Managing security projects is a delicate activity due to the evolution of attacks. In this paper, we develop a new methodology for estimating security effort based on algebraic representation of security policies. This methodology is used within the SECOMO model. Two models are defined: the a priori model and the a posteriori model. Real security projects are used to prove the accuracy of the new methodology.

Protecting the critical infrastructure, application estate, and company data is a massive responsibility that is much bigger than IT and cyber security. Technical teams are challenged with having a fundamental understanding of security programs. They are also challenged by the increasing number of moving people, parts, and processes around vulnerability management. Then there are security patches and a wide range of best practices required to support hybrid working from any device.