for security professionals as a standard to set basic requirements for assessing the effectiveness of security controls built into a computer system (Figure 7-1), which was a part of the Rainbow Series published by the US National Computer Security Center. The most well-known orange book is the Trusted Computer System Evaluation Criteria (TCSEC) and its European counterpart, Information Technology Security Evaluation Criteria (ITSEC). The Common Criteria for Information Technology Security Evaluation (in short, ISO/IEC 15408) replaced those books. It created a framework for defining security levels for systems (hardware, software, or firmware) and determining acceptable testing methods and certifying system compliance to defined assurance levels.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
- 2.
- 3.
Kaspersky IT Security Economics 2020_Executive Summary.pdf
Author information
Authors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature
About this chapter
Cite this chapter
Viegas, V., Kuyucu, O. (2022). Security Metrics. In: IT Security Controls. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-7799-7_7
Download citation
DOI: https://doi.org/10.1007/978-1-4842-7799-7_7
Published:
Publisher Name: Apress, Berkeley, CA
Print ISBN: 978-1-4842-7798-0
Online ISBN: 978-1-4842-7799-7
eBook Packages: Professional and Applied ComputingApress Access BooksProfessional and Applied Computing (R0)