There are three approaches to security metrics: qualitative, quantitative, and hybrid.
A qualitative approach is one where security is measured on a sliding scale from SECURE to INSECURE. Various levels or shades of security (or insecurity) can be determined as a measure against some stated policy. A grid/matrix of values can then be designed so that an aggregate can be obtained for the overall security/insecurity of an enterprise.
A quantitative approach is one where security is measured as a numerical value, grounded in a mathematical formulation; typically it is based on a priori knowledge of some known/measured occurrence or inferred expectation of security/insecurity, and/or on inherent characteristics of the entity (or object) in question. For an enterprise, a grid/matrix of values can be developed for its entities, and that matrix provides the basis for aggregation to determine the actual (true) security/insecurity of the overall system in a consistent manner acceptable to a collective of experts.
A hybrid approach is a middle ground where a combination of qualitative and quantitative values is used.
All approaches derive their motivation from the likelihood of a threat to the system occurring and the cost or consequence of that occurrence. Since security is a state of being determined largely by the nature of the vulnerability, the scope of exposure and the expectation of exploitation, security and risk can be construed as directly correlated. Risk can indeed be used as a basis for security measurement. We know that, generally,
Risk = Exposure to threats
Risk = Probability of a bad event occurring × Impact of the event (often expressed in terms of value)
Note that the probability of occurrence is the a priori chance of a system vulnerability being exploited.
Value (asset value) could be tangible or intangible, depending on the nature of the enterprise (or system under consideration). However, for a fully quantitative security metric, it is desirable to develop a valuation mechanism for converting intangible asset value into an acceptable tangible cost that can then be used in the evaluation of the associated risks.
For a qualitative metric, it is acceptable to use comparative asset values such as high, medium, or low. However, to compute effective risk to the overall system, it is essential that asset valuation for intangible assets be done in conjunction with a respected independent observer (evaluator/auditor) to minimize the impact of bias.
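A worked illustration of the three approaches on a small asset inventory, added here as an example and not part of the original post; the ordinal thresholds, the intangible-to-cost valuation table and the sample assets are constructed assumptions, not figures from the text:

```python
from dataclasses import dataclass
from typing import Optional

# Ordinal scale for the qualitative grid (constructed scale).
LEVEL_SCORE = {"low": 1, "medium": 2, "high": 3}
# Hybrid valuation mechanism: comparative rating -> tangible cost (assumed figures).
INTANGIBLE_COST = {"low": 10_000.0, "medium": 100_000.0, "high": 1_000_000.0}


@dataclass
class Asset:
    name: str
    p_exploit: float                  # a priori probability the vulnerability is exploited
    value: Optional[float] = None     # tangible asset value, when one is known
    intangible: Optional[str] = None  # comparative rating when the value is intangible


def tangible_value(asset: Asset) -> float:
    """Convert an intangible rating into cost so it can enter the quantitative formula."""
    if asset.value is not None:
        return asset.value
    if asset.intangible is None:
        raise ValueError(f"{asset.name}: no valuation available")
    return INTANGIBLE_COST[asset.intangible]


def quantitative_risk(asset: Asset) -> float:
    """Risk = probability of the bad event x impact (expressed as value)."""
    return asset.p_exploit * tangible_value(asset)


def likelihood_level(p: float) -> str:
    return "high" if p >= 0.25 else "medium" if p >= 0.1 else "low"


def impact_level(value: float) -> str:
    return "high" if value >= 500_000 else "medium" if value >= 50_000 else "low"


def qualitative_risk(asset: Asset) -> str:
    """Grid lookup: combine the two ordinal levels into a single risk rating."""
    score = LEVEL_SCORE[likelihood_level(asset.p_exploit)]
    score *= LEVEL_SCORE[impact_level(tangible_value(asset))]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def enterprise_risk(assets):
    """Aggregate: expected annual loss (quantitative) and worst rating (qualitative)."""
    total = sum(quantitative_risk(a) for a in assets)
    worst = max((qualitative_risk(a) for a in assets), key=LEVEL_SCORE.__getitem__)
    return total, worst


# Constructed sample inventory for the example.
ASSETS = [
    Asset("customer database", p_exploit=0.2, value=500_000.0),
    Asset("brand reputation", p_exploit=0.05, intangible="high"),
    Asset("internal wiki", p_exploit=0.3, value=20_000.0),
]
```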