DocumentCode :
3506676
Title :
A framework for security metrics based on operational system attributes
Author :
Jonsson, E. ; Pirzadeh, L.
Author_Institution :
Dept. of Comput. Sci. & Eng., Chalmers Univ. of Technol., Goteborg, Sweden
fYear :
2011
fDate :
21-21 Sept. 2011
Firstpage :
58
Lastpage :
65
Abstract :
There exists a large number of suggestions for how to measure security, with different goals and objectives. The application areas range from business management and organizational systems to large software systems. The approaches may be theoretical, technical, administrative or practical. In many cases the goal is to find a single overall metric of security. Given that security is a complex and multi-faceted property, we believe that there are fundamental problems to find such an overall metric. Thus, we suggest a framework for security metrics that is based on a number of system attributes taken from the security and the dependability disciplines. We start out from the traditional decomposition of security into three main aspects ("CIA") and include a set of dependability attributes. The reason for this is that security and dependability largely reflect the same basic system feature and are partly overlapping. We then regroup those attributes according to an existing conceptual system model and propose metrication methods in accordance. We suggest that there should be metrics related to protective attributes, to behavioural attributes and to system correctness. We also discuss the relation between these types of metrics. We are convinced that this approach will facilitate making quantitative assessment of the concept of combined security and dependability and that it would also improve our understanding of these important system properties.
Keywords :
organisational aspects; security of data; software metrics; behavioural attributes; business management; conceptual system model; dependability attributes; metrication methods; operational system attributes; organizational systems; quantitative assessment; security metrics; software systems; Availability; Conferences; Measurement; NIST; Safety; Security; behavioural metrics; effort-based metrics; modelling; operational security; security metrics;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Security Measurements and Metrics (Metrisec), 2011 Third International Workshop on
Conference_Location :
Banff, AB
Print_ISBN :
978-1-4673-1245-5
Type :
conf
DOI :
10.1109/Metrisec.2011.19
Filename :
6165764