The field of security metrology is early in its development. Organizations collect many individual measures, but often do not understand how to analyze those measures and combine them into higher-level metrics that can be used for decision-making. Many measures are also defined or implemented poorly, so that the data they generate is inaccurate, irrelevant, inconsistent, or misleading. Also, many measures have no meaning unless carefully considered within the context of other measures, but not much work has been done in identifying which measures relate to other measures. Little research has been performed to determine which measures and metrics are most relevant for determining a system's or organization's security posture, particularly studies of empirical data from real-world operational environments and analysis of the degree of variability between different organizations' security objectives. Examples of questions that cannot be answered in a scientific manner today are: How vulnerable is a particular system or a system design? What are the differences in security among multiple systems or networks within an organization? How does the security of one organization's systems and networks compare to those of another organization? If particular changes are made to security controls, how much does an individual system's security or the organization's security improve?
Our work will significantly improve the state of security metrology, improving the quantification of operational and technical security and increasing the ability to perform science for information security based on sound, consistent measures. This will initially impact all Federal agencies, and over time will also significantly impact state and local governments, private industry, and other organizations. Organizations will be able to make security decisions based on quantitative evidence, leading to more effective and efficient protection of systems and data, including better determination of an organization's current security posture.