This paper begins with an introduction to security metrics, describing the need for security metrics, followed by a discussion of the nature of security metrics, including the challenges found with some security metrics used in the past. The paper then discusses what makes a good security metric and proposes a rigorous step-by-step method that can be applied to design good security metrics, and to test existing security metrics to see if they are good metrics. Application examples are included to illustrate the method.

Designing, Good security metrics, Security metrics, Testing, Weaknesses
dx.doi.org/10.1109/COMPSAC.2019.10270
43rd IEEE Annual Computer Software and Applications Conference, COMPSAC 2019
Department of Systems and Computer Engineering

Yee, G.O.M. (2019). Designing good security metrics. In Proceedings - International Computer Software and Applications Conference (pp. 580–585). doi:10.1109/COMPSAC.2019.10270