Abstract

The field of Internet security metrology is early in its development. Organizations collect many individual measures, but often do not understand how to analyze those measures and combine them into higher-level metrics that can be used for decision making. Many measures are also defined or implemented poorly, so that the data they generate is inaccurate, irrelevant, inconsistent, or misleading. Also, many measures have no meaning unless they are carefully considered within the context of other measures, but not much work has been done to identify which measures relate to which others. Little research has been performed to determine which measures and metrics are most relevant for determining a system's or an organization's Internet security posture; in particular, there are few studies of empirical data from real-world operational environments and few analyses of the degree to which security objectives vary between organizations. Examples of questions that this chapter will attempt to answer in a scientific manner are: How vulnerable is a particular system or system design? What are the differences in Internet security among multiple systems or networks within an organization? How does the Internet security of one organization's systems and networks compare to that of another organization? If particular changes are made to Internet security controls, how much does an individual system's security or the organization's security improve?
