Paul E. Black, Karen Scarfone, and Murugiah Souppaya, Cyber Security Metrics and Measures, in Wiley Handbook of Science and Technology for Homeland Security, John Voeller ed.-in-chief, John Wiley & Sons, Inc., (on-line) Feb 2009.

    Metrics are tools to facilitate decision making and improve performance and accountability. Measures are quantifiable, observable, and objective data supporting metrics. Operators can use metrics to apply corrective actions and improve performance. Regulatory, financial, and organizational factors drive the requirement to measure IT security performance. Potential security metrics cover a broad range of measurable features, from security audit logs of individual systems to the number of systems within an organization that were tested over the course of a year. Effective security metrics should be used to identify weaknesses, determine trends to better utilize security resources, and judge the success of failure of implemented security solutions.

Get a proof of the chapter in PDF (150k).

This page's URL is /~black/Papers/cyberSecurityMetrics2007.html

Updated Fri Dec 16 12:49:03 2011

by Paul E. Black  (

Go to Black's papers or NIST home page.