Measuring Security


Visible to the public Directions in Security Metrics Research

More than 100 years ago, Lord Kelvin insightfully observed that measurement is vital to deep knowledge and understanding in physical science. During the last few decades, researchers have made various attempts to develop measures and systems of measurement for computer security with varying degrees of success. This paper provides an overview of the security metrics area and looks at possible avenues of research that could be pursued to advance the state of the art.


Visible to the public Measuring Cyber Security and Information Assurance: A State of the Art Report

This Information Assurance Technology Analysis Center (IATAC) State of the Art Report (SOAR) provides a representative overview of the current state of the art of the measurement of cyber security and information assurance (CS/IA).  It summarizes the progress made in the CS/IA measurement discipline and advances in CS/IA measurement research since 2000.  Topics addressed include: terms and definitions used to describe CS/IA measurement; standards, guidelines, and best practices for development and implem


Visible to the public NSA SVP Hard Problem Overview


Visible to the public Is Finding Security Holes a Good Idea?

A large amount of effort is expended every year on finding and patching security holes.  The underlying rationale for this activity is that it increases welfare by decreasing the number of vulnerabilities available for discovery and exploitation by bad guys, thus reducing the total cost of instrusions.  Given the amount of effort expended, we would expect to see noticeable results in terms of improved software quality. 


Visible to the public Measuring Security

This presentation was given at the 2008 Science of Security Workshop.  It addresses the following topics:

Is there a scientific way to measure security?

How should/do we measure security?