What are the classification of security metrics?

Security metrics are used to assess the security level of a system and to check that security objectives are met. Many security metrics exist for security analysis, but there is no systematic description of security metrics based on network reachability information. To address this, a systematic classification of existing security metrics based on network reachability information is proposed. Broadly, security metrics can be classified into host-based and network-based metrics.

Host-based metrics are divided into metrics without probability values and metrics with probability values, while network-based metrics are divided into path-based and non-path-based metrics.

The classification of security metrics is as follows −

  • Host-based Security Metrics − Host-level metrics quantify the security level of a single host in a network. They can be classified into two types: metrics without probability values and metrics with probability values. The reasons for this classification are −

    • Sometimes it is infeasible to discover a probability value for an attack.

    • Some analysis and optimisation can be completed with or without probability assignments.

    • Metrics without probability values − These metrics can be summarised without assigning probabilities. Instances of metrics without probability values are attack impact, attack cost, fundamental essential measures, min-cut analysis, mean-time-to-compromise (MTTC), mean-time-to-recovery (MTTR), etc.

    • Metrics with probability values − Conversely, security metrics with probability values include probabilistic security metrics, Common Vulnerability Scoring System (CVSS) metrics, etc. An attack graph (AG) is a directed acyclic graph that captures the possible ways an attacker can reach a target vulnerability.

  • Network-based Security Metrics − This category of metrics uses the structure of a network to aggregate the security properties of the network. These metrics can be classified into two types: path-based and non-path-based metrics.

    • Non-path-based metrics − Non-path-based metrics do not consider individual attack paths through the network; instead, the security of a network is quantified with respect to the network structure and its attributes. An instance of this type of metric is the Network Compromise Percentage (NCP) metric.

      This metric denotes the percentage of network assets an attacker can compromise. The objective of the NCP metric is to minimise this percentage. Another example is the set of vulnerabilities that an attacker can use as entry points into a network.

      For example, web services running on a host can be the first targets for an attacker to compromise. The weakest adversary (WA) metric is also a network-based metric that can be used to assess the security of a network. In the WA metric, a network configuration that is only vulnerable to a powerful set of initial attacker attributes is defined as more secure than a network configuration that is vulnerable to a weaker set of initial attacker attributes.

    • Path-based metrics − Path-based metrics use the reachability data of a network (for example, reachability among hosts, the shortest path from a host X to a host Y, etc.) to quantify the security level of the network.
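As an added example (not part of the original page), the following Python computes two of the metrics named above on a small constructed attack graph: the Network Compromise Percentage from an entry point (non-path-based) and the cheapest attack path from one host to another (path-based). The host names and the per-edge attack costs are assumptions made for the illustration.

```python
from collections import deque
import heapq

# Constructed sample: a directed reachability graph. An edge A -> B means an
# attacker who controls A can reach and exploit B; the weight is an assumed attack cost.
ATTACK_GRAPH = {
    "internet": {"web": 1},
    "web": {"app": 3, "db": 8},
    "app": {"db": 2, "fileserver": 4},
    "db": {},
    "fileserver": {},
    "hr_pc": {"fileserver": 1},  # internal host, not reachable from the internet
}
ASSETS = ["web", "app", "db", "fileserver", "hr_pc"]  # everything but the attacker's origin

def reachable(graph, source):
    """Hosts an attacker starting at `source` can compromise (breadth-first search)."""
    seen, queue = {source}, deque([source])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def network_compromise_percentage(graph, entry, assets):
    """Non-path-based metric (NCP): percentage of assets compromisable from `entry`."""
    owned = reachable(graph, entry) & set(assets)
    return 100.0 * len(owned) / len(assets)

def cheapest_attack_path(graph, source, target):
    """Path-based metric: minimum total attack cost from `source` to `target`
    (Dijkstra). Returns (cost, path), or (None, []) if the target is unreachable."""
    best, prev, heap = {source: 0}, {}, [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == target:  # reconstruct the path back to the source
            path = [node]
            while path[-1] != source:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if cost > best[node]:
            continue  # stale heap entry
        for nxt, weight in graph[node].items():
            if cost + weight < best.get(nxt, float("inf")):
                best[nxt] = cost + weight
                prev[nxt] = node
                heapq.heappush(heap, (cost + weight, nxt))
    return None, []
```

For the constructed graph, the NCP from the internet is 80% (hr_pc is unreachable), and the cheapest path to db costs 6 via web and app rather than 9 via the direct web-to-db edge.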