A Survey on Security Metrics
This survey addresses the open problem of security metrics for academia, government, and industry, but it is incremental as it reviews existing literature without new experimental results.
The paper presents a survey on security metrics, introducing a novel taxonomy that classifies metrics into four categories based on vulnerabilities, defenses, threats, and situations, and discusses gaps between current research and ultimate goals.
The importance of security metrics can hardly be overstated. Despite the attention that has been paid by the academia, government and industry in the past decades, this important problem stubbornly remains open. In this survey, we present a survey of knowledge on security metrics. The survey is centered on a novel taxonomy, which classifies security metrics into four categories: metrics for measuring the system vulnerabilities, metrics for measuring the defenses, metrics for measuring the threats, and metrics for measuring the situations. The insight underlying the taxonomy is that situations (or outcomes of cyber attack-defense interactions) are caused by certain threats (or attacks) against systems that have certain vulnerabilities (including human factors) and employ certain defenses. In addition to systematically reviewing the security metrics that have been proposed in the literature, we discuss the gaps between the state of the art and the ultimate goals.