Title :
The Good, the Bad, And the Ugly: Stepping on the Security Scale
Author :
Davidson, Mary Ann
Author_Institution :
Oracle Corp., Redwood Shores, CA, USA
Abstract :
Metrics are both fashionable and timely: many regulations that affect cybersecurity rely upon metrics - albeit, in many cases, of the checklist variety - to ascertain compliance. However, there are far more effective uses of security metrics than external compliance exercises. The most effective use of security metrics is to manage better, which may include: 1. Make a business case for needed change; 2. Focus scarce resources on the most pressing problems (those with the biggest payoff for resolution); 3. Help spot problems early - or successes early; and 4. Address "outside" concerns or criticisms fairly and objectively. A successful security metric should: 1. Motivate good/correct behavior (not promote evasive tactics just to make the numbers look good); 2. Prompt additional questions ("Why?" "How?") to understand what is influencing the numbers; 3. Answer basic questions of goodness (e.g., "Are we doing better or worse?"); and 4. Be objective and measurable, even if correlation may not equal causality. This paper explores the qualities of good security metrics and their application in security vulnerability handling as well as in a software assurance program.
Keywords :
security of data; cybersecurity; security metric; security scale; security vulnerability handling; software assurance program; Application software; Cities and towns; Computer security; Conference management; Information management; Information security; Information technology; Protection; US Government; Vehicles; security metrics; software assurance; vulnerability handling;
Conference_Titel :
Computer Security Applications Conference, 2009. ACSAC '09. Annual
Conference_Location :
Honolulu, HI
Print_ISBN :
978-0-7695-3919-5
DOI :
10.1109/ACSAC.2009.59