Taking the Measure of Cybersecurity
Abstract
In this presentation I will provide an overview of the meaning and purpose of measurement and how measurement can apply to cybersecurity. Measurement has a scientific definition and an engineering implementation but is used primarily to make economic decisions. Nonetheless, problems in measurement result from several causes, including the following: poorly defined concepts, ill-defined objectives, lack of context, failure to connect the measures to outcomes, and inattention to the quality aspect of the measure. These are especially problematic in cybersecurity because the relationship between measurements and outcomes can change for unexpected reasons. Many of these problems can be addressed using structured frameworks that recognize these sometimes-competing aspects of measurement. Some examples of measurements derived using disciplined frameworks will demonstrate how science supports engineering and both support economic decisions. The emphasis will be on metrics for making economic decisions. This presentation will conclude by noting that some emerging trends in software engineering, such as increased reliance upon automated tools, use of big data, cloud computing, and end-to-end digital engineering models, will profoundly influence future measurement. Each of these brings new challenges, but also promises more rigorous definition and documentation.
Document Details
- Document Type: Technical Report
- Publication Date: Nov 22, 2022
- Accession Number: AD1187379
Entities
People
- William R. Nichols
Organizations
- Carnegie Mellon University