Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Enhancing & disseminating Africa’s Scholarly Publications www.mijsrp.org Mara International Journals
MIJSRP, Vol. 1, No. 1, Sept. 2017, Pages 40 - 48 40
Mara International Journal of Scientific & Research Publications
Vol. 1, No. 1, September 2017, Pages 40 - 48
Understanding Database Security Metrics: A Review
Jane Juma* and Daniel Makupi School of Computer Science and Bioinformatics Department of Information Technology Security
Kabarak University, Private Bag 20157, Kabarak, Kenya Email: [email protected]
* Corresponding author
Received: August 1, 2017 Published: September 4, 2017
Abstract
The ever increasing demand for high software reliability requires more robust techniques for software quality and
security level prediction. Databases are the core of Information Systems (IS), it is therefore necessary to ensure that
the quality of the databases in order to ensure the quality of the IS. Recently, it has been a challenge to determine on
what is a good database model or design. Therefore, in our discussion we have considered measuring specific features
and factors in a particular database implementation. The variant features and characteristics inherent to a particular
database serve to come up with a metric of assessment.
Keywords: Database Metric, Assesment, database, database security © 2016 by the author(s); Mara Research Journals (Nairobi, Kenya; Vancouver Canada) OPEN ACCESS
1. INTRODUCTION
Databases are the repositories of the most important and expensive mission critical information in the
enterprise. Today, in many business organizations, the databases and data assets are poorly protected from
external attackers as well as insiders. Databases must be secured well as any other systems in the
organization. They allow data to be retained and shared electronically and the amount of data contained in
these systems continues to grow at an exponential rate. So, the need to ensure the integrity of the data and
secure the data from unintended access has emerged, (Cavoukian and Jonas, 2012). To secure a database
environment, many database security models are developed. With the increase in usage of databases, the
frequency of attacks against those databases has also increased. Database attacks are an increasing trend
these days. What is the reason behind database attacks? One reason is the increase in access to data stored
in databases. When the data is being accessed by many people, the chance of data theft also increases (Al-
Sayid and Aldlaeen, 2013). In the past, database attacks were widespread, but were less in number as
hackers hacked the network more to show it was possible to hack and not to sell proprietary information.
Another reason for database attacks is to gain money selling sensitive information, which includes credit
card numbers, Social Security Numbers (SSN) among others. In order to have a proper discussion and
understanding of database security metrics, we first need to define database security metric as a standard of
measurement that enables quantification of the degree of safety of a database. It measures how likely a
database system is to suffer damage from attack. A database metrics helps:
i) To evaluate performance and protection of the database.
ii) Monitor database security in a proactive measure.
iii) Contribute to the improvement of the existing database security practices
Enhancing & disseminating Africa’s Scholarly Publications www.mijsrp.org Mara International Journals
MIJSRP, Vol. 1, No. 1, Sept. 2017, Pages 40 - 48 41
iv) Help management monitor database security
v) Justify database related security budgets
1.1 Statement of the research problem
The security assessment of a database application over time has proved to be difficult to implement. The
assessment in place is per usage, at the user level understanding but not measurable. Therefore, this method
has been occasioned with a non-deterministic conceptualization of how secure a design and a model of a
database should be. Therefore, our discussion will serve to inform on inherent factors that can be used as a
metric of assessment.
1.2 Objective of the study
Our main focus is to come up with a framework that would aid banking institutions to measure the security
status of their online banking infrastructure by commutatively considering banking facilities, investments
and defense in-depth strategies (SSOB).The status will serve to appropriately inform the security posture of
the banking institution.
2. SURVEY OF LITERATURE
Database technologies are a core component of many computing systems. They allow data to be retained
and shared electronically and the amount of data contained in these systems continues to grow at an
exponential rate. So does the need to insure the integrity of the data and secure the data from unintended
access. The Privacy Rights Clearing House reports that more than 345 million customer records have been
lost or stolen since 2005 when they began tracking data breach incidents, and the Ponemon Institute reports
that the average cost of a data breach has risen to $202 per customer record, (Razdan and Bommakanty,
2001).In August 2009, criminal indictments were handed down in the United States to three perpetrators
accused of carrying out the single largest data security breach recorded to date. These hackers allegedly
stole over 130 million in credit and debit card numbers by exploiting well-known database vulnerability, an
SQL injection (Murray, 2010). The Verizon Business Risk Team, that has been reporting data breach
statistics since 2004, examined 90 breaches during the 2008 calendar year. They reported that more than
285 million records had been compromised, a number exceeding the combined total from all prior years of
study (Murray, 2010). Their findings provide insight into who commits these acts and how they occur.
Consistently, they have found that most data breaches originate from external sources, with 75% of the
incidents coming from outside the organization as compared to 20% coming from inside. They also
reported that 91% of the compromised records were linked to organized criminal groups. Further, they note
that the majority of breaches result from hacking and malware often facilitated by errors committed by the
victim, for instance, the database owner. Unauthorized access and SQL injection were found to be the two
most common forms of hacking, an interesting finding given that both of these exploits are well known and
often preventable. Given the increasing number of beaches to database systems, there is a corresponding
need to increase awareness of how to properly protect and monitor database systems.
At its core, database security strives to ensure that only authenticated users perform authorized activities at
authorized times. It includes the system, processes, and procedures that protect a database from unintended
activity. The Defense Information Systems Agency of the US Department of Defense (2004), in its
Database Security Technical Implementation Guide, states that database security should provide controlled
protected access to the database content and, in the process, preserve the integrity, consistency, and overall
quality of your data (Murray, 2010). The objective is simple, the path to achieving the goal, a bit more
complex. Traditionally database security focused on user authentication and managing user privileges to
database objects (Guimaraes, 2006). This has proven to be inadequate given the growing number of
Enhancing & disseminating Africa’s Scholarly Publications
MIJSRP
successful database
sensitive data. A more comprehensive view of database security is needed, and it is becoming imperative
for students in the computing disciplines to develop an understandin
database security and to identify possible solutions.
3. DATABASE METRIC FACTORS
Database security should always be SMART to be counted as being effective. The security metrics should
indicate the extent to which the goals set are being met and be driven towards organization overall aim of
information security. With changing needs of i
no denying that good metrics take care of the need to secure database systems while observing the security
principles. Organizations employ a number of different metrics and a combination of them
databases
those responsible for information security function try to scrutinize their information system
3.1 Database security metrics factors
The
Enhancing & disseminating Africa’s Scholarly Publications
MIJSRP, Vol. 1, No.
successful database
sensitive data. A more comprehensive view of database security is needed, and it is becoming imperative
for students in the computing disciplines to develop an understandin
database security and to identify possible solutions.
3. DATABASE METRIC FACTORS
Database security should always be SMART to be counted as being effective. The security metrics should
indicate the extent to which the goals set are being met and be driven towards organization overall aim of
information security. With changing needs of i
no denying that good metrics take care of the need to secure database systems while observing the security
principles. Organizations employ a number of different metrics and a combination of them
databases secure. Operational
those responsible for information security function try to scrutinize their information system
3.1 Database security metrics factors
There are three fundamental factors that governs database security, these are:
i) Foundational defenses and
confidentiality, authentication and availability of information. They should be taken into
consideration and these entail anti
ii) Patch latency
helps identify business units with outdated or missing patches and which might raise the need for
central patch management or improvement of the process.
iii) Authentication
should be
be addressed. Attacking password is very easy through use of password cracking programs. These
attacks
your systems should be considered, for instance, is it prone to cracking during lunch hour when
admin is not on his des
vis Oracle database. The security architecture in the two databases is that the way MySQL is
implemented is prone to Security breaches compared to Oracle. The following diagrams below
shows the demonstration;
Fig 1: Login authe
Enhancing & disseminating Africa’s Scholarly Publications
No. 1, Sept. 2017,
successful database hacking incidents and the increase in the number of organizations reporting loss of
sensitive data. A more comprehensive view of database security is needed, and it is becoming imperative
for students in the computing disciplines to develop an understandin
database security and to identify possible solutions.
3. DATABASE METRIC FACTORS
Database security should always be SMART to be counted as being effective. The security metrics should
indicate the extent to which the goals set are being met and be driven towards organization overall aim of
information security. With changing needs of i
no denying that good metrics take care of the need to secure database systems while observing the security
principles. Organizations employ a number of different metrics and a combination of them
secure. Operational
those responsible for information security function try to scrutinize their information system
3.1 Database security metrics factors
re are three fundamental factors that governs database security, these are:
Foundational defenses and
confidentiality, authentication and availability of information. They should be taken into
consideration and these entail anti
Patch latency: is the time from w
helps identify business units with outdated or missing patches and which might raise the need for
central patch management or improvement of the process.
Authentication: passwords use and st
should be with password
be addressed. Attacking password is very easy through use of password cracking programs. These
attacks could target desktops, admin systems and servers. The time required to break a password of
your systems should be considered, for instance, is it prone to cracking during lunch hour when
admin is not on his des
vis Oracle database. The security architecture in the two databases is that the way MySQL is
implemented is prone to Security breaches compared to Oracle. The following diagrams below
shows the demonstration;
ogin authentication for MySQL
Enhancing & disseminating Africa’s Scholarly Publications
, Pages 40 - 48
hacking incidents and the increase in the number of organizations reporting loss of
sensitive data. A more comprehensive view of database security is needed, and it is becoming imperative
for students in the computing disciplines to develop an understandin
database security and to identify possible solutions.
3. DATABASE METRIC FACTORS
Database security should always be SMART to be counted as being effective. The security metrics should
indicate the extent to which the goals set are being met and be driven towards organization overall aim of
information security. With changing needs of i
no denying that good metrics take care of the need to secure database systems while observing the security
principles. Organizations employ a number of different metrics and a combination of them
secure. Operational effectiveness and demonstration of strategic value comes to effect when
those responsible for information security function try to scrutinize their information system
3.1 Database security metrics factors
re are three fundamental factors that governs database security, these are:
Foundational defenses and coverage
confidentiality, authentication and availability of information. They should be taken into
consideration and these entail anti
s the time from w
helps identify business units with outdated or missing patches and which might raise the need for
central patch management or improvement of the process.
asswords use and st
with password-complexity and
be addressed. Attacking password is very easy through use of password cracking programs. These
could target desktops, admin systems and servers. The time required to break a password of
your systems should be considered, for instance, is it prone to cracking during lunch hour when
admin is not on his desk? Like in this scenario (Fig.
vis Oracle database. The security architecture in the two databases is that the way MySQL is
implemented is prone to Security breaches compared to Oracle. The following diagrams below
shows the demonstration;
ntication for MySQL
Enhancing & disseminating Africa’s Scholarly Publications
hacking incidents and the increase in the number of organizations reporting loss of
sensitive data. A more comprehensive view of database security is needed, and it is becoming imperative
for students in the computing disciplines to develop an understandin
database security and to identify possible solutions.
Database security should always be SMART to be counted as being effective. The security metrics should
indicate the extent to which the goals set are being met and be driven towards organization overall aim of
information security. With changing needs of information and database security in organizations, there is
no denying that good metrics take care of the need to secure database systems while observing the security
principles. Organizations employ a number of different metrics and a combination of them
effectiveness and demonstration of strategic value comes to effect when
those responsible for information security function try to scrutinize their information system
re are three fundamental factors that governs database security, these are:
coverage: these
confidentiality, authentication and availability of information. They should be taken into
consideration and these entail anti-virus, anti-
s the time from when a patch is released to the time it is deployed. Patch latency
helps identify business units with outdated or missing patches and which might raise the need for
central patch management or improvement of the process.
asswords use and strengths should also be taken into account. The passwords
complexity and harder to crack and any weak spots in the systems should
be addressed. Attacking password is very easy through use of password cracking programs. These
could target desktops, admin systems and servers. The time required to break a password of
your systems should be considered, for instance, is it prone to cracking during lunch hour when
k? Like in this scenario (Fig.
vis Oracle database. The security architecture in the two databases is that the way MySQL is
implemented is prone to Security breaches compared to Oracle. The following diagrams below
ntication for MySQL (Researcher, 2017)
www.mijsrp
hacking incidents and the increase in the number of organizations reporting loss of
sensitive data. A more comprehensive view of database security is needed, and it is becoming imperative
for students in the computing disciplines to develop an understandin
Database security should always be SMART to be counted as being effective. The security metrics should
indicate the extent to which the goals set are being met and be driven towards organization overall aim of
nformation and database security in organizations, there is
no denying that good metrics take care of the need to secure database systems while observing the security
principles. Organizations employ a number of different metrics and a combination of them
effectiveness and demonstration of strategic value comes to effect when
those responsible for information security function try to scrutinize their information system
re are three fundamental factors that governs database security, these are:
these are data securing factors which strive to provision
confidentiality, authentication and availability of information. They should be taken into
-spyware, firewalls in use etc.
hen a patch is released to the time it is deployed. Patch latency
helps identify business units with outdated or missing patches and which might raise the need for
central patch management or improvement of the process.
rengths should also be taken into account. The passwords
harder to crack and any weak spots in the systems should
be addressed. Attacking password is very easy through use of password cracking programs. These
could target desktops, admin systems and servers. The time required to break a password of
your systems should be considered, for instance, is it prone to cracking during lunch hour when
k? Like in this scenario (Fig. 1) example a ca
vis Oracle database. The security architecture in the two databases is that the way MySQL is
implemented is prone to Security breaches compared to Oracle. The following diagrams below
(Researcher, 2017)
mijsrp.org
hacking incidents and the increase in the number of organizations reporting loss of
sensitive data. A more comprehensive view of database security is needed, and it is becoming imperative
for students in the computing disciplines to develop an understanding of the issues and challenges related to
Database security should always be SMART to be counted as being effective. The security metrics should
indicate the extent to which the goals set are being met and be driven towards organization overall aim of
nformation and database security in organizations, there is
no denying that good metrics take care of the need to secure database systems while observing the security
principles. Organizations employ a number of different metrics and a combination of them
effectiveness and demonstration of strategic value comes to effect when
those responsible for information security function try to scrutinize their information system
re are three fundamental factors that governs database security, these are:
are data securing factors which strive to provision
confidentiality, authentication and availability of information. They should be taken into
spyware, firewalls in use etc.
hen a patch is released to the time it is deployed. Patch latency
helps identify business units with outdated or missing patches and which might raise the need for
rengths should also be taken into account. The passwords
harder to crack and any weak spots in the systems should
be addressed. Attacking password is very easy through use of password cracking programs. These
could target desktops, admin systems and servers. The time required to break a password of
your systems should be considered, for instance, is it prone to cracking during lunch hour when
1) example a case of MySQL database vis
vis Oracle database. The security architecture in the two databases is that the way MySQL is
implemented is prone to Security breaches compared to Oracle. The following diagrams below
Mara International
hacking incidents and the increase in the number of organizations reporting loss of
sensitive data. A more comprehensive view of database security is needed, and it is becoming imperative
g of the issues and challenges related to
Database security should always be SMART to be counted as being effective. The security metrics should
indicate the extent to which the goals set are being met and be driven towards organization overall aim of
nformation and database security in organizations, there is
no denying that good metrics take care of the need to secure database systems while observing the security
principles. Organizations employ a number of different metrics and a combination of them
effectiveness and demonstration of strategic value comes to effect when
those responsible for information security function try to scrutinize their information systems
are data securing factors which strive to provision
confidentiality, authentication and availability of information. They should be taken into
spyware, firewalls in use etc.
hen a patch is released to the time it is deployed. Patch latency
helps identify business units with outdated or missing patches and which might raise the need for
rengths should also be taken into account. The passwords
harder to crack and any weak spots in the systems should
be addressed. Attacking password is very easy through use of password cracking programs. These
could target desktops, admin systems and servers. The time required to break a password of
your systems should be considered, for instance, is it prone to cracking during lunch hour when
se of MySQL database vis
vis Oracle database. The security architecture in the two databases is that the way MySQL is
implemented is prone to Security breaches compared to Oracle. The following diagrams below
International Journals
hacking incidents and the increase in the number of organizations reporting loss of
sensitive data. A more comprehensive view of database security is needed, and it is becoming imperative
g of the issues and challenges related to
Database security should always be SMART to be counted as being effective. The security metrics should
indicate the extent to which the goals set are being met and be driven towards organization overall aim of
nformation and database security in organizations, there is
no denying that good metrics take care of the need to secure database systems while observing the security
principles. Organizations employ a number of different metrics and a combination of them to make their
effectiveness and demonstration of strategic value comes to effect when
s.
are data securing factors which strive to provision
confidentiality, authentication and availability of information. They should be taken into
hen a patch is released to the time it is deployed. Patch latency
helps identify business units with outdated or missing patches and which might raise the need for
rengths should also be taken into account. The passwords
harder to crack and any weak spots in the systems should
be addressed. Attacking password is very easy through use of password cracking programs. These
could target desktops, admin systems and servers. The time required to break a password of
your systems should be considered, for instance, is it prone to cracking during lunch hour when
se of MySQL database vis-
vis Oracle database. The security architecture in the two databases is that the way MySQL is
implemented is prone to Security breaches compared to Oracle. The following diagrams below
42
hacking incidents and the increase in the number of organizations reporting loss of
sensitive data. A more comprehensive view of database security is needed, and it is becoming imperative
g of the issues and challenges related to
Database security should always be SMART to be counted as being effective. The security metrics should
indicate the extent to which the goals set are being met and be driven towards organization overall aim of
nformation and database security in organizations, there is
no denying that good metrics take care of the need to secure database systems while observing the security
to make their
effectiveness and demonstration of strategic value comes to effect when
are data securing factors which strive to provision
confidentiality, authentication and availability of information. They should be taken into
hen a patch is released to the time it is deployed. Patch latency
helps identify business units with outdated or missing patches and which might raise the need for
rengths should also be taken into account. The passwords
harder to crack and any weak spots in the systems should
be addressed. Attacking password is very easy through use of password cracking programs. These
could target desktops, admin systems and servers. The time required to break a password of
your systems should be considered, for instance, is it prone to cracking during lunch hour when
-à-
vis Oracle database. The security architecture in the two databases is that the way MySQL is
implemented is prone to Security breaches compared to Oracle. The following diagrams below
Enhancing & disseminating Africa’s Scholarly Publications
MIJSRP
From
password. A user can
does not enforce strict rules for passwords to authenticate users.
In
per user level
has to enter matching password to the level as shown above which
Implementation process
during
other
password bef
Enhancing & disseminating Africa’s Scholarly Publications
MIJSRP, Vol. 1, No.
From Fig. 1 sample above,
password. A user can
does not enforce strict rules for passwords to authenticate users.
Fig. 2:
In Fig. 2 example
per user level privi
as to enter matching password to the level as shown above which
Implementation process
during installation
other hand forces
password before the user
Fig. 3:
Enhancing & disseminating Africa’s Scholarly Publications
No. 1, Sept. 2017,
Fig. 1 sample above,
password. A user can easily
does not enforce strict rules for passwords to authenticate users.
Fig. 2: Login authentication in O
example above, in case of Oracle base,
privilege. Once the user enters the correct username it
as to enter matching password to the level as shown above which
Implementation process: MySQL
installation; as such it does not require strong password authentication practices.
hand forces a user to use st
ore the user is
Fig. 3: Screenshots of
Enhancing & disseminating Africa’s Scholarly Publications
, Pages 40 - 48
Fig. 1 sample above, it can be clearly seen that
easily access the system at any
does not enforce strict rules for passwords to authenticate users.
authentication in O
in case of Oracle base,
. Once the user enters the correct username it
as to enter matching password to the level as shown above which
MySQL is such that it does not force a user o
as such it does not require strong password authentication practices.
a user to use strong password combinations
is logged into the system.
reenshots of MySQL installation process
Enhancing & disseminating Africa’s Scholarly Publications
it can be clearly seen that
ess the system at any
does not enforce strict rules for passwords to authenticate users.
authentication in Oracle (Research data, 2017)
in case of Oracle base, a user
. Once the user enters the correct username it
as to enter matching password to the level as shown above which
is such that it does not force a user o
as such it does not require strong password authentication practices.
ong password combinations
the system.
installation process
www.mijsrp
it can be clearly seen that access to the database
ess the system at any privilege level especial
does not enforce strict rules for passwords to authenticate users.
(Research data, 2017)
a user has to provide
. Once the user enters the correct username it
as to enter matching password to the level as shown above which
is such that it does not force a user o
as such it does not require strong password authentication practices.
ong password combinations
installation process (Research data, 2017)
mijsrp.org
to the database
level especially
(Research data, 2017)
provide a username
. Once the user enters the correct username it prompts entry of password. The user
as to enter matching password to the level as shown above which actually enforces security.
is such that it does not force a user on strict authentication mechanism
as such it does not require strong password authentication practices.
ong password combinations during installation. It
(Research data, 2017)
Mara International
to the database does not need strict use of
y given the fact that MySQL
rname to start w
entry of password. The user
enforces security.
n strict authentication mechanism
as such it does not require strong password authentication practices.
during installation. It further
(Research data, 2017)
International Journals
does not need strict use of
given the fact that MySQL
to start with, and is set
entry of password. The user
enforces security.
n strict authentication mechanism
as such it does not require strong password authentication practices. Oracle, on the
further requires
43
does not need strict use of
given the fact that MySQL
is set
entry of password. The user
n strict authentication mechanism
the
es a
Enhancing & disseminating Africa’s Scholarly Publications
MIJSRP
It can be noted t
and also combinations.
From
during installation a strong
Running compli
ensure that information security lapses are not ov
points of access are available, ports are not left unnecessarily
Figure 5 below regarding
Fig. 5:
From the above
certain ac
have
Enhancing & disseminating Africa’s Scholarly Publications
MIJSRP, Vol. 1, No.
It can be noted t
and also combinations.
Fig 4:
From Fig. 4 abov
during installation a strong
Running compli
ensure that information security lapses are not ov
points of access are available, ports are not left unnecessarily
Figure 5 below regarding
Fig. 5: User privilege
From the above
certain access provision. And above
have a ‘create session
Enhancing & disseminating Africa’s Scholarly Publications
No. 1, Sept. 2017,
It can be noted that during installation of MySQL
and also combinations.
Screenshots of Oracle installation process
above, it can be seen that O
during installation a strong password
Running compliance and standard scores
ensure that information security lapses are not ov
points of access are available, ports are not left unnecessarily
Figure 5 below regarding user level
rivilege levels
From the above Fig. 5, it can be noted that from a user level
ess provision. And above
create session privil
Enhancing & disseminating Africa’s Scholarly Publications
, Pages 40 - 48
hat during installation of MySQL
creenshots of Oracle installation process
e, it can be seen that O
password combination is used.
ance and standard scores
ensure that information security lapses are not ov
points of access are available, ports are not left unnecessarily
user level privilege
levels (Research data, 2017)
it can be noted that from a user level
ess provision. And above (Fig.
privilege’ which has
Enhancing & disseminating Africa’s Scholarly Publications
hat during installation of MySQL it does not enforce strick rules on passoword requiremnet
creenshots of Oracle installation process
e, it can be seen that Oracle enforces a
combination is used.
ance and standard scores: Organizations adhere to certain best practice guidelines to
ensure that information security lapses are not overlooked. These scores endeavor
points of access are available, ports are not left unnecessarily
privilege and revoke.
(Research data, 2017)
it can be noted that from a user level
(Fig. 5) a user named
which has now been granted to her as shown in the Fi
www.mijsrp
it does not enforce strick rules on passoword requiremnet
creenshots of Oracle installation process (Research data, 2017)
racle enforces a password
combination is used.
Organizations adhere to certain best practice guidelines to
erlooked. These scores endeavor
points of access are available, ports are not left unnecessarily open. An illustrative example is shown
and revoke.
it can be noted that from a user level, a user can be created but that user
user named jane ca
granted to her as shown in the Fi
mijsrp.org
it does not enforce strick rules on passoword requiremnet
(Research data, 2017)
password strict requirement that ensures that
Organizations adhere to certain best practice guidelines to
erlooked. These scores endeavor
open. An illustrative example is shown
a user can be created but that user
cannot be able to login since she
granted to her as shown in the Fi
Mara International
it does not enforce strick rules on passoword requiremnet
strict requirement that ensures that
Organizations adhere to certain best practice guidelines to
erlooked. These scores endeavor to see that only a few
open. An illustrative example is shown
a user can be created but that user
nnot be able to login since she
granted to her as shown in the Fig. 6;
International Journals
it does not enforce strick rules on passoword requiremnet
strict requirement that ensures that
Organizations adhere to certain best practice guidelines to
to see that only a few
open. An illustrative example is shown
a user can be created but that user has
nnot be able to login since she does not
44
it does not enforce strick rules on passoword requiremnet
strict requirement that ensures that
Organizations adhere to certain best practice guidelines to
to see that only a few
open. An illustrative example is shown in
has a
does not
Enhancing & disseminating Africa’s Scholarly Publications
MIJSRP
Fig. 6:
From
illustrates
3.2
For a database metric to be effective and efficient the organization has to
metrics
metrics
3.3 Categories of database security metrics:
The National Institute of Standards and Technology (NIST) categorize metrics into three groupings under
the Performance Measurement Guide for Information Security (
categories are:
3.4
Database security metrics can be implemented in a number of ways. For instance, an organization could
note the nu
futile back
passwords, record the t
instances of
3.5
The overall information security program of an institution or entity will determine the effectiveness of a
particular metric. For
institution B has had the same policy for five years. Thus, after ten months, institution A having a metric
about policy compliance would be more important that if B ha
for B.
Enhancing & disseminating Africa’s Scholarly Publications
MIJSRP, Vol. 1, No.
Fig. 6: Privilege levels
From Fig. 6 it can be noted that
illustrates the running compliance and standard scores.
3.2 Requirements for an Effective DB S
For a database metric to be effective and efficient the organization has to
metrics, gain management
metrics, and conduct
3.3 Categories of database security metrics:
The National Institute of Standards and Technology (NIST) categorize metrics into three groupings under
the Performance Measurement Guide for Information Security (
categories are:
i) Implementation
controls.
ii) Effectiveness and efficiency
iii) Impact
mission, often done through quantifying of costs avoided or risk reduction achieved.
3.4 Sample situations of DB security metrics
Database security metrics can be implemented in a number of ways. For instance, an organization could
note the number of false SQL server instan
futile back-up attempts
passwords, record the t
instances of systems complian
3.5 Comparison and variation of database security metrics for different entities:
The overall information security program of an institution or entity will determine the effectiveness of a
particular metric. For
institution B has had the same policy for five years. Thus, after ten months, institution A having a metric
about policy compliance would be more important that if B ha
for B.
Enhancing & disseminating Africa’s Scholarly Publications
No. 1, Sept. 2017,
rivilege levels (Research data, 2017)
it can be noted that
running compliance and standard scores.
Requirements for an Effective DB S
For a database metric to be effective and efficient the organization has to
, gain management
and conduct a regular review and update
3.3 Categories of database security metrics:
The National Institute of Standards and Technology (NIST) categorize metrics into three groupings under
the Performance Measurement Guide for Information Security (
Implementation – metric for showing progress in policy implementation, action plans and security
controls.
Effectiveness and efficiency
Impact – metrics used to show the impact of the information security program on the institution’s
mission, often done through quantifying of costs avoided or risk reduction achieved.
tuations of DB security metrics
Database security metrics can be implemented in a number of ways. For instance, an organization could
mber of false SQL server instan
attempts, take statistics of t
passwords, record the time taken to evaluate and retrieve client data on a DB security event
systems complian
Comparison and variation of database security metrics for different entities:
The overall information security program of an institution or entity will determine the effectiveness of a
particular metric. For instance, institution A issues a policy about all workstations data being encrypted and
institution B has had the same policy for five years. Thus, after ten months, institution A having a metric
about policy compliance would be more important that if B ha
Enhancing & disseminating Africa’s Scholarly Publications
, Pages 40 - 48
(Research data, 2017)
it can be noted that the user
running compliance and standard scores.
Requirements for an Effective DB S
For a database metric to be effective and efficient the organization has to
, gain management support and approval
a regular review and update
3.3 Categories of database security metrics:
The National Institute of Standards and Technology (NIST) categorize metrics into three groupings under
the Performance Measurement Guide for Information Security (
metric for showing progress in policy implementation, action plans and security
Effectiveness and efficiency – metr
metrics used to show the impact of the information security program on the institution’s
mission, often done through quantifying of costs avoided or risk reduction achieved.
tuations of DB security metrics
Database security metrics can be implemented in a number of ways. For instance, an organization could
mber of false SQL server instan
, take statistics of t
ime taken to evaluate and retrieve client data on a DB security event
systems compliance with regulatory and ethical standards
Comparison and variation of database security metrics for different entities:
The overall information security program of an institution or entity will determine the effectiveness of a
instance, institution A issues a policy about all workstations data being encrypted and
institution B has had the same policy for five years. Thus, after ten months, institution A having a metric
about policy compliance would be more important that if B ha
Enhancing & disseminating Africa’s Scholarly Publications
(Research data, 2017)
the user jane has now been given
running compliance and standard scores.
Requirements for an Effective DB Security Metrics
For a database metric to be effective and efficient the organization has to
support and approval, u
a regular review and update of the metrics.
3.3 Categories of database security metrics:
The National Institute of Standards and Technology (NIST) categorize metrics into three groupings under
the Performance Measurement Guide for Information Security (
metric for showing progress in policy implementation, action plans and security
metrics used to track results of security control implementation.
metrics used to show the impact of the information security program on the institution’s
mission, often done through quantifying of costs avoided or risk reduction achieved.
tuations of DB security metrics
Database security metrics can be implemented in a number of ways. For instance, an organization could
mber of false SQL server instances over a short period of time like a month, record a nu
, take statistics of the percentage of total database access priv
ime taken to evaluate and retrieve client data on a DB security event
with regulatory and ethical standards
Comparison and variation of database security metrics for different entities:
The overall information security program of an institution or entity will determine the effectiveness of a
instance, institution A issues a policy about all workstations data being encrypted and
institution B has had the same policy for five years. Thus, after ten months, institution A having a metric
about policy compliance would be more important that if B ha
www.mijsrp
has now been given
running compliance and standard scores.
etrics
For a database metric to be effective and efficient the organization has to
, understand the exact informat
of the metrics.
The National Institute of Standards and Technology (NIST) categorize metrics into three groupings under
the Performance Measurement Guide for Information Security (
metric for showing progress in policy implementation, action plans and security
ics used to track results of security control implementation.
metrics used to show the impact of the information security program on the institution’s
mission, often done through quantifying of costs avoided or risk reduction achieved.
Database security metrics can be implemented in a number of ways. For instance, an organization could
ces over a short period of time like a month, record a nu
he percentage of total database access priv
ime taken to evaluate and retrieve client data on a DB security event
with regulatory and ethical standards
Comparison and variation of database security metrics for different entities:
The overall information security program of an institution or entity will determine the effectiveness of a
instance, institution A issues a policy about all workstations data being encrypted and
institution B has had the same policy for five years. Thus, after ten months, institution A having a metric
about policy compliance would be more important that if B had the same as this has now become routine
mijsrp.org
has now been given ‘create session
For a database metric to be effective and efficient the organization has to be able to
nderstand the exact informat
The National Institute of Standards and Technology (NIST) categorize metrics into three groupings under
the Performance Measurement Guide for Information Security (NIST SP 800
metric for showing progress in policy implementation, action plans and security
ics used to track results of security control implementation.
metrics used to show the impact of the information security program on the institution’s
mission, often done through quantifying of costs avoided or risk reduction achieved.
Database security metrics can be implemented in a number of ways. For instance, an organization could
ces over a short period of time like a month, record a nu
he percentage of total database access priv
ime taken to evaluate and retrieve client data on a DB security event
with regulatory and ethical standards
Comparison and variation of database security metrics for different entities:
The overall information security program of an institution or entity will determine the effectiveness of a
instance, institution A issues a policy about all workstations data being encrypted and
institution B has had the same policy for five years. Thus, after ten months, institution A having a metric
d the same as this has now become routine
Mara International
create session privilege
be able to fully comprehend t
nderstand the exact information required of all the
The National Institute of Standards and Technology (NIST) categorize metrics into three groupings under
NIST SP 800-55 Revision 1
metric for showing progress in policy implementation, action plans and security
ics used to track results of security control implementation.
metrics used to show the impact of the information security program on the institution’s
mission, often done through quantifying of costs avoided or risk reduction achieved.
Database security metrics can be implemented in a number of ways. For instance, an organization could
ces over a short period of time like a month, record a nu
he percentage of total database access privileges with difficult
ime taken to evaluate and retrieve client data on a DB security event, and note the
Comparison and variation of database security metrics for different entities:
The overall information security program of an institution or entity will determine the effectiveness of a
instance, institution A issues a policy about all workstations data being encrypted and
institution B has had the same policy for five years. Thus, after ten months, institution A having a metric
d the same as this has now become routine
International Journals
privilege’. This clearly
fully comprehend the
ion required of all the
The National Institute of Standards and Technology (NIST) categorize metrics into three groupings under
55 Revision 1). The
metric for showing progress in policy implementation, action plans and security
ics used to track results of security control implementation.
metrics used to show the impact of the information security program on the institution’s
mission, often done through quantifying of costs avoided or risk reduction achieved.
Database security metrics can be implemented in a number of ways. For instance, an organization could
ces over a short period of time like a month, record a number of
ileges with difficult
, and note the
The overall information security program of an institution or entity will determine the effectiveness of a
instance, institution A issues a policy about all workstations data being encrypted and
institution B has had the same policy for five years. Thus, after ten months, institution A having a metric
d the same as this has now become routine
45
’. This clearly
he
ion required of all the
The National Institute of Standards and Technology (NIST) categorize metrics into three groupings under
. The
metric for showing progress in policy implementation, action plans and security
metrics used to show the impact of the information security program on the institution’s
mber of
The overall information security program of an institution or entity will determine the effectiveness of a
instance, institution A issues a policy about all workstations data being encrypted and
institution B has had the same policy for five years. Thus, after ten months, institution A having a metric
d the same as this has now become routine
Enhancing & disseminating Africa’s Scholarly Publications www.mijsrp.org Mara International Journals
MIJSRP, Vol. 1, No. 1, Sept. 2017, Pages 40 - 48 46
The process of ensuring database security should systematically be able to be planned, discover and assess,
secure, monitored, protect and manage.
3.6 Importance of Database Security Metrics:
Metrics are very important to an information security unit in an organisation as they provide an insight
concerning information security program efficacy, they let an organization benchmark their security
investments against other organizations, they show the height of compliance to regulations, the metrics
“gathering” process often leads to identification of security inconsistencies or holes, and indicate levels of
risk and required mitigation strategies.
In order to put good database security metrics in place, it’s important to ask questions such as, how difficult
will it be to collect data meant to address a certain metric? what are the chances that the metric may be
misconstrued? will regular review of metrics and update be conducted as needed?
4. DISCUSSION
With the ever widening landscape of threats on databases, organizations have been forced eventually to
change the way they work. The key factors that have driven database security metrics are money matters
(return on investment), governance and management, risk mitigation, decision-making at all levels,
sensitive business and customer data, need to comply with regulatory requirements, high profile data
breaches experience by other organizations, legal and ethical responsibilities, and the need to find out how
effective information security implemented is.
Therefore, in order to measure and report on database security issues, metrics include:
Metrics for losses that arise from security incident: It is worth to track and come up with all the losses from
security incidences in order to establish a best case basis for management decisions. These costs include
direct losses, investigative and corrective actions, legal action and may be measured or estimated, although
losses arising indirectly might be difficult to measure but can at least be classified into high, low or
medium. The security of database is a subset of all security incidents but the key concern is the failure of
confidentiality, integrity and availability (CIA) of data. For example, a worm that causes a widespread
network disruption. Costs associated with unplanned outages of vital database system to clean up the
worm’s damage can be accounted for as a database security failure as well as part of the costs of malware
incidents.
Database security control costs metric: The security control of a database include controls that are specific
to database, for example, database user authentication and encryption software and generally security
controls like physical protection of servers in the data center. It might be possible to allocate the IT
departments costs to security, operations, development and other categories, and within security to identify
database security costs. High level summary metrics are perhaps the best than can be expected.
Confidence metrics: Managers and stakeholders may be surveyed regarding their confidence in database
security for example; how confident are you that our database security controls meet the business needs?
Please mark the following percentage scale at the appropriate point, in your opinion.
Enhancing & disseminating Africa’s Scholarly Publications
MIJSRP
Comment e.g what has led you to this score? Have there been particular situations or incidents that
influenced your decisions?
The metrics can be indexed to come up with a value to reveal the state of th
graphing the accumulated database security losses over the course of a year, for instance
the peaks caused
recurrence.
5.
In develo
assets in the
components
hardware and software, and the
database security metrics for use in countermeasures against threats and
6. AREAS FOR FURTHER STUDY
It can be noted that database is the core of information and information systems. Therefore efforts in
ensuring further
conf
7. REFERENCES
Al
Cavoukian, A., & Jonas, J. (2012).
Guimaraes, M. (2006
Murray, M. C. (2010).
Razdan, R., &
Cite this article:
Juma, J. an
Enhancing & disseminating Africa’s Scholarly Publications
MIJSRP, Vol. 1, No.
Comment e.g what has led you to this score? Have there been particular situations or incidents that
influenced your decisions?
The metrics can be indexed to come up with a value to reveal the state of th
graphing the accumulated database security losses over the course of a year, for instance
the peaks caused
recurrence.
5. CONCLUSION
In developing database security metrics, it is important to conduct a risk analysis of the risks and value of
assets in the organization
components of an inform
hardware and software, and the
database security metrics for use in countermeasures against threats and
6. AREAS FOR FURTHER STUDY
It can be noted that database is the core of information and information systems. Therefore efforts in
ensuring further
confidence level attached to a database implementation and design.
7. REFERENCES
Al-Sayid, N. A., & Aldlaeen, D. (2013
and Information Technology (CSIT), 2013 5th
Cavoukian, A., & Jonas, J. (2012).
Available
big-data.pdf
Guimaraes, M. (2006
conference on Information security curriculum development
Murray, M. C. (2010).
Technology Education
org/documents/Vol9/JITEv9IIPp061
Razdan, R., &
Cite this article:
Juma, J. and Makupi, D
Pages 40
Enhancing & disseminating Africa’s Scholarly Publications
No. 1, Sept. 2017,
Comment e.g what has led you to this score? Have there been particular situations or incidents that
influenced your decisions?
The metrics can be indexed to come up with a value to reveal the state of th
graphing the accumulated database security losses over the course of a year, for instance
the peaks caused by serious
CONCLUSION
ping database security metrics, it is important to conduct a risk analysis of the risks and value of
organization in accordance with their risk exposure. This exercise should be done across all
of an information system that includes people, information, network, system patches, system
hardware and software, and the
database security metrics for use in countermeasures against threats and
6. AREAS FOR FURTHER STUDY
It can be noted that database is the core of information and information systems. Therefore efforts in
ensuring further survey into the index factor of database dependability would be a viable approach to
idence level attached to a database implementation and design.
7. REFERENCES
A., & Aldlaeen, D. (2013
and Information Technology (CSIT), 2013 5th
Cavoukian, A., & Jonas, J. (2012).
Available at: http://gpsbydesign.org/wp
data.pdf
Guimaraes, M. (2006). New challenges in teaching database security
conference on Information security curriculum development
Murray, M. C. (2010). Database Security: What Students Need to Know,
Technology Education
org/documents/Vol9/JITEv9IIPp061
Razdan, R., & Bommakanty, S. (2001).
Cite this article:
Makupi, D. (2017).
40 - 48
Enhancing & disseminating Africa’s Scholarly Publications
, Pages 40 - 48
Comment e.g what has led you to this score? Have there been particular situations or incidents that
The metrics can be indexed to come up with a value to reveal the state of th
graphing the accumulated database security losses over the course of a year, for instance
by serious incidents and provide opportunities to discuss the actions taken to prevent a
ping database security metrics, it is important to conduct a risk analysis of the risks and value of
in accordance with their risk exposure. This exercise should be done across all
ation system that includes people, information, network, system patches, system
hardware and software, and the database
database security metrics for use in countermeasures against threats and
6. AREAS FOR FURTHER STUDY
It can be noted that database is the core of information and information systems. Therefore efforts in
into the index factor of database dependability would be a viable approach to
idence level attached to a database implementation and design.
A., & Aldlaeen, D. (2013).
and Information Technology (CSIT), 2013 5th
Cavoukian, A., & Jonas, J. (2012). Privacy by design in the age of big data
http://gpsbydesign.org/wp
New challenges in teaching database security
conference on Information security curriculum development
Database Security: What Students Need to Know,
Technology Education, Volume 9, PP. 61
org/documents/Vol9/JITEv9IIPp061
Bommakanty, S. (2001). U.S. Patent Application No. 09/769,443
. (2017). Understanding Database Security Metrics: A Review
Enhancing & disseminating Africa’s Scholarly Publications
Comment e.g what has led you to this score? Have there been particular situations or incidents that
The metrics can be indexed to come up with a value to reveal the state of th
graphing the accumulated database security losses over the course of a year, for instance
incidents and provide opportunities to discuss the actions taken to prevent a
ping database security metrics, it is important to conduct a risk analysis of the risks and value of
in accordance with their risk exposure. This exercise should be done across all
ation system that includes people, information, network, system patches, system
database servers. This will aid in coming up with suitable yet effective
database security metrics for use in countermeasures against threats and
It can be noted that database is the core of information and information systems. Therefore efforts in
into the index factor of database dependability would be a viable approach to
idence level attached to a database implementation and design.
). Database security
and Information Technology (CSIT), 2013 5th
Privacy by design in the age of big data
http://gpsbydesign.org/wp-content/uploads/2016/07/privacy
New challenges in teaching database security
conference on Information security curriculum development
Database Security: What Students Need to Know,
, Volume 9, PP. 61
org/documents/Vol9/JITEv9IIPp061-077Murray804. pdf
U.S. Patent Application No. 09/769,443
Understanding Database Security Metrics: A Review
www.mijsrp
Comment e.g what has led you to this score? Have there been particular situations or incidents that
The metrics can be indexed to come up with a value to reveal the state of th
graphing the accumulated database security losses over the course of a year, for instance
incidents and provide opportunities to discuss the actions taken to prevent a
ping database security metrics, it is important to conduct a risk analysis of the risks and value of
in accordance with their risk exposure. This exercise should be done across all
ation system that includes people, information, network, system patches, system
servers. This will aid in coming up with suitable yet effective
database security metrics for use in countermeasures against threats and
It can be noted that database is the core of information and information systems. Therefore efforts in
into the index factor of database dependability would be a viable approach to
idence level attached to a database implementation and design.
Database security -threats: A survey study
and Information Technology (CSIT), 2013 5th International Conference on
Privacy by design in the age of big data
content/uploads/2016/07/privacy
New challenges in teaching database security
conference on Information security curriculum development
Database Security: What Students Need to Know,
, Volume 9, PP. 61-77. Available at: http://www. jite.
077Murray804. pdf
U.S. Patent Application No. 09/769,443
Understanding Database Security Metrics: A Review
mijsrp.org
Comment e.g what has led you to this score? Have there been particular situations or incidents that
The metrics can be indexed to come up with a value to reveal the state of the organizations controls. Also
graphing the accumulated database security losses over the course of a year, for instance
incidents and provide opportunities to discuss the actions taken to prevent a
ping database security metrics, it is important to conduct a risk analysis of the risks and value of
in accordance with their risk exposure. This exercise should be done across all
ation system that includes people, information, network, system patches, system
servers. This will aid in coming up with suitable yet effective
database security metrics for use in countermeasures against threats and vulnerabilities.
It can be noted that database is the core of information and information systems. Therefore efforts in
into the index factor of database dependability would be a viable approach to
idence level attached to a database implementation and design.
threats: A survey study
International Conference on
Privacy by design in the age of big data
content/uploads/2016/07/privacy
New challenges in teaching database security. In Proceedings of the 3rd annual
conference on Information security curriculum development (pp. 64-67). ACM.
Database Security: What Students Need to Know,
. Available at: http://www. jite.
U.S. Patent Application No. 09/769,443
Understanding Database Security Metrics: A Review
Mara International
Comment e.g what has led you to this score? Have there been particular situations or incidents that
e organizations controls. Also
graphing the accumulated database security losses over the course of a year, for instance, should highlight
incidents and provide opportunities to discuss the actions taken to prevent a
ping database security metrics, it is important to conduct a risk analysis of the risks and value of
in accordance with their risk exposure. This exercise should be done across all
ation system that includes people, information, network, system patches, system
servers. This will aid in coming up with suitable yet effective
vulnerabilities.
It can be noted that database is the core of information and information systems. Therefore efforts in
into the index factor of database dependability would be a viable approach to
threats: A survey study. In Computer Science
International Conference on (pp. 60-64). IEEE.
Privacy by design in the age of big data. Information and Privacy.
content/uploads/2016/07/privacy-by-design
Proceedings of the 3rd annual
67). ACM.
Database Security: What Students Need to Know, Journal of Information
. Available at: http://www. jite.
U.S. Patent Application No. 09/769,443.
Understanding Database Security Metrics: A Review. MIJSRP.
International Journals
Comment e.g what has led you to this score? Have there been particular situations or incidents that
e organizations controls. Also
should highlight
incidents and provide opportunities to discuss the actions taken to prevent a
ping database security metrics, it is important to conduct a risk analysis of the risks and value of
in accordance with their risk exposure. This exercise should be done across all
ation system that includes people, information, network, system patches, system
servers. This will aid in coming up with suitable yet effective
It can be noted that database is the core of information and information systems. Therefore efforts in
into the index factor of database dependability would be a viable approach to
Computer Science
64). IEEE.
. Information and Privacy.
design-in-the-age-of
Proceedings of the 3rd annual
Journal of Information
. Available at: http://www. jite.
. Vol. 1, No. 1,
47
Comment e.g what has led you to this score? Have there been particular situations or incidents that
e organizations controls. Also
should highlight
incidents and provide opportunities to discuss the actions taken to prevent a
ping database security metrics, it is important to conduct a risk analysis of the risks and value of
in accordance with their risk exposure. This exercise should be done across all
ation system that includes people, information, network, system patches, system
servers. This will aid in coming up with suitable yet effective
It can be noted that database is the core of information and information systems. Therefore efforts in
into the index factor of database dependability would be a viable approach to
Computer Science
. Information and Privacy.
of-
Proceedings of the 3rd annual
Journal of Information
. Available at: http://www. jite.
Vol. 1, No. 1,