Enterprise networks have become essential to the operation of companies, laboratories, universities, and government agencies. As they continue to grow in both size and complexity, their security has become a critical concern. Vulnerabilities are regularly discovered in software applications, and these vulnerabilities are exploited to stage cyber attacks. There is no objective way to measure the security of an enterprise network. As a result, it is difficult to answer such objective questions as "are we more secure than yesterday?", "how should we invest our limited resources to improve security?", or "how does this vulnerability impact the overall security of my system?". By increasing security spending, an organization can decrease the risk associated with security breaches. However, to do this tradeoff analysis, there is a need for quantitative models of security instead of the current qualitative models. The objective of our research is to develop models and metrics that can be used to objectively assess the security of an enterprise network.
For more information regarding the Techniques for Security Risk Analysis of Enterprise Networks (Renamed: Measuring Security Risk in Enterprise Networks), please visit the Computer Security Resource Center (CSRC).