More than 100 years ago, Lord Kelvin insightfully observed that measurement is vital to deep knowledge and understanding in physical science. During the last few decades, researchers have made various attempts to develop measures and systems of measurement for computer security with varying degrees of success. This paper provides an overview of the security metrics area and looks at possible avenues of research that could be pursued to advance the state of the art.
This Information Assurance Technology Analysis Center (IATAC) State of the Art Report (SOAR) provides a representative overview of the current state of the art of the measurement of cyber security and information assurance (CS/IA). It summarizes the progress made in the CS/IA measurement discipline and advances in CS/IA measurement research since 2000. Topics addressed include: terms and definitions used to describe CS/IA measurement; standards, guidelines, and best practices for development and implem
A large amount of effort is expended every year on finding and patching security holes. The underlying rationale for this activity is that it increases welfare by decreasing the number of vulnerabilities available for discovery and exploitation by bad guys, thus reducing the total cost of instrusions. Given the amount of effort expended, we would expect to see noticeable results in terms of improved software quality.
