{"id":"https://openalex.org/W2086633188","doi":"https://doi.org/10.1109/esem.2009.5314213","title":"Using security metrics coupled with predictive modeling and simulation to assess security processes","display_name":"Using security metrics coupled with predictive modeling and simulation to assess security processes","publication_year":2009,"publication_date":"2009-10-01","ids":{"openalex":"https://openalex.org/W2086633188","doi":"https://doi.org/10.1109/esem.2009.5314213","mag":"2086633188"},"language":"en","primary_location":{"id":"doi:10.1109/esem.2009.5314213","is_oa":false,"landing_page_url":"https://doi.org/10.1109/esem.2009.5314213","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2009 3rd International Symposium on Empirical Software Engineering and Measurement","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5067929028","display_name":"Yolanta Beres","orcid":null},"institutions":[{"id":"https://openalex.org/I4210156325","display_name":"Hewlett-Packard (United Kingdom)","ror":"https://ror.org/05g4mtv59","country_code":"GB","type":"company","lineage":["https://openalex.org/I1324840837","https://openalex.org/I4210156325"]}],"countries":["GB"],"is_corresponding":true,"raw_author_name":"Yolanta Beres","raw_affiliation_strings":["HP Laboratories, UK","HP Labs, UK#TAB#"],"affiliations":[{"raw_affiliation_string":"HP Laboratories, UK","institution_ids":["https://openalex.org/I4210156325"]},{"raw_affiliation_string":"HP Labs, UK#TAB#","institution_ids":["https://openalex.org/I4210156325"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5055694969","display_name":"Marco Casassa Mont","orcid":"https://orcid.org/0009-0004-7611-6947"},"institutions":[{"id":"https://openalex.org/I4210156325","display_name":"Hewlett-Packard (United Kingdom)","ror":"https://ror.org/05g4mtv59","country_code":"GB","type":"company","lineage":["https://openalex.org/I1324840837","https://openalex.org/I4210156325"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Marco Casassa Mont","raw_affiliation_strings":["HP Laboratories, UK","HP Labs, UK#TAB#"],"affiliations":[{"raw_affiliation_string":"HP Laboratories, UK","institution_ids":["https://openalex.org/I4210156325"]},{"raw_affiliation_string":"HP Labs, UK#TAB#","institution_ids":["https://openalex.org/I4210156325"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5042851788","display_name":"Jonathan Griffin","orcid":null},"institutions":[{"id":"https://openalex.org/I4210156325","display_name":"Hewlett-Packard (United Kingdom)","ror":"https://ror.org/05g4mtv59","country_code":"GB","type":"company","lineage":["https://openalex.org/I1324840837","https://openalex.org/I4210156325"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Jonathan Griffin","raw_affiliation_strings":["HP Laboratories, UK","HP Labs, UK#TAB#"],"affiliations":[{"raw_affiliation_string":"HP Laboratories, UK","institution_ids":["https://openalex.org/I4210156325"]},{"raw_affiliation_string":"HP Labs, UK#TAB#","institution_ids":["https://openalex.org/I4210156325"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5013373237","display_name":"Simon Shiu","orcid":"https://orcid.org/0000-0003-2813-3561"},"institutions":[{"id":"https://openalex.org/I4210156325","display_name":"Hewlett-Packard (United Kingdom)","ror":"https://ror.org/05g4mtv59","country_code":"GB","type":"company","lineage":["https://openalex.org/I1324840837","https://openalex.org/I4210156325"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Simon Shiu","raw_affiliation_strings":["HP Laboratories, UK","HP Labs, UK#TAB#"],"affiliations":[{"raw_affiliation_string":"HP Laboratories, UK","institution_ids":["https://openalex.org/I4210156325"]},{"raw_affiliation_string":"HP Labs, UK#TAB#","institution_ids":["https://openalex.org/I4210156325"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5067929028"],"corresponding_institution_ids":["https://openalex.org/I4210156325"],"apc_list":null,"apc_paid":null,"fwci":5.1821,"has_fulltext":false,"cited_by_count":20,"citation_normalized_percentile":{"value":0.95667044,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":89,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"564","last_page":"573"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9904000163078308,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6680729389190674},{"id":"https://openalex.org/keywords/lagging","display_name":"Lagging","score":0.6653338670730591},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.548096239566803},{"id":"https://openalex.org/keywords/security-information-and-event-management","display_name":"Security information and event management","score":0.5472285151481628},{"id":"https://openalex.org/keywords/security-management","display_name":"Security management","score":0.5292410850524902},{"id":"https://openalex.org/keywords/security-convergence","display_name":"Security convergence","score":0.5180978178977966},{"id":"https://openalex.org/keywords/risk-analysis","display_name":"Risk analysis (engineering)","score":0.5175104141235352},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.5067384839057922},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.489541620016098},{"id":"https://openalex.org/keywords/computer-security-model","display_name":"Computer security model","score":0.4867565631866455},{"id":"https://openalex.org/keywords/information-security-standards","display_name":"Information security standards","score":0.4402121603488922},{"id":"https://openalex.org/keywords/asset","display_name":"Asset (computer security)","score":0.4289571940898895},{"id":"https://openalex.org/keywords/security-through-obscurity","display_name":"Security through obscurity","score":0.4287579357624054},{"id":"https://openalex.org/keywords/executable","display_name":"Executable","score":0.4283004105091095},{"id":"https://openalex.org/keywords/security-policy","display_name":"Security policy","score":0.41723090410232544},{"id":"https://openalex.org/keywords/cloud-computing-security","display_name":"Cloud computing security","score":0.359627902507782},{"id":"https://openalex.org/keywords/process-management","display_name":"Process management","score":0.3252107501029968},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.3090098798274994},{"id":"https://openalex.org/keywords/security-service","display_name":"Security service","score":0.30755865573883057},{"id":"https://openalex.org/keywords/network-security-policy","display_name":"Network security policy","score":0.2759843170642853},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.21928495168685913}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6680729389190674},{"id":"https://openalex.org/C2776962539","wikidata":"https://www.wikidata.org/wiki/Q6472078","display_name":"Lagging","level":2,"score":0.6653338670730591},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.548096239566803},{"id":"https://openalex.org/C103377522","wikidata":"https://www.wikidata.org/wiki/Q3493999","display_name":"Security information and event management","level":4,"score":0.5472285151481628},{"id":"https://openalex.org/C83163435","wikidata":"https://www.wikidata.org/wiki/Q3954104","display_name":"Security management","level":2,"score":0.5292410850524902},{"id":"https://openalex.org/C52420254","wikidata":"https://www.wikidata.org/wiki/Q7445028","display_name":"Security convergence","level":5,"score":0.5180978178977966},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.5175104141235352},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.5067384839057922},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.489541620016098},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.4867565631866455},{"id":"https://openalex.org/C139547956","wikidata":"https://www.wikidata.org/wiki/Q6031202","display_name":"Information security standards","level":5,"score":0.4402121603488922},{"id":"https://openalex.org/C76178495","wikidata":"https://www.wikidata.org/wiki/Q4808784","display_name":"Asset (computer security)","level":2,"score":0.4289571940898895},{"id":"https://openalex.org/C114869243","wikidata":"https://www.wikidata.org/wiki/Q133735","display_name":"Security through obscurity","level":5,"score":0.4287579357624054},{"id":"https://openalex.org/C160145156","wikidata":"https://www.wikidata.org/wiki/Q778586","display_name":"Executable","level":2,"score":0.4283004105091095},{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.41723090410232544},{"id":"https://openalex.org/C184842701","wikidata":"https://www.wikidata.org/wiki/Q370563","display_name":"Cloud computing security","level":3,"score":0.359627902507782},{"id":"https://openalex.org/C195094911","wikidata":"https://www.wikidata.org/wiki/Q14167904","display_name":"Process management","level":1,"score":0.3252107501029968},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.3090098798274994},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.30755865573883057},{"id":"https://openalex.org/C117110713","wikidata":"https://www.wikidata.org/wiki/Q3394676","display_name":"Network security policy","level":4,"score":0.2759843170642853},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.21928495168685913},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.0},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.0},{"id":"https://openalex.org/C142724271","wikidata":"https://www.wikidata.org/wiki/Q7208","display_name":"Pathology","level":1,"score":0.0},{"id":"https://openalex.org/C71924100","wikidata":"https://www.wikidata.org/wiki/Q11190","display_name":"Medicine","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/esem.2009.5314213","is_oa":false,"landing_page_url":"https://doi.org/10.1109/esem.2009.5314213","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2009 3rd International Symposium on Empirical Software Engineering and Measurement","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.5,"display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":14,"referenced_works":["https://openalex.org/W31171651","https://openalex.org/W612698755","https://openalex.org/W1484037459","https://openalex.org/W1604811379","https://openalex.org/W1979820341","https://openalex.org/W2004584049","https://openalex.org/W2044839138","https://openalex.org/W2080461471","https://openalex.org/W2117210791","https://openalex.org/W2137567166","https://openalex.org/W2152118002","https://openalex.org/W2159443917","https://openalex.org/W2161833190","https://openalex.org/W2620244897"],"related_works":["https://openalex.org/W4321844648","https://openalex.org/W833563683","https://openalex.org/W2165898552","https://openalex.org/W2173238669","https://openalex.org/W2353811196","https://openalex.org/W2188404590","https://openalex.org/W2379320583","https://openalex.org/W2988129474","https://openalex.org/W2894900144","https://openalex.org/W2161814110"],"abstract_inverted_index":{"It":[0,39],"is":[1,40],"hard":[2],"for":[3,76],"security":[4,60,81,135,209,229,236],"practitioners":[5],"and":[6,32,36,63,140,181,183,194,215,254,263],"decision-makers":[7],"to":[8,43,52,90,98,131,147,189,200,216,243,251,265],"know":[9],"what":[10],"level":[11],"of":[12,30,80,110,177,205,225],"protection":[13],"they":[14,24,144],"are":[15,67,145,211,248],"getting":[16],"from":[17],"their":[18,54],"investments":[19,48,166],"in":[20,27,56,83,96,149,157,167,174,228,234],"security,":[21],"especially":[22],"when":[23],"have":[25],"invested":[26],"a":[28,86,127,202,226,256],"number":[29],"technologies":[31],"processes":[33,82,136,210],"which":[34,153],"interact":[35],"combine":[37],"together.":[38],"even":[41],"harder":[42],"estimate":[44],"how":[45,114,142,191,206],"well":[46,143,207],"these":[47,115],"can":[49,118,197],"be":[50,91,119,198],"expected":[51],"protect":[53],"organizations":[55],"the":[57,64,78,99,175,213,223,241,245,261,266],"future":[58,151],"as":[59,186,221],"policies,":[61],"regulations":[62],"threat":[65,162,179],"environment":[66],"constantly":[68],"changing.":[69],"In":[70],"this":[71,192],"paper":[72],"we":[73],"propose":[74],"that":[75,247,259],"measuring":[77],"effectiveness":[79],"large":[84],"organizations,":[85],"greater":[87],"emphasis":[88],"needs":[89],"put":[92],"on":[93,126],"process-based":[94,116],"metrics,":[95],"contrast":[97],"more":[100],"commonly":[101],"used":[102,199],"symptomatic":[103],"lagging":[104],"indicators.":[105],"We":[106,169],"show,":[107],"by":[108],"means":[109],"two":[111,171],"case":[112,172],"studies,":[113,173],"metrics":[117,246],"combined":[120],"with":[121],"executable,":[122],"predictive":[123],"models,":[124],"based":[125],"sound":[128],"mathematical":[129],"foundation,":[130],"both":[132],"assess":[133],"organizations'":[134],"under":[137],"current":[138],"conditions":[139],"predict":[141],"likely":[146],"perform":[148],"potential":[150],"scenarios,":[152],"may":[154],"include":[155],"changes":[156],"working":[158],"practices,":[159],"policies":[160],"or":[161,164,231],"levels,":[163],"new":[165,235],"security.":[168],"present":[170],"areas":[176],"vulnerability":[178],"management,":[180,185],"identity":[182],"access":[184],"significant":[187],"examples":[188],"illustrate":[190],"modeling":[193],"simulation-based":[195],"approach":[196,239],"provide":[201,255],"rich":[203],"picture":[204],"existing":[208],"protecting":[212],"organization":[214,242],"answer":[217],"\"what-if\"":[218],"questions,":[219],"such":[220],"exploring":[222],"effects":[224],"change":[227],"policy":[230],"an":[232],"investment":[233],"technology.":[237],"Our":[238],"enables":[240],"apply":[244],"most":[249],"relevant":[250],"its":[252],"business,":[253],"comprehensive":[257],"view":[258],"shows":[260],"benefits":[262],"losses":[264],"different":[267],"stakeholders.":[268]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2024,"cited_by_count":1},{"year":2022,"cited_by_count":1},{"year":2020,"cited_by_count":3},{"year":2019,"cited_by_count":1},{"year":2015,"cited_by_count":3},{"year":2014,"cited_by_count":3},{"year":2012,"cited_by_count":4}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}