Enterprise Level Metrics

Background

Strong security metrics are required to make the right decisions about how to design security countermeasures, what security architectures to use, and how to improve security during design and operations of information technology infrastructure. In essence, metrics can be viewed as a decision aid. The lack of sound, practical security metrics is hampering progress both in the research and engineering of secure systems.

Technology Implementation

The U.S. Department of Homeland Security (DHS) seeks metrics that detail the costs and benefits of alternative approaches to securing systems. Ideally, the government wants to be able to select research and engineering activities that will reduce the most risks for the lowest cost.

DHS S&T is currently funding one project to address the lack of cyber security metrics. The Cyber Defense Agency is creating metrics that measure the risks associated with system missions. The metrics being developed will be quantitative, validated against known truths, accurately measured, affordable both in time and cost, repeatable independent of the performer, and scalable from small single computers to major national systems.

This effort combines two previously developed and tested methods to provide an integrated system of security metric quantification. The first, MIRROR, provides an overarching approach to security risk quantification that relies on probabilistic assessment of the security of the system itself. The second, Mobius, provides a probabilistic assessment.

Significant Impact

The project works to develop security metrics and the supporting tools and techniques to make them practical and useful as decision aids. Successfully developed metrics will allow network operators within the government and private industry to evaluate their current systems and establish the best way to diminish the risks to those systems.

See Chapter 2 of A Roadmap for Cybersecurity Research for further details on future R&D needs relating to Enterprise-Level Metrics.