Security as a theoretical attribute construct

This paper provides an overview of the field of security metrics and discusses results of a survey of security experts on the topic. It describes a new framework for developing security metrics that focuses on effectiveness measures while maintaining measures of correctness. It introduces a view of security as a theoretical concept which encapsulates multiple aspects of a system. Viewing security as a theoretical attribute construct promotes the recognition that multiple characteristics and features of a system are required to make it secure. The view also motivates a sharp focus on system aspects which exhibit a measurable security attribute. The framework is illustrated with a case study.