Security Metrics Foundations for Computer Security

Security has been among top priority in computer information systems for more than a decade. Despite the importance of this area, it is interesting to note that the area still lacks (completeness of) one of its basic elements of scientific arsenal, which is metric. This paper therefore presents the situation in this field by giving an analysis of existing metrics that could serve the above-mentioned purpose. Further, it presents a generic risk management model, and gives an analysis of possibilities for application of these existing metrics to the model. It also introduces new metric elements, where these are lacking. As a result, means are provided that enable evaluation of security in information technology systems in a tangible way. Such an approach is essential for every organization in business areas ranging from economical justifications for new security implementations to customized security services with appropriate service costs calculations, and even development of new business models.