Defining effective information security metrics has proven difficult, even though there is general agreement that such metrics could allow measurement of progress in security measures and, at a minimum, rough comparisons of security between systems. Metrics underlie and quantify progress in many other system security areas. As the saying goes, “You cannot manage what you cannot measure.” The lack of sound and practical security metrics is severely hampering progress both in research and engineering of secure systems. However, general community agreement on meaningful metrics has been hard to achieve. This is due in part to the rapid evolution of IT, as well as the shifting focus of adversarial action.
Overview
Enterprise-level security metrics address the security posture of an organization. Experts, such as system administrators, and non-technical users alike must be able to use an organization’s system while still maintaining security.
This project is developing security metrics, along with the supporting tools and techniques needed to make them practical and useful as decision aids. This will allow users to measure security without sacrificing usability, and to make informed decisions based on the threat to, and the cost for, the organization.
Contact
Email: SandT-Cyber-Liaison@HQ.DHS.GOV
Performers
Enterprise-Level Security Metrics
  Prime: George Mason University | Sub: Applied Visions; ProInfo
    Project: Metrics Suite for Enterprise-Level Attack Graph Analysis
  Prime: University of Illinois at Urbana-Champaign
    Project: A Tool for Compliance and Depth of Defense Metrics
Usable Security
  Prime: IBM Research
    Project: Usable Multi-Factor Authentication and Risk-Based Authorization
  Prime: Indiana University | Sub: USC Information Sciences Institute
    Project: CUTS: Coordinating User and Technical Security
  Prime: University of Houston
    Project: Continuous and Active Authentication for Mobile Devices Using Multiple Sensors