Metrics

# ID PAPER TAXONOMY LEVEL 0 LEVEL 1 LEVEL 2 LEVEL 3 LEVEL 4 METRIC KEY WORD DEFINITION SCALE SCOPE AUTOMATION MEASUREMENT WHAT? USABLE REASON          
1 2   YES Vulnerability metrics Measuring User Vulnerabilities Phishing Susceptibility - - False positives (FP) USER Percentage of flagging genuine email as phishing email RATIO USER   DYNAMIC - NO Phishing affects only people. It exploits a user vulnerability. This evaluates the user, not the device       * This information was induced by me
2 2   YES Vulnerability metrics Measuring User Vulnerabilities Phishing Susceptibility - - False negatives (FN) USER Percentage of detecting a phishing email as a genuine email RATIO USER   DYNAMIC - NO Phishing affects only people. It exploits a user vulnerability. This evaluates the user, not the device       HW + SW DEVICE
3 2   YES Vulnerability metrics Measuring User Vulnerabilities Malware Susceptibility - - User’s online behavior USER   RATIO USER   DYNAMIC - NO Phishing affects only people. It exploits a user vulnerability. This evaluates the user, not the device. This is only a suggestion. Not defined          
4 2   YES Vulnerability metrics Measuring User Vulnerabilities Malware Susceptibility - - Users’ susceptibility to attacks USER   RATIO USER   UNKNOWN - NO This evaluates the user, not the device. This is only a suggestion. Not defined          
5 2   YES Vulnerability metrics Measuring User Vulnerabilities Password Vulnerabilities - - Entropy PASSWORD     USER AUTOMATIC STATIC - YES This could be used with keys instead of passwords to measure randomness          
6 2   YES Vulnerability metrics Measuring User Vulnerabilities Password Vulnerabilities - - Password guessability (statistical / parameterized) PASSWORD This metric measures the guessability of a set of passwords (rather than for individual passwords) by an “idealized” attacker with the assumption of a perfect guess / This metric measures the number of guesses an attacker needs to make via a particular cracking algorithm (i.e., a particular threat model) before recovering a particular password and training data. Different password cracking algorithms leads to different results RATIO BSOLUTE USER AUTOMATIC STATIC - NO Passwords are for people. Devices use keys (that are much more larger)          
7 2   YES Vulnerability metrics Measuring User Vulnerabilities Password Vulnerabilities - - Password strength meter PASSWORD This metric measures the password strength via an estimated effort to guess the password, while considering factors such as the character set (e.g., special symbols are required or not), password length, whitespace permissibility, password entropy, and blacklisted passwords being prevented or not. One variant metric is adaptive password strength, which is used to improve the accuracy of strength estimation ORDINAL USER AUTOMATIC STATIC - NO Passwords are for people. Devices use keys (that are much more larger)          
8 2   YES Vulnerability metrics Measuring Interface-Induced Vulnerabilities - - - Attack surface SURFACE It aim to measure the ways by which an attacker can compromise a targeted software ABSOLUTE DEVICE   STATIC DEVICE YES            
9 2   YES Vulnerability metrics Measuring Software Vulnerabilities Temporal Attributes of Vulnerabilities Evolution of vulnerabilities - Historical vulnerability metric VULNERABILITY It measures the degree that a system is vulnerable (i.e., frequency of vulnerabilities) in the past RATIO BSOLUTE ISTRIBUTION DEVICE   STATIC   YES This could be part of a checklist of task, to check if there is any vulnerability that affects the device          
10 2   YES Vulnerability metrics Measuring Software Vulnerabilities Temporal Attributes of Vulnerabilities Evolution of vulnerabilities - Historically exploited vulnerability metric VULNERABILITY It measures the number of vulnerabilities exploited in the past RATIO BSOLUTE ISTRIBUTION DEVICE   STATIC   YES This could be part of a checklist of task, to check if there is any vulnerability that affects the device          
11 2   YES Vulnerability metrics Measuring Software Vulnerabilities Temporal Attributes of Vulnerabilities Evolution of vulnerabilities - Future vulnerability metric VULNERABILITY It measures the number of vulnerabilities that will be discovered during a future period of time RATIO BSOLUTE ISTRIBUTION DEVICE   STATIC   NO If this has to do with statistic and probabilities, I think it is better not to use it          
12 2   YES Vulnerability metrics Measuring Software Vulnerabilities Temporal Attributes of Vulnerabilities Evolution of vulnerabilities - Future exploited vulnerability metric VULNERABILITY It measures the number of vulnerabilities that will be exploited during a future period of time RATIO BSOLUTE ISTRIBUTION DEVICE   STATIC   NO If this has to do with statistic and probabilities, I think it is better not to use it          
13 2   YES Vulnerability metrics Measuring Software Vulnerabilities Temporal Attributes of Vulnerabilities Evolution of vulnerabilities - Tendency-to-be-exploited metric   It measures the tendency that a vulnerability may be exploited, where the “tendency” may be derived from information sources such as posts on Twitter before vulnerability disclosures RATIO BSOLUTE ISTRIBUTION DEVICE   STATIC   ¿? This research work might not be part of a security evaluation, but could be applied if so          
14 2   YES Vulnerability metrics Measuring Software Vulnerabilities Temporal Attributes of Vulnerabilities Vulnerability lifetime - Vulnerability lifetime VULNERABILITY Client-end vulnerabilities Server-end vulnerabilities Cloud-end vulnerabilities ABSOLUTE NETWORK   STATIC   NO Clearly related to nerworks          
15 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of Individual Software Vulnerabilities CVSS Base Exploitability Metrics Attack vector   Describes whether a vulnerability can be exploited remotely, adjacently, locally, or physically (i.e., attacker must have physical access to the computer) NOMINAL SOFTWARE   STATIC   YES For calculating new vulnerabilities, or to know each dimension of known vulnerabilities          
16 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of Individual Software Vulnerabilities CVSS Base Exploitability Metrics Attack complexity   Describes the conditions that must hold before an attacker can exploit the vulnerability, such as low or high ORDINA SOFTWARE   STATIC   YES For calculating new vulnerabilities, or to know each dimension of known vulnerabilities          
17 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of Individual Software Vulnerabilities CVSS Base Exploitability Metrics Privilege required   Describes the level of privileges that an attacker must have in order to exploit a vulnerability, such as none, low, or high ORDINAL SOFTWARE   STATIC   YES For calculating new vulnerabilities, or to know each dimension of known vulnerabilities          
18 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of Individual Software Vulnerabilities CVSS Base Exploitability Metrics User interaction   Describes whether the exploitation of a vulnerability requires the participation of a user (other than the attacker), such as none or required NOMINAL SOFTWARE   STATIC   YES For calculating new vulnerabilities, or to know each dimension of known vulnerabilities          
19 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of Individual Software Vulnerabilities CVSS Base Exploitability Metrics Authorization scope   Describes whether or not a vulnerability has an impact on resources beyond its privileges (e.g., sandbox or virtual machine), such as unchanged or changed NOMINAL SOFTWARE   STATIC   YES For calculating new vulnerabilities, or to know each dimension of known vulnerabilities          
20 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of Individual Software Vulnerabilities CVSS Base Impact Metrics Confidentiality impact CONFIDENTIALITY The impact of a successful exploitation of a vulnerability in terms of confidentiality such as none, low, high ORDINAL SOFTWARE   STATIC   YES For calculating new vulnerabilities, or to know each dimension of known vulnerabilities          
21 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of Individual Software Vulnerabilities CVSS Base Impact Metrics Integrity impact   The impact of a successful exploitation of a vulnerability in terms of integrity such as none, low, high ORDINAL SOFTWARE   STATIC   YES For calculating new vulnerabilities, or to know each dimension of known vulnerabilities          
22 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of Individual Software Vulnerabilities CVSS Base Impact Metrics Availability impact AVAILABILITY The impact of a successful exploitation of a vulnerability in terms of availability, such as none, low, high ORDINAL SOFTWARE   STATIC   YES For calculating new vulnerabilities, or to know each dimension of known vulnerabilities          
23 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of Individual Software Vulnerabilities CVSS Base CVSS Temporal Metrics Exploit code maturity   The likelihood a vulnerability can be attacked based on the current exploitation techniques, such as undefined, unproven, proof-of-concept, functional, or high ORDINAL SOFTWARE   STATIC   YES For calculating new vulnerabilities, or to know each dimension of known vulnerabilities          
24 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of Individual Software Vulnerabilities CVSS Base CVSS Temporal Metrics Remediation level   Describes whether or not a remediation method is available for a given vulnerability, such as undefined, unavailable, workaround, temporary fix, or official fix NOMINAL SOFTWARE   STATIC   YES For calculating new vulnerabilities, or to know each dimension of known vulnerabilities          
25 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of Individual Software Vulnerabilities CVSS Base CVSS Temporal Metrics Report confidence   Measures the level of confidence for a given vulnerability as well as known technical details, such as unknown, reasonable, or confirmed NOMINAL SOFTWARE   STATIC   YES For calculating new vulnerabilities, or to know each dimension of known vulnerabilities          
26 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of Individual Software Vulnerabilities CVSS Base CVSS Environmental Metrics Security requirement   Describes environment-dependent security requirements in terms of confidentiality, integrity, and availability, such as not defined, low, medium, or high NOMINAL SOFTWARE   STATIC   YES For calculating new vulnerabilities, or to know each dimension of known vulnerabilities          
27 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of a Collection of Vulnerabilities Deterministic Severity Metrics (attack graphs) Topology metrics Depth metric   Ratio of the diameter of a domain-level attack graph over the diameter in the most secure case, implying that the larger the diameter, the more secure the network - NETWORK   STATIC   NO It is related to the topological properties of attack graphs          
28 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of a Collection of Vulnerabilities Deterministic Severity Metrics (attack graphs) Topology metrics Existence, number, and lengths of attack paths metrics   It uses the attributes of attack paths from an initial state to the goal state. These metrics can be used to compare two attacks - NETWORK   STATIC   NO It is related to the topological properties of attack graphs          
29 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of a Collection of Vulnerabilities Deterministic Severity Metrics (attack graphs) Effort metrics Necessary defense metric   It estimates a minimal set of defense countermeasures necessary for thwarting a certain attack - DEVICE   STATIC   YES This is related with the defenses that are necesary to implement so the system is secure for a certain vulnerability          
30 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of a Collection of Vulnerabilities Deterministic Severity Metrics (attack graphs) Effort metrics Effort-to-security-failure metric EFFORT It measures an attacker’s effort to reach its goal state - DEVICE   DYNAMIC*   YES Although it might be difficult to estimate, this could be also included in the evaluation process          
31 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of a Collection of Vulnerabilities Deterministic Severity Metrics (attack graphs) Effort metrics Weakest adversary metric EFFORT It estimates minimum adversary capabilities required to achieve an attack goal - DEVICE   DYNAMIC*   ¿? If the effort can be calculated in an objective manner, this could be used in embedded systems          
32 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of a Collection of Vulnerabilities Deterministic Severity Metrics (attack graphs) Effort metrics k-zero-day-safety metric   It measures a number of zero-day vulnerabilities for an attacker to compromise a target - DEVICE   STATIC   NO This has to do with probabilities. Can be applied, but I won't          
33 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of a Collection of Vulnerabilities Probabilistic Severity Metrics Metrics treating CVSS scores as atomic parameters Likelihood of exploitation   It measures the probability that an exploit will be executed by an attacker with certain capabilities - SOFTWARE   STATIC   ¿? This is related with statistics and risk assessment. It could be applied          
34 2   YES Vulnerability metrics Measuring Software Vulnerabilities Severity of a Collection of Vulnerabilities Probabilistic Severity Metrics Metrics not treating CVSS scores as atomic parameters Effective base metric / scope   Given an attack graph and a subset of exploits, the effective base metric aims to adjust the CVSS base metric by taking the highest value of the ancestors of an exploit to reflect the worst-case scenario, while the effective base score metric is calculated based on the effective base metric - SOFTWARE   STATIC   - -          
35 2   YES Defense metrics Strength of Preventive Defenses Metrics for Blacklisting - - Reaction time metric TIME It captures the delay between the observation of the malicious entity at time t and the blacklisting of the malicious entity at time t (i.e., t − t) ABSOLUTE DEVICE   DYNAMIC   YES If the device has any kind of detection mechanism, this could be used. Detection and reaction might have different times          
36 2   YES Defense metrics Strength of Preventive Defenses Metrics for Blacklisting - - Coverage metric COVERAGE It estimates the portion of blacklisted malicious players ORDINAL DEVICE   STATIC   YES This could be used, but the device has to have a blacklist          
37 2   YES Defense metrics Strength of Preventive Defenses Metrics for DEP - - NO METRIC IS DEFINED   No metrics have been defined to measure the effectiveness of DEP. The effectiveness of DEP can be measured based on the probability of being compromised by a certain attack A(t) over all possible classes of attacks - DEVICE   -   - No metric is defined          
38 2   YES Defense metrics Strength of Preventive Defenses Metrics for CFI - - Average indirect target reduction   It counts the overall reduction of targets for any indirect control-flow transfer. It measures the overall reduction in terms of the number of targets exploitable by the attacker where smaller targets are more secure ABSOLUTE UNKNOWN   UNKNOWN   UNKNOWN UNKNOWN          
39 2   YES Defense metrics Strength of Preventive Defenses Metrics for CFI - - Average target size   Ratio between the size of the largest target and the number of targets - UNKNOWN   UNKNOWN   UNKNOWN UNKNOWN          
40 2   YES Defense metrics Strength of Preventive Defenses Metrics for CFI - - Evasion resistance   It is measured against control flow bending attacks, reflecting the effort (or premises) that an attacker must make (or satisfy) for evading the CFI scheme - UNKNOWN   UNKNOWN   UNKNOWN UNKNOWN          
41 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Monitoring - - Coverage metric COVERAGE It measures the fraction of events detectable by a specific sensor deployment, reflecting a defender’s need in monitoring events - DEVICE   DYNAMIC   UNKNOWN UNKNOWN          
42 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Monitoring - - Redundancy metric   It estimates the amount of evidence provided by a specific sensor deployment to detect an event - DEVICE   DYNAMIC   YES This can be applied to devices as a whole, to check any mechanism of intrusion detection (mostly, tanti-tampering and software)          
43 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Monitoring - - Confidence metric   It measures how well-deployed sensors detect an event in the presence of compromised sensors - DEVICE   DYNAMIC   YES This can be applied to devices as a whole, to check any mechanism of intrusion detection (mostly, tanti-tampering and software)          
44 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Monitoring - - Cost metric COST It measures the amount of resources consumed by deploying sensors including the cost for operating and maintaining sensors - ORGANISATION   STATIC   NO This is related with the cost of a specific countermeasure. This is more likely to be applied in early steps of the development          
45 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Detection Mechanisms Individual Strength of Defense Mechanisms - Detection time TIME For instrument-based attack detection, this metric is used to measure the delay between the time t0 at which a compromised computer sends its first scan packet and the time t that a scan packet is observed by the instrument - UNKNOWN   UNKNOWN   UNKNOWN UNKNOWN          
46 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Detection Mechanisms Individual Strength of Defense Mechanisms Intrusion detection metrics True-positive rate INTRUSION It is the probability that an intrusion is detected as an attack - NETWORK   DYNAMIC   NO This is clearly a network-oriented metric          
47 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Detection Mechanisms Individual Strength of Defense Mechanisms Intrusion detection metrics False-negative rate INTRUSION It is the probability that an intrusion is not detected as an attack - NETWORK   DYNAMIC   NO This is clearly a network-oriented metric          
48 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Detection Mechanisms Individual Strength of Defense Mechanisms Intrusion detection metrics True-negative rate INTRUSION It is the probability that a non-intrusion is not detected as an attack - NETWORK   DYNAMIC   NO This is clearly a network-oriented metric          
49 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Detection Mechanisms Individual Strength of Defense Mechanisms Intrusion detection metrics False-positive rate INTRUSION Also known as false alarm rate, it is the probability that a nonintrusion is detected as an attack - NETWORK   DYNAMIC   NO This is clearly a network-oriented metric          
50 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Detection Mechanisms Individual Strength of Defense Mechanisms Intrusion detection metrics Intrusion detection capability metric INTRUSION It is the normalized metric of I(I, O) with respect to H(I) based on the base rate where I is the input to the IDS as a stream of 0/1 random variables (0 for benign/normal and 1 for malicious/abnormal), O is the output of the IDS as a stream of 0/1 random variables (0 for no alert or normal; 1 for alert / abnormal), H(I) and H(O), respectively, denote the entropy of I and O, and I(I, O) = H(I) − H(I\O) is the mutual information between I and O - NETWORK   UNKNOWN   NO This is clearly a network-oriented metric          
51 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Detection Mechanisms Individual Strength of Defense Mechanisms Intrusion detection metrics Receiver operating characteristic (ROC)   It reflects the dependence of the true-positive rate on the false-positive rate, reflecting a tradeoff between the true-positive and the false-positive rates - NETWORK   STATIC   NO This is clearly a network-oriented metric          
52 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Detection Mechanisms Individual Strength of Defense Mechanisms Intrusion detection metrics Intrusion detection operating characteristic (IDOC) INTRUSION It describes the dependence of the true positive rate Pr(A\I) on the Bayesian detection rate Pr(I\A), while accommodating the base rate Pr(I) - NETWORK   STATIC   NO This is clearly a network-oriented metric          
53 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Detection Mechanisms Individual Strength of Defense Mechanisms Intrusion detection metrics Cost metric (damage / response / operational) COST It includes the damage cost incurred by undetected attacks, the response cost spent on the reaction to detected attacks including both true and false alarms, and the operational cost for running an IDS - NETWORK   STATIC   NO This is clearly a network-oriented metric, that aims to translate the impact into moneu          
54 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Detection Mechanisms Relative Strength of Defense Mechanisms - Relative effectiviness   This metric reflects the strength of a defense tool when employed in addition to other defense tools. A defense tool does not offer any extra strength if it cannot detect any attack undetected by other defense tools in place RATIO NETWORK   DYNAMIC   NO This is clearly a network-oriented metric          
55 2   YES Defense metrics Measuring the Strength of Reactive Defenses Metrics for Detection Mechanisms Collective Strength of Defense Mechanisms - Collective effectiviness   This metric measures the collective strength of IDSs and anti-malware programs RATIO NETWORK   DYNAMIC   NO This is clearly a network-oriented metric          
56 2   YES Defense metrics Measuring the Strength of Proactive Defenses Address Space Layout Randomization (ASLR) - - ASLR-induced Entropy metric     -           This is clearly a network-oriented metric          
57 2   YES Defense metrics Measuring the Strength of Proactive Defenses Address Space Layout Randomization (ASLR) - - ASLR-induced Effective entropy metric   Measure of entropy in user space memory which quantitatively considers an adversary’s ability to leverage low entropy regions of memory via absolute and dynamic inter-section connections - SOFTWARE   DYNAMIC OS YES If the device runs an OS, this could be applied          
58 2   YES Defense metrics Measuring the Strength of Proactive Defenses - - - Moving Target Defense (MTD)   It measures the degree that an enterprise system can tolerate some undesirable security configurations in order to direct the global security state S(t) towards a desired stable system state - NETWORK   DYNAMIC   NO This is only applicable to an enterprise system          
59 2   YES Defense metrics Measuring the Strength of Overall Defenses - - - Penetration resistance (PR)   Running a penetration test to estimate the level of effort (e.g., person-day or cost) required for a red team to penetrate into a system - DEVICE ETWORK   DYNAMIC   YES Penetration testing is a really common way to test this kind of device          
60 2   YES Defense metrics Measuring the Strength of Overall Defenses - - - Network diversity (ND)   It measures the least or average effort an attacker must make to compromise a target entity based on the causal relationships between resource types to be considered as the inclusion in an attack graph - NETWORK   DYNAMIC   NO This is clearly a network-oriented metric          
61 2   YES Attack metrics Measuring Zero-Day Attacks - - - Lifetime of zero-day attacks ZERODAY It measures the period of time between when an attack was launched and when the corresponding vulnerability is disclosed to the public - SOFTWARE ARDWARE EVICE   DYNAMIC   NO This can be computed, but it is not feasible for a security evaluation          
62 2   YES Attack metrics Measuring Zero-Day Attacks - - - Victims by zero-day attacks ZERODAY It measures the number of computers compromised by zero-day attacks - ORGANISATION   DYNAMIC*   NO This is usefull for networks or an organisation. It can be computed for a network of devices, but it is not useful for a security evaluation          
63 2   YES Attack metrics Measuring Zero-Day Attacks - - - Susceptibility of a device to zero-day attacks ZERODAY If we can capture the degree of the susceptibility of a device to zero-day attacks, then we can prioritize resource allocation to the ones requiring higher attention for mitigating the damage - DEVICE         This metric is proposed in [2] as a future concept, but it is not developed          
64 2   YES Attack metrics Measuring Targeted Attacks - - - Targeted threat index   Level of targeted malware attacks - NETWORK RGANISATION   DYNAMIC   NO This is usefull for networks or an organisation. It can be computed for a network of devices, but it is not useful for a security evaluation          
65 2   YES Attack metrics Measuring Botnets - - - Botnet size   Number of bots, x, that can be instructed to launch attacks (e.g., distributed denial-of-service attacks) at time t, denoted by y(t). Due to time zone difference, y(t) is often much smaller than the actual x as some of x is turned off during night time at time zones - NETWORK   STATIC   NO This is clearly a network-oriented metric          
66 2   YES Attack metrics Measuring Botnets - - - Network bandwidth   Network bandwidth that a botnet can use to launch denial-of-service attacks - NETWORK   STATIC YNAMIC   NO This is clearly a network-oriented metric          
67 2   YES Attack metrics Measuring Botnets - - - Botnet efficiency   Network diameter of the botnet network topology. It measures a botnet’s capability in communicating command-and-control messages and updating bot programs - NETWORK   ¿?   NO This is clearly a network-oriented metric          
68 2   YES Attack metrics Measuring Botnets - - - Botnet robustness   Robustness of botnets under random or intelligent disruptions. The idea was derived from the concept of complex network robustness, characterized by the percolation threshold under which a network is disrupted into small components - NETWORK   ¿?   NO This is clearly a network-oriented metric          
69 2   YES Attack metrics Measuring Malware Spreading - - - Infection rate   Average number of vulnerable computers that are infected by a compromised computer (per time unit) at the early stage of spreading - NETWORK   DYNAMIC   NO This is usefull for networks or an organisation. It can be computed for a network of devices, but it is not useful for a security evaluation          
70 2   YES Attack metrics Measuring Attack Evasion Techniques Adversarial Machine Learning Attacks - - Increased false-positive rate   The strength of attacks as a consequence of applying a certain evasion method - DEVICE ETWORK   DYNAMIC   NO This can only be calculated if the embedded system has implemented an evasion mechanism against machine learning attacks          
71 2   YES Attack metrics Measuring Attack Evasion Techniques Adversarial Machine Learning Attacks - - Increased false-negative rate   The strength of attacks as a consequence of applying a certain evasion method - DEVICE ETWORK   DYNAMIC   NO This can only be calculated if the embedded system has implemented an evasion mechanism against machine learning attacks          
72 2   YES Attack metrics Measuring Attack Evasion Techniques Obfuscation Attacks - - Obfuscation prevalence metric CODE Occurrence of obfuscation in malware samples - MALWARE   STATIC   NO Malware-related          
73 2   YES Attack metrics Measuring Attack Evasion Techniques Obfuscation Attacks - - Structural complexity metric   Runtime complexity of packers in terms of their layers or granularity - MALWARE   ¿?   NO Malware-related          
74 2   YES Attack metrics Measuring Attack Evasion Techniques Obfuscation Attacks - - Evasion capability of attacks   Allows comparing the evasion power of two attacks, but also allows computing the damage caused by evasion attacks - MALWARE   DYNAMIC   NO Proposed, but not defined          
75 2   YES Attack metrics Measuring Attack Evasion Techniques Obfuscation Attacks - - Obfuscation sophistication CODE In terms of the amount of effort required for unpacking packed malware - MALWARE   STATIC   NO Proposed, but not defined. Malware related          
76 2   YES Situation metrics Measuring Security State Data-Driven State Metrics - - Network maliciousness metric   It estimates the fraction of blacklisted IP addresses n a network - NETWORK   STATIC YNAMIC   NO This metric works at network level, for systems in a network. Cannot be applied to embedded systems          
77 2   YES Situation metrics Measuring Security State Data-Driven State Metrics - - Rogue networkmetric   Population of networks used to launch drive-by download or phishing attacks - NETWORK   DYNAMIC   NO This metric works at network level, for systems in a network. Phishing cannot be applied to embedded systems          
78 2   YES Situation metrics Measuring Security State Data-Driven State Metrics - - ISP badness metric   Quantifies the effect of spam from one ISP or Autonomous System (AS) on the rest of the Internet - NETWORK   DYNAMIC   NO This is clearly a network-oriented metric          
79     YES Situation metrics Measuring Security State Data-Driven State Metrics - - Control-plane reputation metric   Calibrates the maliciousness of attacker-owned (i.e., rather than legitimate but mismanaged/abused) ASs based on their control plane information (e.g., routing behavior), which can achieve an early-detection time of 50–60 days (before these malicious ASs are noticed by other defense means) - ATTACKER   ¿?   NO This is related to external systems that could be potential attackers          
80 2   YES Situation metrics Measuring Security State Data-Driven State Metrics - - Cybersecurity posturemetric   Measures the dynamic threat imposed by the attacking computers - ATTACKER   DYNAMIC   NO This is related to attacks themselves          
81 2   YES Situation metrics Measuring Security State Model-Driven Metrics - - Fraction of compromised computers at time t     - NETWORK   DYNAMIC   NO Directly related to the systems in a network          
82 2   YES Situation metrics Measuring Security State Model-Driven Metrics - - Probability a computer is compromised at time t   It quantifies the degree of security in enterprise systems by using modeling techniques based on a holistic perspective - DEVICE ETWORK   ¿?   ¿? Although this is a network-oriented metric, this might be adapted to be used with an embedded system          
83 2   YES Situation metrics Measuring Security Incidents Frequency of Security Incidents - - Encounter rate   Measures the fraction of computers that encountered some malware or attack during a period of time - NETWORK   STATIC   NO Directly related to the systems in a network          
84 2   YES Situation metrics Measuring Security Incidents Frequency of Security Incidents - - Incident rate   Measures the fraction of computers successfully infected or attacked at least once during a period of time - NETWORK   STATIC   NO Directly related to the systems in a network          
85 2   YES Situation metrics Measuring Security Incidents Frequency of Security Incidents - - Blocking rate   The rate an encountered attack is successfully defended by a deployed defense - NETWORK   DYNAMIC   ¿? Although this is a network-oriented metric, this might be adapted to be used with an embedded system (maybe for a penetration test)          
86 2   YES Situation metrics Measuring Security Incidents Frequency of Security Incidents - - Breach frequencymetric   How often breaches occur - NETWORK   STATIC   NO Directly related to the systems in a network          
87 2   YES Situation metrics Measuring Security Incidents Frequency of Security Incidents - - Breach size metric   Number of records breached in individual breaches - NETWORK   STATIC   NO Directly related to the systems in a network          
88 2   YES Situation metrics Measuring Security Incidents Frequency of Security Incidents - - Time-between-incidents metric TIME Period of time between two incidents - NETWORK   STATIC   NO Directly related to the systems in a network          
89 2   YES Situation metrics Measuring Security Incidents Frequency of Security Incidents - - Time-to-first-compromise metric TIME Estimates the duration of time between when a computer starts to run and the first malware alarm is triggered on the computer where the alarm indicates detection rather than infection - DEVICE   DYNAMIC   YES This can be used in embedded systems, but it might not be suitable for a security evaluation (maybe for a penetration test)          
90 2   YES Situation metrics Measuring Security Incidents Damage of Security Incidents - - Delay in incident detection TIME Time between the occurrence and detection - ORGANISATION   DYNAMIC   NO This metric could be used to transmit the importance of security in the organisation, but cannot be used in embedded systems          
91 2   YES Situation metrics Measuring Security Incidents Damage of Security Incidents - - Cost of incidents COST - - ORGANISATION   STATIC   NO Similar to 56          
92 2   YES Situation metrics Measuring Security Investment - - - Security spending COST Percentage of IT budget - ORGANISATION   STATIC   NO This metric shows the investing in security in the organization. It Cannot be applied to embedded systems          
93 2   YES Situation metrics Measuring Security Investment - - - Security budget allocation COST It estimates how the security budget is allocated to various security activities and resources - ORGANISATION   STATIC   NO This metric shows the investing in security in the organization. It Cannot be applied to embedded systems          
94 2   YES Situation metrics Measuring Security Investment - - - Return on security investment (ROSI) COST It is a variant of the classic return on investment (ROI) metric, measuring the financial net gain of an investment based on the gain from investment minus the cost of investment - ORGANISATION   STATIC   NO This metric shows the investing in security in the organization. It Cannot be applied to embedded systems          
95 2   YES Situation metrics Measuring Security Investment - - - Net present value COST It measures the difference between the present economic value of future inflows and the present economic value of outflows with respect to an investment - ORGANISATION   STATIC   NO This metric shows the investing in security in the organization. It Cannot be applied to embedded systems          
96 10   YES Host-based Without Probability Values - - - Attack Impact   It is the quantitative measure of the potential harm caused by an attacker to exploit a vulnerability - NETWORK   STATIC                
97 10   YES Host-based Without Probability Values - - - Attack Cost COST It is the cost spent by an attacker to successfully exploit a vulnerability (i.e., security weakness) on a host - NETWORK   STATIC YNAMIC   YES This is related to network, but this could be applicable to devices too          
98 10   YES Host-based Without Probability Values - - - Structural Important Measured   It it used to qualitatively determine the most critical event (attack, detection or mitigation) in a graphical attack model - NETWORK   STATIC   NO Related to networks          
99 10   YES Host-based Without Probability Values - - - Mincut Analysis   ?? - NETWORK                    
100 10   YES Host-based Without Probability Values - - - Mean-time-to-compromise (MTTC) TIME It is used to measure how quickly a network can be penetrated - NETWORK   DYNAMIC   ¿? This is no directly applicable, but its equivalent would be a penetration attack in an embedded system          
101 10   YES Host-based Without Probability Values - - - Mean-time-to-recovery (MTTR) TIME It is used to assess the effectiveness of a network to recovery from an attack incidents. It is defined as the average amount of time required to restore a system out of attack state - NETWORK   DYNAMIC   ¿? Although this is developed for networks, the same concept can be translated into embeded systems          
102 10   YES Host-based Without Probability Values - - - Mean-time-to-First-Failure (MTFF) TIME ?? - NETWORK                    
103 10   YES Host-based Without Probability Values - - - Mean-Time-To-Breach (MTTB) TIME ?? - NETWORK                    
104 10   YES Host-based Without Probability Values - - - Return on Investment COST It measures the financial net gain of an investment based on the gain from investment minus the cost of investment - NETWORK   STATIC   NO Network-related and cost related. Useful for organisation managing          
105 10   YES Host-based Without Probability Values - - - Return on Attack   The gain the attacker expects from successful attack over the losses he sustains due to the countermeasure deployed by his target - NETWORK   ¿?   ¿? Network-related, but it scent can be translated into embedded systems          
106 10   YES Host-based With Probability Values - - - Common Vulnerability Scoring System (CVSS) - Overall value VULNERABILITY The overall score is determined by generating a base score and modifying it through the temporal and environmental formulas - DEVICE   STATIC   YES This could be used tohether with other metics to obtain a numeric value          
107 10   YES Host-based With Probability Values - - - Probability of Vulnerability Exploited VULNERABILITY It is used to assess the likelihood of an attacker exploiting a specific vulnerability on a host - SOFTWARE ARDWARE ETWORK   STATIC   ¿? Network-related metric. This is also related to risk assessment. Can be traslated into embedded systems          
108 10   YES Host-based With Probability Values - - - Probability of attack detection   It is used to assess the likelihood of a countermeasure to successfully identify the event of an attack on a target. - SOFTWARE ARDWARE ETWORK   DYNAMIC   ¿? Network-related metric. This is also related to risk assessment. Can be traslated into embedded systems          
109 10   YES Host-based With Probability Values - - - Probability of host compromised   It is used to assess the likelihood of an attacker to successfully compromise a target - HARDWARE OFTWARE ETWORK   STATIC YNAMIC   ¿? Network-related metric. This is also related to risk assessment. Can be traslated into embedded systems          
110 10   YES Network-based Non-path based - - - Network Compromise Percentage   It quantifies the percentage of hosts on the network on which an attacker can obtain an user or administration level privilege - NETWORK   STATIC YNAMIC   NO It's about networks, and we can't predict where the device will be used, so this metric is not representative          
111 10   YES Network-based Non-path based - - - Waekest Adversary EFFORT It is used to assess the security strength of a network in terms of the weakest part of the network that an attacker can successfully penetrate - SOFTWARE ARDWARE ETWORK   STATIC YNAMIC   NO Similar to 31. It's about networks, and we can't predict where the device will be used, so this metric is not representative          
112 10   YES Network-based Non-path based - - - Vulnerable Host Percentage   This metric quantifies the percentage of hosts with vulnerability on a network. It is used to assess the overall security of a network - NETWORK   DYNAMIC   NO It's about networks, and we can't predict where the device will be used, so this metric is not representative          
113 10   YES Network-based Path based - - - Attack Shortest Path PATH It is the smallest distance from the attacker to the target. This metric represents the minimum number of hosts an attacker will use to compromise the target host - NETWORK AUTOMATIC* DYNAMIC   NO If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used          
114 10   YES Network-based Path based - - - Number of Attack Paths PATH It is the total number of ways an attacker can compromise the target - NETWORK AUTOMATIC* DYNAMIC   NO If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used          
115 10   YES Network-based Path based - - - Mean of Attack Path Lengths PATH It is the average of all path lengths. It gives the expected effort that an attacker may use to breach a network policy - NETWORK AUTOMATIC* DYNAMIC   NO If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used          
116 10   YES Network-based Path based - - - Normalised Mean of Path Lengths PATH Expected number of exploits an attacker should execute in order to reach the target - NETWORK AUTOMATIC* DYNAMIC   NO If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used          
117 10   YES Network-based Path based - - - Standand Deviation of Path Lengths PATH It is used to determine the attack paths of interest - NETWORK AUTOMATIC* DYNAMIC   NO If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used          
118 10   YES Network-based Path based - - - Mode of Path Lengths PATH It is the attack path length that occurs most frequently - NETWORK AUTOMATIC* DYNAMIC   NO If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used          
119 10   YES Network-based Path based - - - Median of Path Lengths PATH It is used by network administrator to determine how close is an attack path length to the value of the median path length (i.e. path length that is at the middle of all the path length values) - NETWORK AUTOMATIC* DYNAMIC   NO If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used          
120 10   YES Network-based Path based - - - Attack Resistance Metric   It is use to assess the resistance of a network configuration based on the composition of measures of individual exploits. It is also use for assessing and comparing the security of different network configurations - NETWORK   ¿?   NO If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used          
121 4   YES - - - - - Mean Time To Failure (MTTF) - Time to compromise TIME Mean time for a potential intruder to reach the specified target - NETWORK AUTOMATIC DYNAMIC   NO            
122 4   YES - - - - - Mean Effort To Failure (METF) - Effort to compromise   Mean effort for a potential attacker to reach the specified target - NETWORK SEMI-AUTOMATIC DYNAMIC   NO            
123 4   YES - - - - - Mean Time to Security Failure (MTTSF) - Time to compromise TIME Expected amount of time attackers need to successfully complete an attack process - NETWORK SEMI-AUTOMATIC STATIC   NO            
124 4   YES - - - - - Mean Time to First Failure (MTFF) - Time to compromise TIME Mean time interval from system initiation to the first system failure - NETWORK SEMI-AUTOMATIC STATIC   ¿? Similar to 102. Depending on the type of test, the time to compromise can be measured (penetration test, fuzzing…), but the result could not be representative          
125 4   YES - - - - - Mean Time To Compromise (MTTC) - Time to compromise TIME Mean time needed for an attacker to gain some level of privilege on some system component - NETWORK SEMI-AUTOMATIC STATIC   NO Similar to 100. How can the effort be calculated in an objective manner? This might be the result after some tests          
126 4   YES - - - - - Shortest path PATH     NETWORK AUTOMATIC DYNAMIC   NO Similar to 113          
127 4   YES - - - - - Number of paths PATH     NETWORK AUTOMATIC DYNAMIC   NO Similar to 114          
128 4   YES - - - - - Mean of Path lengths PATH     NETWORK AUTOMATIC DYNAMIC   NO Similar to 115          
129 4   YES - - - - - Weakest adversary EFFORT     NETWORK SEMI-AUTOMATIC STATIC   NO Similar to 31          
130 4   YES - - - - - Network compromise percentage       NETWORK AUTOMATIC DYNAMIC   NO If we are evaluating a device, it has no sense talking about networks          
131 4   YES - - - - - Compromise probability       NETWORK SEMI-AUTOMATIC DYNAMIC   NO            
132 4   YES - - - - - Attack Resistance   It is use to assess the resistance of a network configuration based on the composition of measures of individual exploits. It is also use for assessing and comparing the security of different network configurations - NETWORK SEMI-AUTOMATIC STATIC   NO Similar to 120          
133 4   YES - - - - - Expected dificulty       NETWORK AUTOMATIC STATIC   NO            
134 4   YES - - - - - Percentage of distinct hosts (d1-Diversity)       NETWORK SEMI-AUTOMATIC STATIC   NO This is related with servers in a network, cannot be applied to a single device          
135 4   YES - - - - - Number of bits leaked (mean privacy) DATA     NETWORK SEMI-AUTOMATIC STATIC   ¿? If adapted, this metric can be used to test memory related vulnerabilities          
136 4   YES - - - - - K-zero day safety   Instead of attempting to rank unknown vulnerabilities, the metric counts how many such vulnerabilities would be required for compromising network assets; a larger count implies more security because the likelihood of having more unknown vulnerabilities available, applicable, and exploitable all at the same time will be significantly lower - NETWORK SEMI-AUTOMATIC* STATIC*   NO Similar to 32. This has to do with probabilities. Can be applied, but I won't          
137 5   NO - - - - - rav OPSEC It is a scale measurement of the attack surface, the amount of uncontrolled interactions with a target, which is calculated by the quantitative balance between operations, limitations, and controls -                      
138 11   YES Churn - - - - 30-Day Churn CODE     SOFTWARE                    
139 11   YES Churn - - - - Churn CODE Count of Source Lines of Code that has been added or changed in a component since the previous revision of the software - SOFTWARE - -   -            
140 11   YES Churn - - - - Frequency CODE Number of times that a binary was edited during its development cycle - SOFTWARE AUTOMATIC* STATIC*   NO This is more related to the development of the software          
141 11   YES Churn - - - - Lines Changed CODE The cumulated number of code lines changed since the creation of a file - SOFTWARE AUTOMATIC* STATIC*   NO This is more related to the development of the software          
142 11   YES Churn - - - - Lines new CODE The cumulated number of new code lines since the creation of a file - SOFTWARE AUTOMATIC* STATIC*   NO This is more related to the development of the software          
143 11   YES Churn - - - - Number of lines deleted between revisions CODE     SOFTWARE AUTOMATIC*     NO This is more related to the development of the software          
144 11   YES Churn - - - - Number of commits CODE Counting the commits a given developer made - SOFTWARE AUTOMATIC* STATIC*   NO This is more related to the development of the software          
145 11   YES Churn - - - - Percentage of interactive churn (PIC)                            
146 11   YES Churn - - - - Relative churn CODE Normalized by parameters such as lines of code, files counts - SOFTWARE AUTOMATIC* STATIC*                
147 11   YES Churn - - - - Repeat frequency CODE The number of consecutive edits that are performed on a binary - SOFTWARE AUTOMATIC* STATIC*                
148 11   YES Churn - - - - Total churn CODE The total added, modified, and deleted lines of code of a binary during the development - SOFTWARE AUTOMATIC* STATIC*                
149 11   YES Complexity - - - - Average service depth (ASD)                            
150 11   YES Complexity - - - - Code complexity CODE     SOFTWARE       YES If the software is available, it can be applied. It can be also applied to embedded software          
151 11   YES Complexity - - - - Complexity CODE     SOFTWARE       YES If the software is available, it can be applied. It can be also applied to embedded software          
152 11   YES Complexity - - - - Count path complexity CODE     SOFTWARE       YES If the software is available, it can be applied. It can be also applied to embedded software          
153 11   YES Complexity* - - - - Cyclomatic number CODE M = E − N + P, where E = the number of edges of the graph. N = the number of nodes of the graph. P = the number of connected components.   SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
154 11   YES Complexity - - - - Dependency network complexity                            
155 11   YES Complexity - - - - Execution complexity CODE                          
156 11   YES Complexity - - - - Fan in (FI) COUPLING Number of inputs a function uses. Inputs include parameters and global variables that are used (read) in the function / Number of functions calling a function - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
157 11   YES Complexity - - - - Fan out (FO) COUPLING Number of outputs that are set. The outputs can be parameters or global variables (modified) / Number of functions called by a function - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
158 11   YES Complexity - - - - Henry Kafura: SLOC *( (FI*FO)2)                            
159 11   YES Complexity - - - - Lack of cohesion of methods (LCOM)                            
160 11   YES Complexity - - - - Max fan in CODE The largest number of inputs to a function such as parameters and global variables - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
161 11   YES Complexity - - - - Max fan out CODE The largest number of assignment to the parameters to call a function or global variables - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
162 11   YES Complexity - - - - MaxMaxNesting CODE The maximum of MaxNesting in a file - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
163 11   YES Complexity - - - - MaxNesting CODE Maximum nesting level of control constructs such as if or while statements in a function - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
164 11   YES Complexity - - - - Nesting complexity CODE Maximum nesting level of control constructs (if, while, for, switch, etc.) in the function - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
165 11   YES Complexity - - - - Number of children (NOC) CODE Number of immediate sub-classes of a class or the count of derived classes. If class CA inherits class CB, then CB is the base class and CA is the derived class. In other words, CA is the children of class CB, and CB is the parent of class CB. - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
166 11   YES Complexity - - - - SumCyclomaticStrict CODE The sum of the strict cyclomatic complexity, where strict cyclomatic complexity is defined as the number of conditional statements in a function - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
167 11   YES Complexity - - - - SumEssential CODE The sum of essential complexity, where essential complexity is defined as the number of branches after reducing all the programming primitives such as a for loop in a function’s control flow graph into a node iteratively until the graph cannot be reduced any further. Completely well-structured code has essential complexity 1 - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
168 11   YES Complexity - - - - SumFanIn CODE The sum of FanIn, where FanIn is defined as the number of inputs to a function such as parameters and global variables - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
169 11   YES Complexity - - - - SumFanOut CODE The sum of FanOut, where FanOut is defined as the number of assignment to the parameters to call a function or global variables - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
170 11   YES Complexity - - - - SumMaxNesting CODE The sum of the MaxNesting in a file, where MaxNesting is defined as the maximum nesting level of control constructs such as if or while statements in a function - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
171 11   YES Complexity - - - - McCabe Cyclomatic Complexity   M = E − N + 2P, where E = the number of edges of the graph. N = the number of nodes of the graph. P = the number of connected components - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
172 11   YES Complexity - - - - Weighted methods per class (WMC)   Number of local methods defined in the class - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
173 11   YES Cost - - - - Annual Loss Expectancy (ALE) COST                          
174 11   YES Cost - - - - Cost of security breach COST             NO            
175 11   YES Cost - - - - Remediation Impact (RI)   The remediation impact provides an overview of how much impact the remediation could have on the affected system -         NO            
176 11   YES Cost - - - - Risk Potential                            
177 11   YES Cost - - - - Threat-to-impact transitions                            
178 11   YES Coverage - - - - Access accuracy USER Number of correctly configured user accounts, against the overall number of accounts created, including badly configured accounts and hanging accounts - ORGANISATION AUTOMATIC* DYNAMIC*   NO This is not related to embedded systems          
179 11   YES Coverage - - - - Administrator and operator logs LOG Total number corrective actions taken after specific event is recorded in log / total number of events recorded in log * 100 -                      
180 11 X YES Coverage - - - - Anomalous session count ACCESS The first phase derives a SessionTableAccessProfile by correlating application server user log entries for a user session with accessed database tables; the resulting value of SessionTableAccessProfile is represented as a user ID followed by a set of ordered pairs with a table name and a count. The second phase derives the AnomalousSessionCount by counting how many SessionTableAccessCounts don’t fit a predefined user profile. If AnamalousSessionCount is greater than one for any user, especially a privileged user, it could indicate the need for significant refactoring and redesign of the Web application’s persistence layer. This is a clear case in which detection at design time is preferable. - SOFTWARE - -   ¿? If adapted, it could be used          
181 11   YES Coverage - - - - Approval accuracy   Number of approved provisioning activities, against the overall provisioning activities, including the unauthorized ones - ORGANISATION SEMI-AUTOMATIC* DYNAMIC*   NO This is not related to embedded systems          
182 11   YES Coverage - - - - Arc coverage                            
183 11   YES Coverage - - - - Audit logging LOG Total number of log files monitored in specific time interval / number of available log files * 100 - SOFTWARE SEMI-AUTOMATIC* DYNAMIC*   NO Although this has to do with larger systems, embedded systems could not be able to produce log files          
184 11   YES Coverage - - - - Block coverage                            
185 11   YES Coverage - - - - Classified Accessor Attribute Interactions (CAAI) CODE The ratio of the sum of all interactions between accessors and classified attributes to the possible maximum number of interactions between accessors and classified attributes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
186 11   YES Coverage - - - - Classified Attributes Interaction Weight (CAIW) CODE The ratio of the number of all interactions with classified attributes to the total number of all interactions with all attributes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
187 11   YES Coverage - - - - Classified Class Data Accessibility (CCDA) CODE The ratio of the number of non-private classified class attributes to the number of classified attributes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
188 11   YES Coverage - - - - Classified Instance Data Accessibility (CIDA) CODE The ratio of the number of non-private classified instance attributes to the number of classified attributes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
189 11   YES Coverage - - - - Classified Method Extensibility (CME) CODE The ratio of the number of the non-finalised classified methods in program to the total number of classified methods in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
190 11   YES Coverage - - - - Classified Methods Weight (CMW) CODE The ratio of the number of classified methods to the total number of methods in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
191 11   YES Coverage - - - - Classified Mutator Attribute Interactions (CMAI) CODE The ratio of the sum of all interactions between mutators and classified attributes to the possible maximum number of interactions between mutators and classified attributes in the program. - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
192 11   YES Coverage - - - - Classified Operation Accessibility (COA) CODE The ratio of the number of non-private classified methods to the number of classified methods in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
193 11   YES Coverage - - - - Classified Writing Methods Proportion (CWMP) CODE The ratio of the number of methods which write classified attributes to the total number of classified methods in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
194 11   YES Coverage - - - - Composite-Part Critical Classes (CPCC) CODE The ratio of the number of critical composed-part classes to the total number of critical classes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
195                 Classes Design Proportion (CDP) CODE Ratio of the number of critical classes to the total number of classes, from the group of Design Size Metrics. - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
196 11   YES Coverage - - - - Controls against malicious code CODE Number of incidents as results of malware (malicious software) outbreaks on system / number of detected and blocked malware occurrences * 100 - SOFTWARE SEMI-AUTOMATIC* DYNAMIC*   NO This metric could be adapted to embedded systems, but it might not make sense in the testing phase          
197 11   YES Coverage - - - - Countermeasure-effectiveness                            
198 11   YES Coverage - - - - Coverage COVERAGE                          
199 11   YES Coverage - - - - Coverage of Hazard Analysis COVERAGE                          
200 11   YES Coverage - - - - Critical Class Extensibility (CCE) CODE The ratio of the number of the non-finalised critical classes in program to the total number of critical classes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
201 11   YES Coverage - - - - Critical Design Proportion (CDP) CODE The ratio of the number of critical classes to the total number of classes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
202 11   YES Coverage - - - - Critical Element Ratio CODE A process may not require all aspects of an object to be instantiated. Critical Elements Ratio = (Critical Data Elements in an Object) / (Total number of elements in the object) - SOFTWARE SEMI-AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
203 11   YES Coverage - - - - Critical Serialized Classes Proportion (CSCP) CODE The ratio of the number of critical serialized classes to the total number of critical classes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
204 11   YES Coverage - - - - Critical Superclasses Inheritance (CSI) CODE The ratio of the sum of classes which may inherit from each critical superclass to the number of possible inheritances from all critical classes in the program’s inheritance hierarchy - SOFTWARE - -   ¿?            
205 11   YES Coverage - - - - Critical Superclasses Proportion (CSP) CODE The ratio of the number of critical superclasses to the total number of critical classes in the program’s inheritance hierarchy - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
206 11   YES Coverage - - - - Depth of inspection CODE It calculates the depth of inspection by collecting the statistical data of inspection and testing approaches and finds out the defect capturing capability as a ratio. DI can be measured phase-wise or as a whole before the deployment of the product. # defects captured by inspection process / # defects captured by both inspection and testing approaches - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO This metric is intended to be use in the design phase. This cannot be applied in a security assessment          
207 11   YES Coverage - - - - EIR - ratio between external and internal data flow                            
208 11   YES Coverage - - - - Fail-Safe Defaults (PFSD)                            
209 11   YES Coverage - - - - Grant Least Privilege (PLP)                            
210 11   YES Coverage - - - - Hazard Analysis Achieved                            
211 11   YES Coverage - - - - Isolation (PI) CODE This assesses the level of security isolation between system components. This means getting privileges to a component does not imply accessibility of other co-located components. This metric can be assessed using system architecture and deployment models. Components marked as confidential should not be hosted with nonconfidential (public) components. Methods that are not marked as confidential should not have access to confidential attributes or methods - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? I am not sure if this metric can be applied to embedded software          
212 11   YES Coverage - - - - Least Common Mechanism (PLCM)                            
213 11   YES Coverage - - - - Number of Catch Blocks Per Class (NCBC) CODE It measures the exception handing factor (EHF) in some way. It is defined as the percentage of catch blocks in a class over the theoretical maximum number of catch blocks in the class - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
214 11   YES Coverage - - - - Percentage High-, medium- and moderate-Risk Software Hazards with Safety Requirements   It reveals whether all high-, medium- and moderate-risk software hazards have resulted in applicable safety requirements through hazard analysis - SOFTWARE SEMI-AUTOMATIC* STATIC*   YES This is related to software and the design          
215 11   YES Coverage - - - - Percentage of Software Safety Requirements (PSSR)   How sufficient hazard analysis has been performed. (# Software Safety Requirements / # SoftwareRequirements) * 100 - SOFTWARE SEMI-AUTOMATIC* STATIC*   YES This is related to software and the design          
216 11   YES Coverage - - - - Percentage of Software Safety Requirements Traceable to Hazards   Ensuring traceability to system hazards or System of Systems hazards increases the validation case. Percentage indicator of traceability of requirements. All derived software safety requirements must be traceable to system hazards or System of Systems hazards (# Traceable Software Safety Requirements / # Software Safety Requirements) * 100 - SOFTWARE SEMI-AUTOMATIC* STATIC*   YES This is related to software and the design          
217 11   YES Coverage - - - - Percentage of identified corrective action that has not been implemented       ORGANISATION       ¿?            
218 11   YES Coverage - - - - Percentage of incidents that are a recurrence of previous incidents       ORGANISATION MANUAL* DYNAMIC*   NO This a high level metric          
219 11   YES Coverage - - - - Percentage of increases in reported security incidents       ORGANISATION SEMI-AUTOMATIC* DYNAMIC*   NO This is a high level metric, and it is related with attacks on a organisation's network          
220 11   YES Coverage - - - - Percentage of IT assets for which fault tolerance mechanisms have been implemented       ORGANISATION AUTOMATIC* DYNAMIC*   NO This is a high level metric, and it is related with attacks on a organisation's network          
221 11   YES Coverage - - - - Percentage of IT assets for which recovery procedures have been defined and implemented       ORGANISATION AUTOMATIC* DYNAMIC*   NO This is a high level metric, and it is related with attacks on a organisation's network          
222 11   YES Coverage - - - - Percentage of IT assets for which redundancy mechanisms have been implemented       ORGANISATION AUTOMATIC* DYNAMIC*   NO This is a high level metric, and it is related with attacks on a organisation's network          
223 11   YES Coverage - - - - Percentage of new components that were deployed in the system all at once       ORGANISATION                    
224 11   YES Coverage - - - - Percentage of organization attended security training       ORGANISATION                    
225 11   YES Coverage - - - - Percentage of Organization contributing to development       ORGANISATION                    
226 11   YES Coverage - - - - Percentage of reported incidents that have been followed up and mitigated       ORGANISATION SEMI-AUTOMATIC* DYNAMIC*   NO This is a high level metric, and it is related with attacks on a organisation's network          
227 11   YES Coverage - - - - Percentage of reported security incidents where the cause of the incident was identified       ORGANISATION                    
228 11   YES Coverage - - - - Percentage of security incidents related to incorrect, incomplete, missing or compromised audit data       ORGANISATION MANUAL* DYNAMIC*   NO This is a high level metric, and it is related with attacks on a organisation's network          
229 11   YES Coverage - - - - Percentage of security incidents related to lack of an audit capability       ORGANISATION MANUAL* DYNAMIC*   NO This is a high level metric, and it is related with attacks on a organisation's network          
230 11   YES Coverage - - - - Percentage of security incidents related to the ability to bypass an audit function       ORGANISATION MANUAL* DYNAMIC*   NO This is a high level metric, and it is related with attacks on a organisation's network          
231 11   YES Coverage - - - - Percentage of security incidents that exploited existing vulnerabilities with known solutions       ORGANISATION SEMI-AUTOMATIC* DYNAMIC*   NO This is a high level metric, and it is related with attacks on a organisation's network          
232 11   YES Coverage - - - - Percentage of servers with installed and active automatic hard-disk encryption       NETWORK       NO Although this cannot be applied directly, this can be something to check for in the checklist          
233 11   YES Coverage - - - - Percentage of system architecture for which failure modes have been thoroughly identified       ORGANISATION SEMI-AUTOMATIC* DYNAMIC*   ¿? This is a high level metric, but the concept might be applied to embedded systems          
234 11   YES Coverage - - - - Percentage of system changes that were reviewed for security impacts before implementation       ORGANISATION                    
235 11   YES Coverage - - - - Percentage of system for which approved configuration settings has been implemented       ORGANISATION AUTOMATIC* DYNAMIC*   NO This is a high level metric. Different configurations of the device can be tested, but this might not be suitable for assessment          
236 11   YES Coverage - - - - Percentage of system that depends on external components that the organization lacks control over       ORGANISATION SEMI-AUTOMATIC* DYNAMIC*   ¿? This can be applied to components of thirds parties, as libraries that have not been tested          
237 11   YES Coverage - - - - Percentage of system that has been subject to risk analysis       ORGANISATION AUTOMATIC* STATIC*   ¿? If the risk analysis can be done just to a percentage of the device, this can be applied. Although it might not make sense to do that          
238 11   YES Coverage - - - - Percentage of system that is continuously monitored for configuration policy compliance       ORGANISATION AUTOMATIC* DYNAMIC*   NO This is a high level metric          
239 11   YES Coverage - - - - Percentage of system where permissions to install non-standard software is limited or prohibited       ORGANISATION AUTOMATIC* DYNAMIC*   NO Software cannot be installed on a embedded system          
240 11   YES Coverage - - - - Percentage of system where the authority to make configuration changes is limited in accordance to policy       ORGANISATION AUTOMATIC* DYNAMIC*   NO This is a high level metric          
241 11   YES Coverage - - - - Percentage of systems with the latest approved patches installed       ORGANISATION AUTOMATIC* DYNAMIC*   NO This is related to an organisation security          
242 11   YES Coverage - - - - Percentage of sytems exposed at time of malware                            
243 11 X YES Coverage - - - - PercentValidatedInput INPUTS To compute this metric, let T equal the count of the amount of input forms or interfaces the application exposes (the number of HTML form POSTs, GETs, and so on) and let V equal the number of these interfaces that use input validation mechanisms. The ratio V/T makes a strong statement about the Web application’s vulnerability to exploits from invalid input - SOFTWARE - -   YES This could be adapted to other pieces of code, rather than just HTML          
244 11   YES Coverage - - - - Ratio of Design Decisions (RDD)   Ratio of the number of design decisions related to security to the total number of design decisions of the entire system. The objective is to assess the portion of design dedicated to security - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? This is related to design phase          
245 11   YES Coverage - - - - Ratio of Design Flaws Related to Security (RDF)   Ratio of design flaws related to security to the total number of design flaws applicable to the whole system - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? This is related to design phase          
246 11   YES Coverage - - - - Ratio of extension misuse cases extended once to the total number of extension misuse cases DESIGN Are the functional decompositions between misuse cases correctly handled? 1 - (# Extension Misuse Cases included once / # Extension Misuse Cases) - SOFTWARE MANUAL* STATIC*   NO This metric is intended to be use in the design phase. This cannot be applied in a security assessment          
247 11   YES Coverage - - - - Ratio of Implementation Errors That Have an Impact on Security (RSERR)   Ratio of the number of errors related to security to the total number of errors in the implementation of the system (i.e. NERR) - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? This is related to design phase          
248 11   YES Coverage - - - - Ratio of inclusion misuse cases included once to the total number of inclusion misuse cases DESIGN Are the functional decompositions between misuse cases correctly handled? (# Inclusion Misuse Cases included once) / (# Inclusion Misuse Cases) - SOFTWARE MANUAL* STATIC*   NO This metric is intended to be use in the design phase. This cannot be applied in a security assessment          
249 11   YES Coverage - - - - Ratio of misuse cases used as pre/post conditions of other misuse cases to the total number of misuse cases DESIGN Are the functional decompositions between misuse cases correctly handled? (# Misuse Cases used as pre/post conditions) / (# Misuse Cases) - SOFTWARE MANUAL* STATIC*   NO This metric is intended to be use in the design phase. This cannot be applied in a security assessment          
250 11   YES Coverage - - - - Ratio of Patches Issued to Address Security Vulnerabilities (RP)   Ratio of the number of patches that are issued to address security vulnerabilities to the total number of patches of the system - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? If the design is available, it can be applied          
251 11   YES Coverage - - - - Ratio of Security Requirements (RSR)   Ratio of the number of requirements that have direct impact on security to the total number of requirements of the system - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? If the design is available, it can be applied          
252 11   YES Coverage - - - - Ratio of Security Test Cases (RTC)   Number of test cases designed to detect security issues to the total number of test cases of the entire system - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? If the design is available, it can be applied          
253 11   YES Coverage - - - - Ratio of Security Test Cases that Fail (RTCP)   Number of test cases that detect implementation errors (i.e. the ones that fail) to the total number of test cases, designed specifically to target security issues - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? If the design is available, it can be applied          
254 11   YES Coverage - - - - Ratio of Shared Resources (RSR)                            
255 11   YES Coverage - - - - Ratio of Software Changes Due to Security Considerations (RSC)   Number of changes in the system triggered by a new set of security requirements. Software changes due to security considerations include patches that are released after a system is delivered, or any other security updates - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? If the design is available, it can be applied          
256 11   YES Coverage - - - - Ratio of the number of included security requirements to the total number of stated security requirements DESIGN How vulnerable is the application based on the stated security requirements? 1 - ( (# Stated Security Requirements - # Excluded Stated Security Requirements) / # Stated Security Requirements ) - SOFTWARE MANUAL* STATIC*   NO This metric is intended to be use in the design phase. This cannot be applied in a security assessment          
257 11   YES Coverage - - - - Ratio of the number of misuse cases that do not threaten the application to the total number of misuse cases DESIGN Do the misuse cases correctly represent the application vulnerabilities and are they consistent with application security use cases? (# Non-Threatening Misuse Cases) / (# Misuse Cases) - SOFTWARE MANUAL* STATIC*   NO This metric is intended to be use in the design phase. This cannot be applied in a security assessment          
258 11   YES Coverage - - - - Ratio of the Number of Omitted Exceptions (ROEX)   Ratio of the number of omitted exceptions (i.e. Noex) to the total number of exceptions that are related to security - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? If the software is available, it can be applied. It can be also applied to embedded software          
259 11   YES Coverage - - - - Ratio of the Number of Omitted Security Requirements (ROSR)   Ratio of the number of security requirements that have not been considered during the analysis phase (i.e. NOSR) to the total number of security requirements identified during the analysis phase (NSR) - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? If the design is available, it can be applied          
260 11   YES Coverage - - - - Ratio of the number of the base misuse cases associated to one misuser to the total number of base misuse cases DESIGN Are the misusers presented and handled correctly in the misuse case model? 1 - (# Base Misuse Cases Associated to one misuser / # Misuse Cases) - SOFTWARE MANUAL* STATIC*   NO This metric is intended to be use in the design phase. This cannot be applied in a security assessment          
261 11   YES Coverage - - - - Ratio of the number of unmitigated misuse cases that threaten the application to the total number of misuse cases DESIGN Do the misuse cases correctly represent the application vulnerabilities and are they consistent with application security use cases? (# Unmitigated Misuse Cases) / (# Misuse Cases) - SOFTWARE MANUAL* STATIC*   NO This metric is intended to be use in the design phase. This cannot be applied in a security assessment          
262 11   YES Coverage - - - - Readability of Classified Attributes (RCA)                            
263 11   YES Coverage - - - - Readability via Classified Methods (RCM)                            
264 11   YES Coverage - - - - Readability via Critical Classes (RCC)                            
265 11   YES Coverage - - - - Readability via Critical Classes (RCC)                            
266 11   YES Coverage - - - - Software Hazard Analysis Depth   Hazardous software, or safety-critical software, allocated as high- or medium-risk, according to the Software Hazard Criticality Matrix, requires analysis of second- and third-order causal factors (should they exist) - SOFTWARE SEMI-AUTOMATIC* STATIC*   YES Hazard is similar to risk.          
267 11   YES Coverage - - - - Static analysis alert density       SOFTWARE                    
268 11   YES Coverage - - - - Static analysis vulnerability density   Vulnerability metrics are typically normalized by code size to create vulnerability density metrics. Normalizing by size lets us compare software components of varying size. Number of vulnerabilities a static-analysis tool finds per thousand LOC -                      
269 11   YES Coverage - - - - Target Distribution (TD)                            
270 11   YES Coverage - - - - Unaccessed Assigned Classified Attribute (UACA)   The ratio of the number of classified attributes that are assigned but never used to the total number of classified attributes in the program - SOFTWARE - -   - Object-oriented programs          
271 11   YES Coverage - - - - Uncalled Classified Accessor Method (UCAM)   The ratio of the number of classified methods that access a classified attribute but are never called by other methods to the total number of classified methods in the program - SOFTWARE - -   - Object-oriented programs          
272 11   YES Coverage - - - - Unused Critical Accessor Class (UCAC)   The ratio of the number of classes which contain classified methods that access classified attributes but are never used by other classes to the total number of critical classes in the program - SOFTWARE - -   - Object-oriented programs          
273 11   YES Coverage - - - - Window of exposure                            
274 11   YES Coverage - - - - Writability of Classified Attributes (WCA)                            
275 11   YES Coverage - - - - Writability via Classified Methods (WCM)                            
276 11   YES Coverage - - - - Writability via Critical Classes (WCC)                            
277 11   YES Dependency - - - - Average internal data flow (AIDF)                            
278 11   YES Dependency - - - - Average external data flow (EDF)                            
279 11   YES Dependency - - - - Average incoming data flow (EDFIN)                            
280 11   YES Dependency - - - - Average outgoing data flow (EDFOUT)                            
281 11   YES Dependency - - - - Classified Attributes Inheritance (CAI) CODE The ratio of the number of classified attributes which can be inherited in a hierarchy to the total number of classified attributes in the program’s inheritance hierarchy - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
282 11   YES Dependency - - - - Classified Methods Inheritance (CMI) CODE The ratio of the number of classified methods which can be inherited in a hierarchy to the total number of classified methods in the program’s inheritance hierarchy - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
283 11   YES Dependency - - - - Coupling COUPLING Measures the following three coupling dimensions between modules: referential dependency, structural dependency, and data integrity dependency -                      
284 11   YES Dependency - - - - Coupling between components COUPLING                          
285 11   YES Dependency - - - - Coupling Between Object classes (CBOC) COUPLING Number of other classes coupled to a class C - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
286 11   YES Dependency - - - - Coupling Between Objects (CBO) COUPLING                          
287 11   YES Dependency - - - - Coupling Corruption Propagation COUPLING Coupling corruption propagation is meant to measure the total number of methods that could be affected by erroneous originating method. Coupling Corruption Propagation = Number of child methods invoked with the parameter(s) based on the parameter(s) of the original invocation - SOFTWARE SEMI-AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
288 11   YES Dependency - - - - Critical Classes Coupling (CCC) CODE The ratio of the number of all classes’ links with classified attributes to the total number of possible links with classified attributes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software          
289 11   YES Dependency - - - - Depth of Inheritance Tree (DIT)   Maximum depth of the class in the inheritance tree - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
290 11   YES Dependency - - - - Eigenvector Centrality (EvCent)                            
291 11   YES Dependency - - - - Flow_ Betweenness                            
292 11   YES Dependency - - - - Incoming closure                            
293 11   YES Dependency - - - - Incoming data flow of (EDFIN)                            
294 11   YES Dependency - - - - Incoming direct                            
295 11   YES Dependency - - - - InDegree                            
296 11   YES Dependency - - - - InDegreew                            
297 11   YES Dependency - - - - Internal data flow (IDF)                            
298 11   YES Dependency - - - - Lack of cohesion of methods (LCOM)   The LCOM value for a class C is defined as LCOM(C) = (1- \E(C)\ ÷ (\V(C)\ × \M(C)\)) × 100%, where V(C) is the set of instance variables, M(C) is the set of instance methods, and E(C) is the set of pairs (v,m) for each instance variable v in V(C) that is used by method m in M(C) - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
299 11   YES Dependency - - - - Layer information                            
300 11   YES Dependency - - - - Number of edges between two arbitrary nodes (IE)                            
301 11   YES Dependency - - - - NumCalls   The number of calls to the functions defined in an entity   SOFTWARE       YES If the software is available, it can be applied. It can be also applied to embedded software          
302 11   YES Dependency - - - - OutDegree                            
303 11   YES Dependency - - - - OutDegreew                            
304 11   YES Dependency - - - - Outgoing closure                            
305 11   YES Dependency - - - - Outgoing data flow of (EDFOUT)                            
306 11   YES Dependency - - - - Outgoing direct                            
307 11   YES Dependency - - - - Paths                            
308 11   YES Dependency - - - - Ratio between average outgoing and incoming data flow (OIR)                            
309 11   YES Dependency - - - - Reflection Package Boolean (RPB) CODE A boolean value representing whether the Java program imports the reflection package (1) or not (0) - SOFTWARE - -   - Object-oriented programs          
310 11   YES Dependency - - - - RW_ Betweenness                            
311 11   YES Dependency - - - - SPBetweenness                            
312     YES Dependency - - - - Vulnerability Propagation (VP) CODE Vulnerability Propagation (VP) of a class C, denoted by VP(C), is the set containing classes in the hierarchy which directly or indirectly inherit class C. Cardinality of set VP(C) represents the number of classes which have become vulnerable due to class C. Alternatively, Vulnerability Propagation of a class C is the total number of classes which directly or indirectly inherit class C. - SOFTWARE AUTOMATIC* STATIC*   YES This metric can be applied to embedded software          
313 11   YES Dependency - - - - Vulnerability Propagation Factor (VPF) CODE An Inheritance hierarchy may contain no class or one or more vulnerable classes. Also, there are more than one Inheritance hierarchies present in a design. So, calculation of Vulnerability Propagation Factor (VPF) of a design requires calculation of Vulnerability Propagation due to each vulnerable class in Inheritance hierarchies present in the design. Then, union of Vulnerability Propagation due to each vulnerable class will give overall Vulnerability Propagation in design. - SOFTWARE AUTOMATIC* STATIC*   YES This metric can be applied to embedded software          
314 11   YES Effort - - - - Access Complexity (AC) ACCESS This metric measures the complexity of attacks exploiting the vulnerability. A vulnerability with low complexity can be for example a buffer overflow in a web server, the vulnerability can be exploited at will                        
315 11   YES Effort - - - - Access Vector (AV) ACCESS This metric indicates from where an attacker can exploit the vulnerability                        
316 11   YES Effort - - - - Adversary Work Factor EFFORT Adversary work factor is an informative metric for gauging the relative strengths and weaknesses of modem information systems. However, this metric can be difficult to measure and evaluate - NETWORK MANUAL* DYNAMIC*   NO This metric has nothing to do with embedded systems and it is directly retaled to networks          
317 11   YES Effort - - - - Attackability   The number of inbound edges of a node in the hostbased attack graph represents all the direct attack paths that other hosts in the considered network can compromise to that node. This number can be used to compute the attackability metric of a host in the context of the system under study. The metric is based on intuitive properties derived from common sense. For example, the metric will indicate reduced confidence when more inbound edges exist. (1 - # inbound edges of the node/ total inbound edges) - NETWORK AUTOMATIC* STATIC*   NO This metric has nothing to do with embedded systems and it is directly retaled to networks          
318 11   YES Effort - - - - Authentication (AU) AUTHENTICATION This metric counts how often an attacker must authenticate before the vulnerability can be exploited                        
319 11   YES Effort - - - - Confidentiality Requirement (CR) CONFIDENTIALITY                          
320 11   YES Effort - - - - Damage potential-effort ratio   It indicates the level of damage an attacker can potentially cause to the system and the effort required for the attacker to cause such damage - DEVICE SEMI-AUTOMATIC* DYNAMIC*   YES It seems that it can be applied to embeded systems, but I am not sure if it is applicable in the evaluation phase          
321 11   YES Effort - - - - Depth                            
322 11   YES Effort - - - - ExclusiveExeTime   Execution time for the set of functions, S, defined in an entity excluding the execution time spent by the functions called by the functions in S                        
323 11   YES Effort - - - - Expected Time to Completion                            
324 11   YES Effort - - - - Exploitability (TE)                            
325 11   YES Effort - - - - InclusiveExeTime   Execution time for the set of functions, S, defined in an entity including all the execution time spent by the functions called directly or indirectly by the functions in S                        
326 11   YES Effort - - - - Integrity Requirement (IR)                            
327 11   YES Effort - - - - Mean Effort to security Failure                            
328 11   YES Effort - - - - Minimal cost of attack COST Minimal cost of attack represents the minimal cost that the attacker has to pay for the execution of an attack on a system - NETWORK* - -   NO Formal model. Formal verification. Too much notation. I think this is more related to networks          
329 11   YES Effort - - - - Minimal length of attacks   An intuition behind this metric is the following: the less steps an attacker has to make, the simpler is to execute the attack successfully, and the less secure the system is - NETWORK* - -   NO Formal model. Formal verification. Too much notation. I think this is more related to networks          
330 11   YES Effort - - - - Protection Rate (PR)   It expresses the efficiency of security mechanisms. Percentage of the known vulnerabilities protected by a given security mechanism. It is based on the Attack Surface metric. PR = (1 - AttackSurfaceEvaluatedSystem / AttackSurfaceReferenceSystem) * 100 - SOFTWARE SEMI-AUTOMATIC* DYNAMIC*   ¿? This metric was developed specificaly for OSGi platform, but I think it can be adapted to be applied to embedded systems          
331 11   YES Effort - - - - Rigor                            
332 11   YES Effort - - - - Side-channel Vulnerability Factor (SVF)   SVF quantifies patterns in attackers’ observations and measures their correlation to the victim’s actual execution patterns and in doing so captures systems’ vulnerability to side-channel attacks. we can measure information leakage by computing the correlation between ground-truth patterns and attacker observed patterns. We call this correlation Side-channel Vulnerability Factor (SVF). SVF measures the signal-to-noise ratio in an attacker’s observations. While any amount of leakage could compromise a system, a low signal-to-noise ratio means that the attacker must either make do with inaccurate results (and thus make many observations to create an accurate result) or become much more intelligent about recovering the original signal. We use phase detection techniques to find patterns in both sets of data then compute the correlation between actual patterns in the victim and observed patterns. - HARDWARE SEMI-AUTOMATIC* DYNAMIC*   YES Embedded devices can be vulnerable to side-channel attacks and they can be tested          
333 11   YES Effort - - - - Social Engineering Resistance (SER)   SER = <SERlow, SERhigh>; SERlow = (1 − (P + N − A)/N) ∗ 100; SERhigh = (1 − P/N) ∗ 100; where N is the number of individuals selected or invited to take part in the experiment; A is the number of active participants; P is the total number of valid password/username pairs obtained during the experiment - USER SEMI-AUTOMATIC* DYNAMIC*   NO Social engineering cannot be applied to a device          
334 11   YES Effort - - - - Structural severity RISK Measure that uses software attributes to evaluate the risk of an attacker reaching a vulnerability location from attack surface entry points. It is measured based on three values: high (reachable from an entry point), medium (reachable from an entry point with no dangerous system calls), low (not reachable from any entry points) - SOFTWARE SEMI-AUTOMATIC* DYNAMIC*   ¿? I am not sure if this metric can be applied to embedded software          
335 11   YES Effort - - - - Vulnerability exploitability                            
336 11   YES Effort - - - - Weakest adversary EFFORT It measures the security strength of a network in terms of the strength of the weakest adversary (i.e., requiring least amount of effort) who can successfully penetrate the network. We define a network configuration that is vulnerable to a weaker set of initial attacker attributes as less secure than a network configuration vulnerable to a stronger set of attributes - NETWORK AUTOMATIC* DYNAMIC*   NO Similar to 31. This is for networks, not for embedded systems          
337 11   YES Effort - - - - Vulnerability Index (VI)   Probability of a component’s vulnerability being exposed in a single execution - DEVICE MANUAL* DYNAMIC*   ¿? It seems that it can be applied to embeded systems, but I am not sure if it is applicable in the evaluation phase          
338 11   YES Effort - - - - Effective Vulnerability Index (EVI)   Relative measure of the impact of a component on the system’s insecurity - DEVICE SEMI-AUTOMATIC* DYNAMIC*   ¿? It seems that it can be applied to embeded systems, but I am not sure if it is applicable in the evaluation phase          
339 11   YES Organization - - - - CNBetweenness               NO            
340 11   YES Organization - - - - CNCloseness               NO            
341 11   YES Organization - - - - Depth of Master Ownership   This metric determines the level of ownership of the binary depending on the number of edits done. The organization level of the person whose reporting engineers perform more than 75% of the rolled up edits is considered as the DMO. This metric determines the binary owner based on activity on that binary. Our choice of 75% is based on prior historical information on Windows to quantify ownership.           NO            
342 11   YES Organization - - - - DNAvgBetweenness               NO            
343 11   YES Organization - - - - DNAvgCloseness               NO            
344 11   YES Organization - - - - DNAvgEdgeBetweenness               NO            
345 11   YES Organization - - - - DNMaxCloseness               NO            
346 11   YES Organization - - - - DNMaxDegree               NO            
347 11   YES Organization - - - - DNMaxEdgeBetweenness               NO            
348 11   YES Organization - - - - DNMinBetweenness               NO            
349 11   YES Organization - - - - DNMinDegree               NO            
350 11   YES Organization - - - - Edit Frequency   Total number of times the source code that makes up the binary was edited. An edit is when an engineer checks out code from the version control system, alters it, and checks it in again. This is independent of the number of lines of code altered during the edit -         NO            
351 11   YES Organization - - - - Level of Organizational Code Ownership   The percent of edits from the organization that contains the binary owner (or if there is no owner the percent of edits from the organization that made the majority of the edits to that binary) - ORGANISATION       NO It is at higher level. It is related to the organisation's security          
352 11   YES Organization - - - - New Effective Author (NEA)               NO            
353 11   YES Organization - - - - Number of Developers       ORGANISATION       NO It is at higher level. It is related to the organisation's security          
354 11   YES Organization - - - - Number of Ex-Engineers   Total number of unique engineers who have touched a binary and have left the company as of the release date of the software system - ORGANISATION       NO It is at higher level. It is related to the organisation's security          
355 11   YES Organization - - - - Organization Intersection Factor   The number of different organizations that contribute more than 10% of edits, as measured at the level of the overall org owners -         NO            
356 11   YES Organization - - - - Overall Organization Ownership   This is the ratio of the people at the DMO level making edits to a binary relative to total engineers editing the binary - ORGANISATION       NO It is at higher level. It is related to the organisation's security          
357 11   YES Size - - - - Arithmetic Expression                            
358 11   YES Size - - - - Array index                            
359 11   YES Size - - - - Attack Surface Metric   This metric has been proposed by Howard and Manadhata and Wing. Here we consider one of the latest versions of attack surface metric presented by Manadhata et al. - DEVICE* - -   - Similar to 8. Formal model. Formal verification. Too much notation. I think this is more related to networks          
360 11   YES Size - - - - Blank lines       SOFTWARE                    
361 11   YES Size - - - - Classified Attributes Total (CAT)   The total number of classified attributes in the program - SOFTWARE - -   - Object-oriented programs          
362 11   YES Size - - - - Classified Methods Total (CMT)   The total number of classified methods in the program - SOFTWARE - -   - Object-oriented programs          
363 11   YES Size - - - - Comment Lines       SOFTWARE                    
364 11   YES Size - - - - Component interface                            
365 11   YES Size - - - - Control operation                            
366 11   YES Size - - - - Count of Base Classes (CBC)   Number of base classes - SOFTWARE - -   -            
367 11   YES Size - - - - Critical Classes Total (CCT)   The total number of critical classes in the program - SOFTWARE - -   - Object-oriented programs          
368 11   YES Size - - - - Data format                            
369 11   YES Size - - - - Economy of Mechanism (PEM)                            
370 11   YES Size - - - - I/O management                            
371 11   YES Size - - - - Interface complexity density (I-density)                            
372 11   YES Size - - - - Kernel control                            
373 11   YES Size - - - - Lines of Code (LOC)       SOFTWARE                    
374 11   YES Size - - - - LOCVarDecl       SOFTWARE                    
375 11   YES Size - - - - Network planning       NETWORK                    
376 11   YES Size - - - - Number of Attacks   How many attacks on a system exist. The idea behind this metric is that the more attacks on a system exist the less secure the system is. This metric is applied for the simplest analysis of attack graphs. Number of attacks also can be used for the analysis of results of the penetration testing - NETWORK* - -   NO Formal model. Formal verification. Too much notation. I think this is more related to networks          
377 11   YES Size - - - - Number of data items transferred in an edge                            
378 11   YES Size - - - - Number of Design Decisions Related to Security (NDD)   The proposed metric aims at assessing the number of design decisions that address the security requirements of the system. During the design phase, it is common to end up with multiple solutions to the same problem. Software engineers make many design decisions in order to choose among alternative design solutions. - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? If the design is available, it can be applied          
379 11   YES Size - - - - Number of Developers       ORGANISATION       NO It has to do with the organisation and the development of the product. It is applied at the beginning of the life-cycle          
380 11   YES Size - - - - Number of elicited security use cases * DESIGN What is the number of elicited security use cases? # Elicited Security Use Cases - SOFTWARE MANUAL STATIC*   NO This metric is intended to be use in the design phase. This cannot be applied in a security assessment          
381 11   YES Size - - - - Number of excluded security requirements that ensure session handling * DESIGN Is session identifier created on server side? Is new session identifier assigned to user on authentication? Is session identifier changed on reauthentication? Is logout option provided for all operations that require authentication? Is session identifier cancelled when authenticated user logs out? Is session identifier killed after a period of time without any actions? Is user’s authenticated session identifier protected via secure data transmission protocol? - SOFTWARE MANUAL STATIC*   NO This metric is intended to be use in the design phase. This cannot be applied in a security assessment          
382 11   YES Size - - - - Number of excluded security requirements that put the system at risk of possible attacks * DESIGN Summation of the excluded security requirements that put the system at risk - SOFTWARE MANUAL STATIC*   NO This metric is intended to be use in the design phase. This cannot be applied in a security assessment          
383 11   YES Size - - - - Number of global variables *       SOFTWARE       YES If the software is available, it can be applied. It can be also applied to embedded software          
384 11   YES Size - - - - Number of identified misuse cases * DESIGN What is the number of misuse cases found? # Misuse Cases - SOFTWARE MANUAL STATIC*   NO This metric is intended to be use in the design phase. This cannot be applied in a security assessment          
385 11   YES Size - - - - Number of incoming connections (RIN)                            
386 11   YES Size - - - - Number of member nodes                            
387 11   YES Size - - - - Number of outgoing connections from (ROUT)                            
388 11   YES Size - - - - Number of parameters in the method signature                            
389 11   YES Size - - - - Number of published vulnerabilities       DEVICE                    
390 11   YES Size - - - - Number of return points in the method       SOFTWARE       YES If the software is available, it can be applied. It can be also applied to embedded software          
391 11   YES Size - - - - Number of Security Algorithms (NSA)   Number of security algorithms that are supported by the application - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? If the design is available, it can be applied, but this metric can be used in finals stages of the development life-cycle          
392 11   YES Size - - - - Number of Security Incidents Reported (NSR)   Number of incidents related to security that are reported by the users of the system - SOFTWARE SEMI-AUTOMATIC* DYNAMIC*   NO By definition, the values of this metric are collectec by the user. Son it can't be used in the valuation          
393 11   YES Size - - - - Number of Security Requirements (NSR) *   Number of security requirements identified during the analysis phase of the application - SOFTWARE MANUAL STATIC*   ¿? If the design is available, it can be applied          
394 11   YES Size - - - - Number of sub classes       SOFTWARE       YES If the software is available, it can be applied. It can be also applied to embedded software          
395 11   YES Size - - - - NumFunctions       SOFTWARE       YES If the software is available, it can be applied. It can be also applied to embedded software          
396 11   YES Size - - - - NumLineProcessor                            
397 11   YES Size - - - - Paths       SOFTWARE                    
398 11   YES Size - - - - Reduce Attack Surface (PRAS)                            
399 11   YES Size - - - - Resource allocation                            
400 11   YES Size - - - - Response set for a Class (RFC)   Set of methods that can potentially be executed in response to a message received by an object of that class. RFC is simply the number of methods in the set, including inherited methods - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
401 11   YES Size - - - - Security Absolute Measurements (SAM)                            
402 11   YES Size - - - - Stall Ratio CODE Stall ratio is a measure of how much a program’s progress is impeded by frivolous activities. stall ratio = (lines of non-progressive statements in a loop) / (total lines in the loop) - SOFTWARE SEMI-AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
403 11   YES Size - - - - Total Security Index (TSI)                            
404 11   YES Size - - - - User authority       USER                    
405 11   YES Size - - - - Volume of email correspondence with vulnerability handling team                            
406 11   YES Strength - - - - Availability Impact (A) AVAILABILITY                          
407 11   YES Strength - - - - Availability Requirement (AR) AVAILABILITY                          
408 11   YES Strength - - - - CMMI Level                            
409 11   YES Strength - - - - Comment ratio   Ratio of number of comment lines to number of code lines - SOFTWARE AUTOMATIC* STATIC*   YES If the software is available, it can be applied. It can be also applied to embedded software          
410 11   YES Strength - - - - CommentDensity   The ratio of lines of comments to lines of code -                      
411 11   YES Strength - - - - Compartmentalization CODE Compartmentalization means that systems and their components run in different compartments, isolated from each other. Thus a compromise of any of them does not impact the others. This metric can be measured as the number of independent components that do not trust each other (performs authentication and authorization for requests/calls coming from other system components) that the system is based on to deliver its function. The higher the compartmentalization value, the more secure the system - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? If the software is available, it can be applied. It can be also applied to embedded software          
412 11   YES Strength - - - - Completeness of fix                            
413 11   YES Strength - - - - Confidentiality CONFIDENTIALITY                          
414 11   YES Strength - - - - Confidentiality Impact (C) CONFIDENTIALITY               Similar to 22          
415 11   YES Strength - - - - Defense-In-Depth CODE This metric verifies that security controls are used at different points in the system chain including network security, host security, and application security. Components that have critical data should employ security controls in the network, host, and component layers. To assess this metric we need to capture system architecture and deployment models as well as the security architecture model. Then we can calculate the ratio of components with critical data that apply the layered security principle compared to number of critical components - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? I am not sure if this metric can be applied to embedded software, or at verification phases          
416 11   YES Strength - - - - Expected Reliability                            
417 11   YES Strength - - - - Fail Securely CODE The system does not disclose any data that should not be disclosed ordinarily at system failure. This includes system data as well as data about the system in case of exceptions. This metric can be evaluated from the security control responses – i.e. how the control behaves in case it failed to operate. From the system architecture perspective, we can assess it as the number of critical attributes and methods that can be accessed in a given component. The smaller the metric value, the likely more secure the system in case of failure - SOFTWARE SEMI-AUTOMATIC* STATIC*   YES This could be used in evaluation          
418 11   YES Strength - - - - Independence of Verification                            
419 11   YES Strength - - - - Inspection Performance Metric (IPM) TESTER It measures the performance of the people during the inspection process using the aforementioned parameters. # defects captured by inspection process /inspection effort - TESTER SEMI-AUTOMATIC* STATIC*   NO This metric is related to the tester          
420 11   YES Strength - - - - Integrity                            
421 11   YES Strength - - - - Isolation (PI) CODE This assesses the level of security isolation between system components. This means getting privileges to a component does not imply accessibility of other co-located components. This metric can be assessed using system architecture and deployment models. Components marked as confidential should not be hosted with nonconfidential (public) components. Methods that are not marked as confidential should not have access to confidential attributes or methods - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? I am not sure if this metric can be applied to embedded software          
422 11   YES Strength - - - - K-zero day safety   Instead of attempting to rank unknown vulnerabilities, the metric counts how many such vulnerabilities would be required for compromising network assets; a larger count implies more security because the likelihood of having more unknown vulnerabilities available, applicable, and exploitable all at the same time will be significantly lower - NETWORK SEMI-AUTOMATIC* STATIC*   NO Similar to 32. This has to do with probabilities. Can be applied, but I won't          
423 11   YES Strength - - - - Least Privilege CODE This metric states that each component and user should be granted the minimal privileges required to complete their tasks. This metric can be assessed from two perspectives: from the security controls perspective we can review users’ granted privileges. From the architectural analysis perspective this can be assessed as how the system is broken down to minimal possible actions i.e. the number of components that can access critical data. The smaller the value, the more secure the system - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? If the software is available, it can be applied. It can be also applied to embedded software          
424 11   YES Strength - - - - Mean Time To Failure TIME                          
425 11   YES Strength - - - - Report Confidence (RC)                            
426 11   YES Strength - - - - Risk control                            
427 11   YES Strength - - - - Risk identification                            
428 11   YES Strength - - - - Security resource indicator                            
429 11   YES Strength - - - - Service Mechanism Strength                            
430 11   YES Strength - - - - Software project management experience       ORGANISATION       NO It has to do with the organisation and the development of the product. It is applied at the beginning of the life-cycle          
431 11   YES Strength - - - - Trustworthiness   Trustworthiness of software means its worthy of being trusted to fulfill requirements which may be needed for a particular software component, application, system, or network. It involves attributes of stability, data security, quality, privacy, safety and so on. Software trustworthiness is interrelated with not only risk control in the software process, but also the quality management of the software development process. Furthermore, vision is needed to avoid excessive costs and schedule delays in development and risks management costs in operation; to improve development efforts; and above all - SOFTWARE - -   - -          
432 11   YES Strength - - - - Use of (automated) tools                            
433 11   YES Strength - - - - Variable Security Vulnerability CODE The security vulnerability of a variable v@l is determined by the combined security damage it might cause to the overall system security when v@l is attacked. The more security properties that can be left intact, the less vulnerable the variable is; on the other hand, the more security properties are violated, the more criticall the variable is. - SOFTWARE AUTOMATIC* STATIC*   ¿? This is only applicable if the source code is available          
434 11   YES Strength - - - - Vulnerability Confidence Coefficient (VCC)                            
435 11   YES Strength - - - - Vulnerability Free Days (VFD)   Percent of days in which the vendor’s queue of reported vulnerabilities for the product is empty - SOFTWARE SEMI-AUTOMATIC* DYNAMIC*   NO This metric is not suitable for the evaluation phase          
436 11   YES Weakness - - - - Attack Graph Probability                            
437 11   YES Weakness - - - - Average Active Vulnerabilities per day (AAV)   Median number of software vulnerabilities which are known to the vendor of a particular piece of software but for which patch has been publicly released by the vendor - SOFTWARE SEMI-AUTOMATIC* DYNAMIC*   NO This metric is not suitable for the evaluation phase          
438 11   YES Weakness - - - - Average time from incident detection until incident has been reported       ORGANISATION SEMI-AUTOMATIC* DYNAMIC*   ¿? This a high level metric, but it might be used during a penetration testing if the device has countermeasures implemented          
439 11 X YES Weakness - - - - BrokenAccountCount   Number of accounts that have no activity for more than 90 days and will never expire. Such accounts represent a clear risk of password compromise and resulting illegal access. - SOFTWARE - -   ¿?            
440 11   YES Weakness - - - - Collateral Damage Potential (CDP)                            
441 11   YES Weakness - - - - CVSS Base Score CVSS This group represents the properties of a vulnerability that don’t change over time, such as access complexity, access vector, degree to which the vulnerability compromises the confidentiality, integrity, and availability of the system, and requirement for authentication to the system - DEVICE         Similar to 15 - 26          
442 11   YES Weakness - - - - Developer Risk                            
443 11   YES Weakness - - - - Development Risk                            
444 11   YES Weakness - - - - Environment Risk                            
445 11   YES Weakness - - - - Excess Privilege                            
446 11   YES Weakness - - - - Expected threat frequency                            
447 11   YES Weakness - - - - Expected Vulnerability                            
448 11   YES Weakness - - - - ExploitedFlawCount                            
449 11   YES Weakness - - - - Faults found during manual inspection       SOFTWARE       YES It is related to software and it can be applied to embedded software          
450 11 X YES Weakness - - - - InjectionFlawCount                            
451 11   YES Weakness - - - - Integrity Impact (I)                            
452 11   YES Weakness - - - - Maximal probability of successful attack   The probability to accomplish an attack successfully is a well-known metric. The metric describes the most probable way to compromise the system - NETWORK* - -   NO Formal model. Formal verification. Too much notation. I think this is more related to networks          
453 11   YES Weakness - - - - Mean Failure Cost COST Mean Failure Cost MFC) used in the operational sense because the lack of security within the system may cause damage, in terms of lost productivity, lost business, lost data, resulting in security violations. We represent this loss by a random variable, and define MFC as the mean of this random variable. As discussed further, this quantity is not intrinsic to the system, but varies by stakeholder - ORGANISATION - -   NO This metric is not related to embeded systems, but to organisations          
454 11   YES Weakness - - - - Mean time from vendor patch availability to patch approval to patch installation       ORGANISATION SEMI-AUTOMATIC* DYNAMIC*   NO This a high level metric, and it is related with a network inside an organisation          
455 11   YES Weakness - - - - Mean time to incident detection TIME     ORGANISATION                    
456 11   YES Weakness - - - - Monitoring system use   Number of unauthorized attempts to access file, folders, device attachment, attempts to change security settings - ORGANISATION AUTOMATIC* DYNAMIC*   NO This can be adapted to be used in embedded systems, but this metric makes no sense in the evaluation phase          
457 11   YES Weakness - - - - Non-security failure reports                            
458 11   YES Weakness - - - - Number of Design Flaws Related to Security (NSDF)   Security-related design flaws occur when software is planned and specified without proper consideration of security requirements and principles. For instance, clear-text passwords are considered as design flaws. Design flaws can be detected using design inspection techniques (e.g., design reviews). Identifying the number of design flaws related to security can help detect security issues earlier in the design process - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? If the design is available, it can be applied          
459 11   YES Weakness - - - - Number of Exceptions That Have Been Implemented to Handle Execution Failures Related to Security (NEX)   Number of exceptions that have been included in the code to handle possible failures of the system due to an error in a code segment that has an impact on security - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? If the design is available, it can be applied          
460 11   YES Weakness - - - - Number of excluded security requirements that ensure input/output handling DESIGN Is a specific encoding scheme defined for all inputs? Is a process of canonicalization applied to all inputs? Is an appropriate validation defined and applied to all inputs, in terms of type, length, format/syntax and range? Is a whitelist Filtering approach is applied to all inputs? Are all the validations performed on the client and server side? Is all unsuccessful input handling rejected with an error message? Is all unsuccessful input handling logged? Is output data to the client filtered and encoded? Is output encoding performed on server side? - SOFTWARE MANUAL STATIC*   NO This metric is intended to be use in the design phase. This cannot be applied in a security assessment          
461 11   YES Weakness - - - - Number of function calls that don’t check return values                            
462 11   YES Weakness - - - - Number of Implementation Errors Found in the System (NERR)   Number of implementation errors of the system - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Related to the implementation phase          
463 11   YES Weakness - - - - Number of Implementation Errors Related to Security (NSERR)   Number of implementation errors of the system that have a direct impact on security. One of the most common security related implementation errors is the buffer overflow - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Related to the implementation phase          
464 11   YES Weakness - - - - Number of Omitted Exceptions for Handling Execution Failures Related to Security (NOEX)   Number of missing exceptions that have been omitted by software engineers when implementing the system. These exceptions can easily be determined through testing techniques. - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? Related to the implementation phase          
465 11   YES Weakness - - - - Number of Omitted Security Requirements (NOSR)   Number of requirements that should have been considered when building the application - SOFTWARE SEMI-AUTOMATIC* STATIC*   ¿? If the design is available, it can be applied          
466 11   YES Weakness - - - - Number of open security bugs                            
467 11   YES Weakness - - - - Number of reported security incidents       ORGANISATION SEMI-AUTOMATIC* DYNAMIC*   NO This is high level metric          
468 11   YES Weakness - - - - Number of security bulletins issues per year       DEVICE                    
469 11   YES Weakness - - - - Number of service accounts with weak or default passwords       SOFTWARE                    
470 11   YES Weakness - - - - Number of successful attempts to execute recovery this period       ORGANISATION SEMI-AUTOMATIC* DYNAMIC*   NO This is a high level metric, and it is related with attacks on a organisation's network          
471 11   YES Weakness - - - - Number of violations of the LP principle   Number of violations of the Least Privilege principle. A component does not adhere to LP if it, based upon the permissions attributed as described before, is capable of executing tasks it is not responsible for - SOFTWARE AUTOCATIC* STATIC*   YES This could be used in embedded systems          
472 11 X YES Weakness - - - - OverflowVulnCount                            
473 11   YES Weakness - - - - Percentage Software Hazards (PSH)   Comparing the number of software hazards identified against historical data, it indicates the sufficiency of the software hazard identification based on the identified hazards. (# software hazards / # System hazards ) * 100 - SOFTWARE SEMI-AUTOMATIC* STATIC*   Hazard is similar to risk.          
474 11   YES Weakness - - - - Project Management Risk                            
475 11   YES Weakness - - - - Remediation Level (RL)               NO Similar to 24          
476 11   YES Weakness - - - - Remediation Potency (RP)   Remediation potency refers to how good the remediation is against the vulnerability -         NO            
477 11   YES Weakness - - - - Remediation Scheme (RS)   It is used to describe the remediation process -         NO            
478 11   YES Weakness - - - - Requirements Risk                            
479 11   YES Weakness - - - - Security of system documentation   Total number of unauthorized accesses to system documentation / total number of access to system documentation * 100 - ORGANISATION SEMI-AUTOMATIC* DYNAMIC*   NO This might be useful to measure anything related to social engineering and information gathering and OSINT          
480 11   YES Weakness - - - - Static analysis alert count (number of)       SOFTWARE                    
481 11   YES Weakness - - - - Temporal Score   Temporal metrics represent the time dependent features of the vulnerabilitie - SOFTWARE SEMI-AUTOMATIC* DYNAMIC*   YES Similar to 23, 24 and 25. This is the final result that is obtained with those partial metrics. CVSS          
482 11   YES Weakness - - - - Time to close bug/vulnerability TIME                          
483 11   YES Weakness - - - - Time to Problem Correction TIME                          
484 11   YES Weakness - - - - Time to Problem Report TIME                          
485 11   YES Weakness - - - - User Risk       USER                    
486 11   YES Weakness - - - - Vulnerabilities found during requirements, design and coding       DEVICE                    
487 11   YES Weakness - - - - Vulnerabilities found post-development       DEVICE                    
488 11   YES Weakness - - - - Vulnerability Density CODE Number of vulnerabilities in the unit size of a code. VD = size of the software / # vulnerabilities in the system - SOFTWARE SEMI-AUTOMATIC* STATIC*   YES It seems that it can be applied to embeded systems, but I am not sure if it is applicable in the evaluation phase          
489 11   YES Weakness - - - - Weakness                            
490 11 X YES Weakness - - - - XsiteVulnCount   It is obtained via a penetration-testing tools - SOFTWARE - -   NO It is not clearly defined          
491 11   YES Dependency* - - - - Operational Environment Security Measurement                            
492 11   YES Dependency* - - - - Program Implementation Security Measurement                            
493 11   YES Dependency* - - - - Security Indictor of Software Systems (sic)                            
494 11   YES Dependency* - - - - Security metrics of Arithmetic Expression   The security flaws of arithmetic expression include divide by zero, overflow of arithmetic operation, misused data type of arithmetic expression, and truncation error of arithmetic operation - SOFTWARE AUTOMATIC* STATIC*   ¿? This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist          
495 11   YES Dependency* - - - - Security Metrics of Array Index   The security flaws of array index include index out of range, incorrect index variable and uncontrollable array index - SOFTWARE AUTOMATIC* STATIC*   ¿? This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist          
496 11   YES Dependency* - - - - Security Metrics of Component Interfaces   The security flaws of component interface include inconsistent parameter numbers, inconsistent data types, and inconsistent size of data types - SOFTWARE AUTOMATIC* STATIC*   ¿? This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist          
497 11   YES Dependency* - - - - Security Metrics of Control Operation   The security flaws of control operations include infinite loop, deadlock situations and boundary defects - SOFTWARE AUTOMATIC* STATIC*   ¿? This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist          
498 11   YES Dependency* - - - - Security Metrics of I/O Management   File is an important media which can store critical information and record log data. However, file privilege definition, file access management, file contents, file organization and file size are major factors to affect the security software operation - SOFTWARE AUTOMATIC* STATIC*   ¿? This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist          
499 11   YES Dependency* - - - - Security Metrics of Input Format   The security flaws of data format include mismatched data contents, mismatched data type, mismatch data volume - SOFTWARE AUTOMATIC* STATIC*   ¿? This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist          
500 11   YES Dependency* - - - - Security Metrics of Kernel Operation   A released software system must be adapted to a suitable operating system and environment. The kernel of operating system and environment become a critical factor to affect the operating security of software system. Resource management, execution file protection, main memory control and process scheduling are major tasks of operating system. The security flaws, which embedded in the tasks of operating system, become high security risk for software system operation - SOFTWARE AUTOMATIC* STATIC*   ¿? This is not a metric, but a group of them. Individually, they could be used if they are specified. Checklist. Only when there is an OS          
501 11   YES Dependency* - - - - Security Metrics of Network Environment   Network environment is a critical tool in the e-commerce years. However, data transmission management, remote access control, and transmission contents always become the security holes of software system operation - SOFTWARE AUTOMATIC* STATIC*   ¿? This is not a metric, but a group of them. Individually, they could be used if they are specified          
502 11   YES Dependency* - - - - Security Metrics of Resources Allocation   The security flaws of resource allocation include exhausted memory, unreleased memory exhausted resources, and unreleased resources - SOFTWARE AUTOMATIC* STATIC*   ¿? This is not a metric, but a group of them. Individually, they could be used if they are specified          
503 11   YES Dependency* - - - - Security Metrics of User Authority   Many users may use the released system to do specific jobs. However, user privilege definition, user password management and user detailed information maintenance are important tasks to control and manage the user authority. Without user authority control and management, the operation environment of software system will be on high security risk - SOFTWARE AUTOMATIC* STATIC*   ¿? This is not a metric, but a group of them. Individually, they could be used if they are specified          
504 11   YES Size* - - - - Instruction Count                            
505 11   YES Weakness* - - - - Attack-reward (URL Jumping)                            
506 11   YES Weakness* - - - - Classified Accessor Attribute Interactions (CAAI) CODE The ratio of the sum of all interactions between accessors and classified attributes to the possible maximum number of interactions between accessors and classified attributes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO Similar to 187. Object-oriented programs          
507 11   YES Weakness* - - - - Classified Attributes Inheritance (CAI) CODE The ratio of the number of classified attributes which can be inherited in a hierarchy to the total number of classified attributes in the program’s inheritance hierarchy - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO Similar to 284. Object-oriented programs          
508 11   YES Weakness* - - - - Classified Attributes Interaction Weight (CAIW) CODE The ratio of the number of all interactions with classified attributes to the total number of all interactions with all attributes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO Similar to 188. Object-oriented programs          
509 11   YES Weakness* - - - - Classified Class Data Accessibility (CCDA) CODE The ratio of the number of non-private classified class attributes to the number of classified attributes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO Similar to 189. Object-oriented programs          
510 11   YES Weakness* - - - - Classified Instance Data Accessibility (CIDA) CODE The ratio of the number of non-private classified instance attributes to the number of classified attributes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO Similar to 190. Object-oriented programs          
511 11   YES Weakness* - - - - Classified Method Extensibility (CME) CODE The ratio of the number of the non-finalised classified methods in program to the total number of classified methods in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO Similar to 191. Object-oriented programs          
512 11   YES Weakness* - - - - Classified Methods Inheritance (CMI) CODE The ratio of the number of classified methods which can be inherited in a hierarchy to the total number of classified methods in the program’s inheritance hierarchy - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO Similar to 258. Object-oriented programs          
513 11   YES Weakness* - - - - Classified Methods Weight (CMW) CODE The ratio of the number of classified methods to the total number of methods in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO Similar to 192. Object-oriented programs          
514 11   YES Weakness* - - - - Classified Mutator Attribute Interactions (CMAI) CODE The ratio of the sum of all interactions between mutators and classified attributes to the possible maximum number of interactions between mutators and classified attributes in the program. - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO Similar to 193. Object-oriented programs          
515 11   YES Weakness* - - - - Classified Operation Accessibility (COA) CODE The ratio of the number of non-private classified methods to the number of classified methods in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO Similar to 194. Object-oriented programs          
516 11   YES Weakness* - - - - CNBetweenness                            
517 11   YES Weakness* - - - - Composite-Part Critical Classes (CPCC)   The ratio of the number of critical composed-part classes to the total number of critical classes in the program - SOFTWARE - -   - Similar to 196          
518 11   YES Weakness* - - - - Confidentiality CONFIDENTIALITY               Similar to 413          
519 11   YES Weakness* - - - - Critical Class Extensibility (CCE) CODE The ratio of the number of the non-finalised critical classes in program to the total number of critical classes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO Similar to 201. Object-oriented programs          
520 11   YES Weakness* - - - - Critical Design Proportion (CDP) CODE The ratio of the number of critical classes to the total number of classes in the program - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO Similar to 202. Object-oriented programs          
521 11   YES Weakness* - - - - Critical Superclasses Inheritance (CSI) CODE The ratio of the sum of classes which may inherit from each critical superclass to the number of possible inheritances from all critical classes in the program’s inheritance hierarchy - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO Similar to 205. Object-oriented programs          
522 11   YES Weakness* - - - - Critical Superclasses Proportion (CSP) CODE The ratio of the number of critical superclasses to the total number of critical classes in the program’s inheritance hierarchy - SOFTWARE SEMI-AUTOMATIC* STATIC*   NO Similar to 206. Object-oriented programs          
523 11   YES Weakness - - - - Design Size       SOFTWARE ARDWARE                    
524 11   YES Weakness - - - - DNMaxEdgeBetweenness                            
525 11   YES Weakness* - - - - Knot Count                            
526 11   YES Weakness - - - - Kolmogorov Complexity       SOFTWARE                    
527 11   YES Weakness* - - - - Measurement of Cost                            
528 11   YES Weakness* - - - - Number of Developers       ORGANISATION       NO It is no related directly with the device          
529 11   YES Weakness - - - - Potency                            
530 11   YES Weakness - - - - Resilience                            
531 11   YES Weakness* - - - - Shortest Path                            

Author: Angel Longueira

Created: 2020-04-28 Tue 16:58