Security Metrics

At a high level, metrics are quantifiable measurements of some aspect of a system or enterprise. For any entity (a system, a product, or something else) for which security is a meaningful concept, there is a set of identifiable attributes that together characterize the security of that entity. A security metric (or a combination of security metrics) is a quantitative measure of how much of such an attribute the entity possesses. A security metric can be built up from lower-level physical measures.

Security metrics focus on the actions organizations take (and the results of those actions) to reduce and manage the risks of loss of reputation, theft of information or money, and business disruption that arise when security defenses are breached. They are useful to senior management, decision makers, users, administrators, and other stakeholders who face a difficult and complex set of questions about security, such as:

  • How much money/resources should be spent on security?
  • Which system components or other aspects should be targeted first?
  • How can the system be effectively configured?
  • How much improvement is gained by security expenditures, including improvements to security processes?
  • How do we measure the improvements?
  • Are we reducing our exposure?
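The last two questions are only answerable if a metric is actually derived from lower-level measurements. The following Python is an added worked example (not code from the original page or from the SSE-CMM) that builds three such metrics from per-finding records of the kind a vulnerability scanner or ticketing system exports. The finding records, the reporting dates, and the per-severity remediation SLAs are constructed and assumed for illustration.

```python
"""Added example: deriving security metrics from lower-level measurements.

Illustrative code, not part of the SSE-CMM or of the original page.
The finding records, reporting dates and SLA values below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional

# Assumed remediation SLAs in days, by severity (not taken from the page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed end-of-period reporting dates used to compare two periods.
PERIOD_END_JAN = date(2024, 1, 31)
PERIOD_END_FEB = date(2024, 2, 29)


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str
    found: date
    fixed: Optional[date]  # None while the finding is still open


# Constructed sample data standing in for a scanner / ticket export.
# These per-finding records are the "lower-level measures".
FINDINGS = [
    Finding("web-01", "critical", date(2024, 1, 3), date(2024, 1, 8)),
    Finding("web-02", "critical", date(2024, 1, 10), date(2024, 1, 30)),
    Finding("db-01", "high", date(2024, 1, 5), date(2024, 2, 1)),
    Finding("db-01", "medium", date(2024, 1, 20), None),
    Finding("app-03", "high", date(2024, 2, 2), None),
    Finding("app-03", "critical", date(2024, 2, 15), date(2024, 2, 18)),
]


def days_open(f: Finding, as_of: date) -> int:
    """Age of a finding as seen on the reporting date: closed findings count
    up to their fix date, findings still open on as_of count up to as_of."""
    end = f.fixed if (f.fixed is not None and f.fixed <= as_of) else as_of
    return (end - f.found).days


def mean_time_to_remediate(findings: Iterable[Finding], as_of: date) -> Optional[float]:
    """Mean days from discovery to fix over findings closed on or before as_of.
    Returns None when nothing has been closed yet (no silent zero)."""
    closed = [days_open(f, as_of) for f in findings
              if f.fixed is not None and f.fixed <= as_of]
    return sum(closed) / len(closed) if closed else None


def sla_compliance(findings: Iterable[Finding], as_of: date) -> float:
    """Fraction of findings known by as_of that are within SLA: closed inside
    the window, or still open but not yet past it."""
    known = [f for f in findings if f.found <= as_of]
    if not known:
        return 1.0
    ok = sum(1 for f in known if days_open(f, as_of) <= SLA_DAYS[f.severity])
    return ok / len(known)


def open_exposure_days(findings: Iterable[Finding], as_of: date) -> int:
    """Total days of exposure carried by findings still open on as_of."""
    return sum(days_open(f, as_of) for f in findings
               if f.found <= as_of and (f.fixed is None or f.fixed > as_of))


def report(findings: Iterable[Finding], as_of: date) -> Dict[str, Optional[float]]:
    """One period's metrics; compare two reports to see the trend."""
    fs = list(findings)
    return {
        "mttr_days": mean_time_to_remediate(fs, as_of),
        "sla_compliance": sla_compliance(fs, as_of),
        "open_exposure_days": open_exposure_days(fs, as_of),
    }


if __name__ == "__main__":
    for period_end in (PERIOD_END_JAN, PERIOD_END_FEB):
        print(period_end, report(FINDINGS, period_end))
```

On the constructed data, SLA compliance improves between the two reporting dates while open exposure-days rise, because new findings were discovered faster than old ones were closed. The point for a metrics program is that a single favorable number can mask a worsening position; pairing a rate-style metric with a stock-style one (here compliance alongside accumulated exposure) gives the stakeholder a less misleading answer to "are we reducing our exposure?".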

    Metrics and the SSE-CMM

    With regard to the use of the SSE-CMM, the following types of metrics are being identified and studied:

    Process Metrics - Specific metrics that could serve as quantitative or qualitative evidence of the level of maturity for a particular SSE-CMM process area or could serve as a binary indication of the presence or absence of a mature process.

    Security Metrics - A measurable attribute of the result of an SSE-CMM security engineering process, that could serve as evidence of its effectiveness. A security metric may be objective or subjective, and quantitative or qualitative.

    The first type of metric provides information about the processes themselves. The second type provides information on the results of those processes, and on what those results tell the stakeholder about how effective the use of the processes has been in achieving an acceptable security outcome. Organizations use these two categories to tailor their own metrics program and measure progress against their security objectives. Accompanying guidance is also being provided.