Measuring Security
May/June 2011 (vol. 9 no. 3)
pp. 60-65
Sal Stolfo, Columbia University
Steven M. Bellovin, Columbia University
David Evans, University of Virginia
To become a legitimate science, computer security requires metrics. However, metrics are the one thing most lacking in our current understanding of computer security. Computer security metrics can be based on computational complexity or on economic or biological metaphors, or they can be empirical. Any successful metric must address multiple layers of security.

Index Terms:
computer security, cybersecurity metrics, defense in depth, intrusion detection systems, adversary models
Sal Stolfo, Steven M. Bellovin, David Evans, "Measuring Security," IEEE Security & Privacy, vol. 9, no. 3, pp. 60-65, May-June 2011, doi:10.1109/MSP.2011.56