Defining a Process for Statistical Analysis of Vulnerability Management using KPI

Abstract: In todays connected society, with rapidly advancing technology, there is an interest in offering technical services in our day to day life. Since these services are used to handle sensitive information and money, there are demands for increased information security. Sometimes errors occur in these systems that risk the security for both parties. These systems should be secured to maintain secure operations even though vulnerabilities occur. Outpost24 is one company that specializes in vulnerability management. By using their scanning tool OUTSCAN™, Outpost24 can identify vulnerabilities in network components, such as firewalls, switches, printers, devices, servers, workstations and other computer systems. These results are then stored in a database. Within this study, the authors will work together with Outpost24 towards this data. The goal is to define a process for generation of vulnerability reports for the company. The process will perform a statistical analysis of the data and present the findings. To solve the task a report was created, during which the process was documented. The work began with a background study into Key Performance Indicators (KPIs), in which the most common security KPIs were identified from similar works. A tool was also developed to help with the analysis. This resulted in a statistical analysis using Outpost24’s dataset. By presenting the data formatted by the KPIs, trends could be identified. This showed an overall trend of increasing vulnerabilities and the necessity for organizations to spend resources towards security. The KPIs offer other possibilities, such as creating a baseline for security evaluation using data from one year. In the future, one could use the KPIs to compare how the security situation has changed.