NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Evidence-Based, Good Enough, and Open

Published

Author(s)

Karen A. Scarfone

Abstract

One of the holy grail questions in computer security is how secure are my organization systems? This paper describes our new approach to answering this question. This approach is distinguished from previous efforts in three ways: 1) uses evidence-based security decision-making, 2) produces good enough answers, and 3) relies on open specifications and standards.
Conference Dates
July 29, 2008
Conference Location
San Jose, CA
Conference Title
Third Workshop on Security Metrics
Pub Type
Conferences

Download Paper

Local Download

Keywords

Risk assessment, Security Content Automation Protocol (SCAP), security metrology, technical security metrics
Cybersecurity and privacy

Citation

Scarfone, K. (2008), Evidence-Based, Good Enough, and Open, Third Workshop on Security Metrics, San Jose, CA, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=890007 (Accessed October 16, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created August 4, 2008, Updated February 19, 2017
Was this page helpful?