Measuring Security

Sal Stolfo; Steven M. Bellovin; David Evans

doi:10.1109/MSP.2011.56

Security&Privacy
2011
Issue No. 3 - May/June
Abstract - Measuring Security

	This Article
	Subscribers, please Login Purchase article: $19 PDF HTML RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/EndNote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Sal Stolfo Articles by Steven M. Bellovin Articles by David Evans

Measuring Security

May/June 2011 (vol. 9 no. 3)

pp. 60-65

	ASCII Text	x
	Sal Stolfo, Steven M. Bellovin, David Evans, "Measuring Security," IEEE Security & Privacy, vol. 9, no. 3, pp. 60-65, May/June, 2011.

	BibTex	x
	@article{ 10.1109/MSP.2011.56, author = {Sal Stolfo and Steven M. Bellovin and David Evans}, title = {Measuring Security}, journal ={IEEE Security & Privacy}, volume = {9}, number = {3}, issn = {1540-7993}, year = {2011}, pages = {60-65}, doi = {http://doi.ieeecomputersociety.org/10.1109/MSP.2011.56}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - MGZN JO - IEEE Security & Privacy TI - Measuring Security IS - 3 SN - 1540-7993 SP60 EP65 EPD - 60-65 A1 - Sal Stolfo, A1 - Steven M. Bellovin, A1 - David Evans, PY - 2011 KW - computer security KW - cybersecurity metrics KW - defense in depth KW - intrusion detection systems KW - adversary models VL - 9 JA - IEEE Security & Privacy ER -

Sal Stolfo, Columbia University

Steven M. Bellovin, Columbia University

David Evans, University of Virginia

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2011.56

To become a legitimate science, computer security requires metrics. However, metrics are the one thing most lacking in our current understanding of computer security. Computer security metrics can be based on computational complexity or on economic or biological metaphors, or they can be empirical. Any successful metric must address multiple layers of security.

1. J.P. Degabriele, K.G. Paterson, and G.J. Watson, "Provable Security in the Real World," IEEE Security & Privacy, vol. 9, no. 3, 2011, pp. 33–41.
2. H. Shacham et al., "On the Effectiveness of Address-Space Randomization," Proc. 2004 ACM Conf. Computer and Communications Security (CCS 04), ACM Press, 2004, pp. 298–307.
3. A.N. Sovarel, D. Evans, and N. Paul, "Where's the FEEB? The Effectiveness of Instruction Set Randomization," Proc. 14th Usenix Security Symp., Usenix Assoc., 2005, pp. 145–160.
4. B. Cox et al., "N-Variant Systems: A Secretless Framework for Security through Diversity," Proc. 15th Usenix Security Symp., Usenix Assoc., 2006, pp. 105–120.
5. W. Lee et al., "Toward Cost-Sensitive Modeling for Intrusion Detection and Response," J. Computer Security, vol. 10, nos. 1–2, 2002; pp. 5–22.
6. Y. Song et al., "On the Infeasibility of Modeling Polymorphic Shellcode," Proc. 14th ACM Conf. Computer and Communications Security (CCS 07), ACM Press, 2007, pp. 541–551.
7. B.M. Bowen et al., "Baiting Inside Attackers Using Decoy Documents," Security and Privacy in Communication Networks, Springer, 2009, pp. 51–70.
8. F.B. Schneider, ed., Trust in Cyberspace, National Academy Press, 1999.
9. C.E. Landwehr et al., "A Taxonomy of Computer Program Security Flaws," Computing Surveys, vol. 26, no. 3, 1994, pp. 211–254.
10. S.M. Bellovin, "On the Brittleness of Software and the Infeasibility of Security Metrics," IEEE Security & Privacy, vol. 4, no. 4, 2006, p. 96.

Index Terms:

computer security, cybersecurity metrics, defense in depth, intrusion detection systems, adversary models

Citation:

Sal Stolfo, Steven M. Bellovin, David Evans, "Measuring Security," IEEE Security & Privacy, vol. 9, no. 3, pp. 60-65, May-June 2011, doi:10.1109/MSP.2011.56

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.