A Unifying Theory of Security Metrics with Applications

A large number of measures have been proposed under the umbrella of "security metrics". Some of these measures are percentages, others are frequencies, numbers, monetary amounts or other units. This absence of a basic unit of measurement is aggravated by a general lack of theory and consistency in the field of security metrics. This paper tries to fill the void by proposing a unifying theory of security metrics. Towards this end, we define security metrics by the properties (validity, accuracy, and precision) they have to fulfill. We clearly differentiate security metrics from the related concepts of risk metrics, compliance metrics, and threat metrics. We further introduce a new classification scheme for security metrics, which helps us review the prior work and identify pitfalls that metrics authors should be aware of. Finally, we show how the theory developed in this paper can be applied to help managers make IT security decisions. Most importantly, the presented theory implies two novel rules for deciding how much money to spend on security and how to allocate this money among multiple systems.

By: Klaus Julisch

Published in: RZ3758 in 2009


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to reports@us.ibm.com .