Abstract:
The security of complex networks with multiple elements is very difficult to evaluate and to characterize numerically. The interaction between the network elements, the different layer topologies and the numerous features makes security quantification almost impossible. On the other hand, the lack of security benchmarking is very problematic for budget and investment allocation by companies. Numerical economic indexes for costs and potential benefits are used to set budgets. Security is not quantified and cannot be mapped to these economic indexes, so the budget is not set objectively. This paper suggests a novel framework for the quantification of network security, and thus for security benchmarking. The relative vector expresses the different layers, physical connections, operational risk, and human resources. The benchmark is a relative value, not an absolute one, and is an indirect indication of security. The relative security vector maps to economic values and helps management make decisions. The suggested framework extends common standards such as ISO 27000, BSI and ITIL, which characterize single network elements or processes in corporations. This framework is the missing link between the security standards, subjective expert analysis and the monetary instruments. The benchmarking does not say whether a system is secure; rather, it gives a relative, indirect comparison between systems.
Keywords:
complex networks; security of data; monetary instruments; numerical economical index; relative security vector; security level benchmarking; security level quantification; security standards; subjective expert analysis; Data privacy; Data security; Government; Humans; ISO standards; Information security; Instruments; Investments; Network topology