Defining effective information security metrics has proven difficult, even though there is general agreement that such metrics could allow measurement of progress in security measures and, at a minimum, rough comparisons of security between systems. Metrics underlie and quantify progress in many other system security areas. As the saying goes, “You cannot manage what you cannot measure.” The lack of sound and practical security metrics is severely hampering progress both in research and engineering of secure systems. However, general community agreement on meaningful metrics has been hard to achieve. This is due in part to the rapid evolution of IT, as well as the shifting focus of adversarial action.

Overview

Enterprise-level security metrics address the security posture of an organization. Experts, such as system administrators, and non-technical users alike must be able to use an organization’s system while still maintaining security.

This project is developing security metrics and the supporting tools and techniques to make them practical and useful as decision aids. This will allow the user to measure security while achieving usability and make informed decisions based on threat and cost to the organization.

Contact

Program Manager: Greg Wigton

Email: SandT-Cyber-Liaison@HQ.DHS.GOV

Performers

Enterprise-Level Security Metrics

Prime: George Mason University | Sub: Applied Visionis; ProInfo

Metrics Suite for Enterprise-Level Attack Graph Analysis

Prime: University of Illinois at Urbana-Champaign

A Tool for Compliance and Depth of Defense Metrics

Usable Security

Prime: IBM Research

Usable Multi-Factor Authentication and Risk-Based Authorization

Prime: Indiana University | Sub: USC Information Sciences Institute

CUTS: Coordinating User and Technical Security

Prime: University of Houston

Continuous and Active Authentication for Mobile Devices Using Multiple Sensors