Metrics of Security



Yi Cheng, Julia Deng, Jason Li, Scott DeLoach, Anoop Singhal, Xinming Ou


Discussion of challenges and ways of improving Cyber Situational Awareness dominated our previous chapters. However, we have not yet touched on how to quantify any improvement we might achieve. Indeed, to get an accurate assessment of network security and provide sufficient Cyber Situational Awareness (CSA), simple but meaningful metrics--the focus of the Metrics of Security chapter--are necessary. The adage, "what can't be measured can't be effectively managed," applies here. Without good metrics and the corresponding evaluation methods, security analysts and network operators cannot accurately evaluate and measure the security status of their networks and the success of their operations. In particular, this chapter explores two distinct issues: (i) how to define and use metrics as quantitative characteristics to represent the security state of a network, and (ii) how to define and use metrics to measure CSA from a defender's point of view.
Cyber Defense and Situational Awareness
Publisher Info
Springer, Dusseldorf, -1


attack graphs, risk mitigation, security metrics, vulnerability analysis


Cheng, Y., Deng, J., Li, J., DeLoach, S., Singhal, A. and Ou, X. (2014), Metrics of Security, Cyber Defense and Situational Awareness, Springer, Dusseldorf, -1, [online], (Accessed June 12, 2024)


Created December 14, 2014, Updated October 12, 2021