Abstract:
Lord Kelvin once said that "if you cannot measure it, you cannot improve it". Quantitative security metrics have been a challenging area so far; defining enterprise-level security metrics is listed as one of the hard problems in the Infosec Research Council's hard problems list. Almost all efforts to define absolute security metrics for enterprise security have not proved fruitful. However, with the maturity of the security industry, regulatory bodies have placed continuous emphasis on establishing measurable security metrics. Security metrics help in making functional and business decisions that improve the performance and cost of security controls. This thesis proposes a relative security metric model that derives three quantitative security metrics: the efficiency, the effectiveness and the cost/benefit measure of security controls. At the same time, virtualization technologies are rapidly changing the landscape of the computing world, and devising security metrics for a virtualized environment is even more challenging. This thesis takes the secure virtual machine migration process as a case study and applies the relative security metric model to measure the efficiency, effectiveness and cost/benefit measure of secure VM migration protocols. As secure VM migration is an evolving area and no standard protocol is available specifically for it, this thesis first proposes a lightweight secure VM migration protocol and then applies the proposed relative security metric model to compute the security performance of that protocol.