A Framework for Security Metrics Based on Operational System Attributes
Paper in proceedings, 2011
A large number of suggestions exist for how to measure security, and in many cases the goal is to find a single overall metric of security. Given that security is a complex and multi-faceted property, we believe that there are fundamental problems in finding such an overall metric. Thus, we suggest a framework for security metrics that is based on a number of system attributes taken from the security and the dependability disciplines. We then regroup those attributes according to an existing conceptual system model and propose a metrication framework in accordance with it. We suggest that there should be metrics related to protective attributes, to behavioural attributes and possibly to system correctness. Thus, the main idea is that security metrication should be split up and related to a number of specific attributes, and that a composite security metric is hard to define.