"Security Gap" as a metric for enterprise business processes

SECURITY AND PRIVACY (2022)

Abstract
Security is becoming an indispensable factor for the well-being of an enterprise. Enterprises are making huge investments to fulfill the demand for security. A big challenge faced by an enterprise while securing itself is to find the gap between the demand for security and the actual security status. Finding a consistent metric for measuring this gap can enable security administrators to utilize the allocated funds more appropriately. Popular control gap analysis methods practiced in enterprises are mostly subjective in nature and result in imprecise measurements. To address this issue, a novel security metric, "Security Gap", is introduced in this paper. This metric finds out the business process-level insecurity from the security requirements and the estimated security. The methodology uses business process modeling, attack graph modeling, and relevant base metrics to compute Security Gap.
Keywords
attack graph, business process model, business process security, CVSS, security measurement, security metric, security requirement