Computing Reviews

A survey on systems security metrics
Pendleton M., Garcia-Lebron R., Cho J., Xu S. ACM Computing Surveys 49(4): 1-35, 2017. Type: Article
Date Reviewed: 08/03/17

As information security becomes a mainstream discipline, discussed on primetime news and in cafes, among the first questions asked once the dust around the breach of the day settles are whether we are secure, and how we would measure whether we are secure.

These questions are raised increasingly in boardrooms and research groups alike, because to date there are no answers that satisfy either group. This paper is both a reminder of the various attempts made over the years to propose an approach and a proposal for a way forward. The authors propose a security metric framework, the dynamic systems security state, which at least in theory takes into account the aspects of information security measurement that make it such a hard problem.

Based primarily on three components, namely system vulnerabilities, attack (or threat) intensity, and the power of defense mechanisms, the paper offers ideas for quantifying security metrics through mathematical abstractions and functions.

Because this isn't a full thesis, the paper doesn't spend much time on practical use cases showing how the authors' approach could be applied end to end. It isn't short, however, on specific examples of how various existing metrics miss a key factor, the dynamic nature of the security state, and of why separating the actual security state from the state observed at a particular time (known versus unknown issues) is a critical consideration.

Multiple existing surveys and measurement proposals, dating back as far as 1981, are referenced, studied, and critiqued to help explain the proposed framework. The authors also clarify their scope and methodology, establishing the constraints under which the measurement techniques may be applied.

The key idea of the paper, categorizing possible attack-defense interactions into four submetrics (vulnerabilities, threats, controls, and context, that is, risk), seems to me a good approach for measuring security in specific cases, especially during the threat modeling phase of the security architecture process.

The paper concludes with ideas for future research directions that are worth exploring, because these questions aren't going away anytime soon. As information security matures as a science beyond audit checklists and point-in-time compliance certifications, work like this will play an important role in helping organizations make specific, measurable, achievable, relevant, and time-bound (SMART) decisions for protecting the digital ecosystem.

Reviewer:  Phoram Mehta Review #: CR145458 (1711-0763)
