Continuous Security Metrics for Prevalent Network Threats: Introduction and First Four Metrics

Lexington Massachusetts This page intentionally left blank. EXECUTIVE SUMMARY The goal of this work is to introduce meaningful security metrics that motivate eective improvements in network security. We present a methodology for directly deriving security metrics from realistic mathematical models of adversarial behaviors and systems and also a maturity model to guide the adoption and use of these metrics. Four security metrics are described that assess the risk from prevalent network threats. These can be computed automatically and continuously on a network to assess the eectiveness of controls. Each new metric directly assesses the eect of controls that mitigate vulnerabilities, continuously estimates the risk from one adversary, and provides direct insight into what changes must be made to improve security. Details of an explicit maturity model are provided for each metric that guide security practitioners through three stages where they (1) Develop foundational understanding, tools and procedures, (2) Make accurate and timely measurements that cover all relevant network components and specify security conditions to test, and (3) Perform continuous risk assessments and network improvements. Metrics are designed to address specic threats, maintain practicality and simplicity, and motivate risk reduction. These initial four metrics and additional ones we are developing should be added incrementally to a network to gradually improve overall security as scores drop to acceptable levels and the risks from associated cyber threats are mitigated. iii This page intentionally left blank. ACKNOWLEDGMENT We would like to thank George Moore from the Department of State for his consistently insightful and cogent remarks. v This page intentionally left blank.