This paper begins with an introduction to security metrics, describing the need for security metrics, followed by a discussion of the nature of security metrics, including the challenges found with some security metrics used in the past. The paper then discusses what makes a good security metric and proposes a rigorous step-by-step method that can be applied to design good security metrics, and to test existing security metrics to see if they are good metrics. Application examples are included to illustrate the method.

Additional Metadata
Keywords: Designing, Good security metrics, Security metrics, Testing, Weaknesses
Persistent URL: dx.doi.org/10.1109/COMPSAC.2019.10270
Conference: 43rd IEEE Annual Computer Software and Applications Conference, COMPSAC 2019
Citation: Yee, G.O.M. (2019). Designing good security metrics. In Proceedings - International Computer Software and Applications Conference (pp. 580–585). doi:10.1109/COMPSAC.2019.10270