3rd Reduction

PAPER

TAXONOMY

LEVEL 0

LEVEL 1

LEVEL 2

LEVEL 3

LEVEL 4

METRIC

KEY WORD

DEFINITION

SCALE

SCOPE

AUTOMATION

MEASUREMENT

WHAT?

USABLE

REASON

YES

Vulnerability metrics

Measuring User Vulnerabilities

Phishing Susceptibility

False positives (FP)

USER

Percentage of flagging genuine email as phishing email

RATIO

USER

DYNAMIC

Phishing affects only people. It exploits a user vulnerability. This evaluates the user, not the device

HERE, THE ROWS WITH NO INFORMATION WERE DELETED

YES

Vulnerability metrics

Measuring User Vulnerabilities

Phishing Susceptibility

False negatives (FN)

USER

Percentage of detecting a phishing email as a genuine email

RATIO

USER

DYNAMIC

Phishing affects only people. It exploits a user vulnerability. This evaluates the user, not the device

HERE, THE ROWS WITH "SIMILAR TO X" WERE DELETED

YES

Vulnerability metrics

Measuring User Vulnerabilities

Malware Susceptibility

User’s online behavior

USER

RATIO

USER

DYNAMIC

Phishing affects only people. It exploits a user vulnerability. This evaluates the user, not the device. This is only a suggestion. Not defined

HERE, THE ROWS WHOSE SCOPE IS "ORGANISATION" WERE DELETED

YES

Vulnerability metrics

Measuring User Vulnerabilities

Malware Susceptibility

Users’ susceptibility to attacks

USER

RATIO

USER

UNKNOWN

This evaluates the user, not the device. This is only a suggestion. Not defined

This information was induced by me

YES

Vulnerability metrics

Measuring User Vulnerabilities

Password Vulnerabilities

Entropy

PASSWORD

USER

AUTOMATIC

STATIC

YES

This could be used with keys instead of passwords to measure randomness

HW + SW

DEVICE

YES

Vulnerability metrics

Measuring User Vulnerabilities

Password Vulnerabilities

Password guessability (statistical / parameterized)

PASSWORD

This metric measures the guessability of a set of passwords (rather than for individual passwords) by an “idealized” attacker with the assumption of a perfect guess / This metric measures the number of guesses an attacker needs to make via a particular cracking algorithm (i.e., a particular threat model) before recovering a particular password and training data. Different password cracking algorithms leads to different results

RATIO BSOLUTE

USER

AUTOMATIC

STATIC

Passwords are for people. Devices use keys (that are much more larger)

YES

Vulnerability metrics

Measuring User Vulnerabilities

Password Vulnerabilities

Password strength meter

PASSWORD

This metric measures the password strength via an estimated effort to guess the password, while considering factors such as the character set (e.g., special symbols are required or not), password length, whitespace permissibility, password entropy, and blacklisted passwords being prevented or not. One variant metric is adaptive password strength, which is used to improve the accuracy of strength estimation

ORDINAL

USER

AUTOMATIC

STATIC

Passwords are for people. Devices use keys (that are much more larger)

YES

Vulnerability metrics

Measuring Interface-Induced Vulnerabilities

Attack surface

SURFACE

It aim to measure the ways by which an attacker can compromise a targeted software

ABSOLUTE

DEVICE

STATIC

DEVICE

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Temporal Attributes of Vulnerabilities

Evolution of vulnerabilities

Historical vulnerability metric

VULNERABILITY

It measures the degree that a system is vulnerable (i.e., frequency of vulnerabilities) in the past

RATIO BSOLUTE ISTRIBUTION

DEVICE

STATIC

YES

This could be part of a checklist of task, to check if there is any vulnerability that affects the device

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Temporal Attributes of Vulnerabilities

Evolution of vulnerabilities

Historically exploited vulnerability metric

VULNERABILITY

It measures the number of vulnerabilities exploited in the past

RATIO BSOLUTE ISTRIBUTION

DEVICE

STATIC

YES

This could be part of a checklist of task, to check if there is any vulnerability that affects the device

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Temporal Attributes of Vulnerabilities

Evolution of vulnerabilities

Future vulnerability metric

VULNERABILITY

It measures the number of vulnerabilities that will be discovered during a future period of time

RATIO BSOLUTE ISTRIBUTION

DEVICE

STATIC

If this has to do with statistic and probabilities, I think it is better not to use it

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Temporal Attributes of Vulnerabilities

Evolution of vulnerabilities

Future exploited vulnerability metric

VULNERABILITY

It measures the number of vulnerabilities that will be exploited during a future period of time

RATIO BSOLUTE ISTRIBUTION

DEVICE

STATIC

If this has to do with statistic and probabilities, I think it is better not to use it

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Temporal Attributes of Vulnerabilities

Evolution of vulnerabilities

Tendency-to-be-exploited metric

It measures the tendency that a vulnerability may be exploited, where the “tendency” may be derived from information sources such as posts on Twitter before vulnerability disclosures

RATIO BSOLUTE ISTRIBUTION

DEVICE

STATIC

¿?

This research work might not be part of a security evaluation, but could be applied if so

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Temporal Attributes of Vulnerabilities

Vulnerability lifetime

VULNERABILITY

Client-end vulnerabilities Server-end vulnerabilities Cloud-end vulnerabilities

ABSOLUTE

NETWORK

STATIC

Clearly related to nerworks

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of Individual Software Vulnerabilities

CVSS Base

Exploitability Metrics

Attack vector

Describes whether a vulnerability can be exploited remotely, adjacently, locally, or physically (i.e., attacker must have physical access to the computer)

NOMINAL

SOFTWARE

STATIC

YES

For calculating new vulnerabilities, or to know each dimension of known vulnerabilities

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of Individual Software Vulnerabilities

CVSS Base

Exploitability Metrics

Attack complexity

Describes the conditions that must hold before an attacker can exploit the vulnerability, such as low or high

ORDINA

SOFTWARE

STATIC

YES

For calculating new vulnerabilities, or to know each dimension of known vulnerabilities

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of Individual Software Vulnerabilities

CVSS Base

Exploitability Metrics

Privilege required

Describes the level of privileges that an attacker must have in order to exploit a vulnerability, such as none, low, or high

ORDINAL

SOFTWARE

STATIC

YES

For calculating new vulnerabilities, or to know each dimension of known vulnerabilities

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of Individual Software Vulnerabilities

CVSS Base

Exploitability Metrics

User interaction

Describes whether the exploitation of a vulnerability requires the participation of a user (other than the attacker), such as none or required

NOMINAL

SOFTWARE

STATIC

YES

For calculating new vulnerabilities, or to know each dimension of known vulnerabilities

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of Individual Software Vulnerabilities

CVSS Base

Exploitability Metrics

Authorization scope

Describes whether or not a vulnerability has an impact on resources beyond its privileges (e.g., sandbox or virtual machine), such as unchanged or changed

NOMINAL

SOFTWARE

STATIC

YES

For calculating new vulnerabilities, or to know each dimension of known vulnerabilities

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of Individual Software Vulnerabilities

CVSS Base

Impact Metrics

Confidentiality impact

CONFIDENTIALITY

The impact of a successful exploitation of a vulnerability in terms of confidentiality such as none, low, high

ORDINAL

SOFTWARE

STATIC

YES

For calculating new vulnerabilities, or to know each dimension of known vulnerabilities

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of Individual Software Vulnerabilities

CVSS Base

Impact Metrics

Integrity impact

The impact of a successful exploitation of a vulnerability in terms of integrity such as none, low, high

ORDINAL

SOFTWARE

STATIC

YES

For calculating new vulnerabilities, or to know each dimension of known vulnerabilities

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of Individual Software Vulnerabilities

CVSS Base

Impact Metrics

Availability impact

AVAILABILITY

The impact of a successful exploitation of a vulnerability in terms of availability, such as none, low, high

ORDINAL

SOFTWARE

STATIC

YES

For calculating new vulnerabilities, or to know each dimension of known vulnerabilities

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of Individual Software Vulnerabilities

CVSS Base

CVSS Temporal Metrics

Exploit code maturity

The likelihood a vulnerability can be attacked based on the current exploitation techniques, such as undefined, unproven, proof-of-concept, functional, or high

ORDINAL

SOFTWARE

STATIC

YES

For calculating new vulnerabilities, or to know each dimension of known vulnerabilities

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of Individual Software Vulnerabilities

CVSS Base

CVSS Temporal Metrics

Remediation level

Describes whether or not a remediation method is available for a given vulnerability, such as undefined, unavailable, workaround, temporary fix, or official fix

NOMINAL

SOFTWARE

STATIC

YES

For calculating new vulnerabilities, or to know each dimension of known vulnerabilities

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of Individual Software Vulnerabilities

CVSS Base

CVSS Temporal Metrics

Report confidence

Measures the level of confidence for a given vulnerability as well as known technical details, such as unknown, reasonable, or confirmed

NOMINAL

SOFTWARE

STATIC

YES

For calculating new vulnerabilities, or to know each dimension of known vulnerabilities

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of Individual Software Vulnerabilities

CVSS Base

CVSS Environmental Metrics

Security requirement

Describes environment-dependent security requirements in terms of confidentiality, integrity, and availability, such as not defined, low, medium, or high

NOMINAL

SOFTWARE

STATIC

YES

For calculating new vulnerabilities, or to know each dimension of known vulnerabilities

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of a Collection of Vulnerabilities

Deterministic Severity Metrics (attack graphs)

Topology metrics

Depth metric

Ratio of the diameter of a domain-level attack graph over the diameter in the most secure case, implying that the larger the diameter, the more secure the network

NETWORK

STATIC

It is related to the topological properties of attack graphs

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of a Collection of Vulnerabilities

Deterministic Severity Metrics (attack graphs)

Topology metrics

Existence, number, and lengths of attack paths metrics

It uses the attributes of attack paths from an initial state to the goal state. These metrics can be used to compare two attacks

NETWORK

STATIC

It is related to the topological properties of attack graphs

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of a Collection of Vulnerabilities

Deterministic Severity Metrics (attack graphs)

Effort metrics

Necessary defense metric

It estimates a minimal set of defense countermeasures necessary for thwarting a certain attack

DEVICE

STATIC

YES

This is related with the defenses that are necesary to implement so the system is secure for a certain vulnerability

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of a Collection of Vulnerabilities

Deterministic Severity Metrics (attack graphs)

Effort metrics

Effort-to-security-failure metric

EFFORT

It measures an attacker’s effort to reach its goal state

DEVICE

DYNAMIC*

YES

Although it might be difficult to estimate, this could be also included in the evaluation process

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of a Collection of Vulnerabilities

Deterministic Severity Metrics (attack graphs)

Effort metrics

Weakest adversary metric

EFFORT

It estimates minimum adversary capabilities required to achieve an attack goal

DEVICE

DYNAMIC*

¿?

If the effort can be calculated in an objective manner, this could be used in embedded systems

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of a Collection of Vulnerabilities

Deterministic Severity Metrics (attack graphs)

Effort metrics

k-zero-day-safety metric

It measures a number of zero-day vulnerabilities for an attacker to compromise a target

DEVICE

STATIC

This has to do with probabilities. Can be applied, but I won't

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of a Collection of Vulnerabilities

Probabilistic Severity Metrics

Metrics treating CVSS scores as atomic parameters

Likelihood of exploitation

It measures the probability that an exploit will be executed by an attacker with certain capabilities

SOFTWARE

STATIC

¿?

This is related with statistics and risk assessment. It could be applied

YES

Vulnerability metrics

Measuring Software Vulnerabilities

Severity of a Collection of Vulnerabilities

Probabilistic Severity Metrics

Metrics not treating CVSS scores as atomic parameters

Effective base metric / scope

Given an attack graph and a subset of exploits, the effective base metric aims to adjust the CVSS base metric by taking the highest value of the ancestors of an exploit to reflect the worst-case scenario, while the effective base score metric is calculated based on the effective base metric

SOFTWARE

STATIC

YES

Defense metrics

Strength of Preventive Defenses

Metrics for Blacklisting

Reaction time metric

TIME

It captures the delay between the observation of the malicious entity at time t and the blacklisting of the malicious entity at time t (i.e., t − t)

ABSOLUTE

DEVICE

DYNAMIC

YES

If the device has any kind of detection mechanism, this could be used. Detection and reaction might have different times

YES

Defense metrics

Strength of Preventive Defenses

Metrics for Blacklisting

Coverage metric

COVERAGE

It estimates the portion of blacklisted malicious players

ORDINAL

DEVICE

STATIC

YES

This could be used, but the device has to have a blacklist

YES

Defense metrics

Strength of Preventive Defenses

Metrics for DEP

NO METRIC IS DEFINED

No metrics have been defined to measure the effectiveness of DEP. The effectiveness of DEP can be measured based on the probability of being compromised by a certain attack A(t) over all possible classes of attacks

DEVICE

No metric is defined

YES

Defense metrics

Strength of Preventive Defenses

Metrics for CFI

Average indirect target reduction

It counts the overall reduction of targets for any indirect control-flow transfer. It measures the overall reduction in terms of the number of targets exploitable by the attacker where smaller targets are more secure

ABSOLUTE

UNKNOWN

YES

Defense metrics

Strength of Preventive Defenses

Metrics for CFI

Average target size

Ratio between the size of the largest target and the number of targets

UNKNOWN

YES

Defense metrics

Strength of Preventive Defenses

Metrics for CFI

Evasion resistance

It is measured against control flow bending attacks, reflecting the effort (or premises) that an attacker must make (or satisfy) for evading the CFI scheme

UNKNOWN

YES

Defense metrics

Measuring the Strength of Reactive Defenses

Metrics for Monitoring

Coverage metric

COVERAGE

It measures the fraction of events detectable by a specific sensor deployment, reflecting a defender’s need in monitoring events

DEVICE

DYNAMIC

UNKNOWN

YES

Defense metrics

Measuring the Strength of Reactive Defenses

Metrics for Monitoring

Redundancy metric

It estimates the amount of evidence provided by a specific sensor deployment to detect an event

DEVICE

DYNAMIC

YES

This can be applied to devices as a whole, to check any mechanism of intrusion detection (mostly, tanti-tampering and software)

YES

Defense metrics

Measuring the Strength of Reactive Defenses

Metrics for Monitoring

Confidence metric

It measures how well-deployed sensors detect an event in the presence of compromised sensors

DEVICE

DYNAMIC

YES

This can be applied to devices as a whole, to check any mechanism of intrusion detection (mostly, tanti-tampering and software)

YES

Defense metrics

Measuring the Strength of Reactive Defenses

Metrics for Detection Mechanisms

Individual Strength of Defense Mechanisms

Detection time

TIME

For instrument-based attack detection, this metric is used to measure the delay between the time t0 at which a compromised computer sends its first scan packet and the time t that a scan packet is observed by the instrument

UNKNOWN

YES

Defense metrics

Measuring the Strength of Reactive Defenses

Metrics for Detection Mechanisms

Individual Strength of Defense Mechanisms

Intrusion detection metrics

True-positive rate

INTRUSION

It is the probability that an intrusion is detected as an attack

NETWORK

DYNAMIC

This is clearly a network-oriented metric

YES

Defense metrics

Measuring the Strength of Reactive Defenses

Metrics for Detection Mechanisms

Individual Strength of Defense Mechanisms

Intrusion detection metrics

False-negative rate

INTRUSION

It is the probability that an intrusion is not detected as an attack

NETWORK

DYNAMIC

This is clearly a network-oriented metric

YES

Defense metrics

Measuring the Strength of Reactive Defenses

Metrics for Detection Mechanisms

Individual Strength of Defense Mechanisms

Intrusion detection metrics

True-negative rate

INTRUSION

It is the probability that a non-intrusion is not detected as an attack

NETWORK

DYNAMIC

This is clearly a network-oriented metric

YES

Defense metrics

Measuring the Strength of Reactive Defenses

Metrics for Detection Mechanisms

Individual Strength of Defense Mechanisms

Intrusion detection metrics

False-positive rate

INTRUSION

Also known as false alarm rate, it is the probability that a nonintrusion is detected as an attack

NETWORK

DYNAMIC

This is clearly a network-oriented metric

YES

Defense metrics

Measuring the Strength of Reactive Defenses

Metrics for Detection Mechanisms

Individual Strength of Defense Mechanisms

Intrusion detection metrics

Intrusion detection capability metric

INTRUSION

It is the normalized metric of I(I, O) with respect to H(I) based on the base rate where I is the input to the IDS as a stream of 0/1 random variables (0 for benign/normal and 1 for malicious/abnormal), O is the output of the IDS as a stream of 0/1 random variables (0 for no alert or normal; 1 for alert / abnormal), H(I) and H(O), respectively, denote the entropy of I and O, and I(I, O) = H(I) − H(I\O) is the mutual information between I and O

NETWORK

UNKNOWN

This is clearly a network-oriented metric

YES

Defense metrics

Measuring the Strength of Reactive Defenses

Metrics for Detection Mechanisms

Individual Strength of Defense Mechanisms

Intrusion detection metrics

Receiver operating characteristic (ROC)

It reflects the dependence of the true-positive rate on the false-positive rate, reflecting a tradeoff between the true-positive and the false-positive rates

NETWORK

STATIC

This is clearly a network-oriented metric

YES

Defense metrics

Measuring the Strength of Reactive Defenses

Metrics for Detection Mechanisms

Individual Strength of Defense Mechanisms

Intrusion detection metrics

Intrusion detection operating characteristic (IDOC)

INTRUSION

It describes the dependence of the true positive rate Pr(A\I) on the Bayesian detection rate Pr(I\A), while accommodating the base rate Pr(I)

NETWORK

STATIC

This is clearly a network-oriented metric

YES

Defense metrics

Measuring the Strength of Reactive Defenses

Metrics for Detection Mechanisms

Individual Strength of Defense Mechanisms

Intrusion detection metrics

Cost metric (damage / response / operational)

COST

It includes the damage cost incurred by undetected attacks, the response cost spent on the reaction to detected attacks including both true and false alarms, and the operational cost for running an IDS

NETWORK

STATIC

This is clearly a network-oriented metric, that aims to translate the impact into moneu

YES

Defense metrics

Measuring the Strength of Reactive Defenses

Metrics for Detection Mechanisms

Relative Strength of Defense Mechanisms

Relative effectiviness

This metric reflects the strength of a defense tool when employed in addition to other defense tools. A defense tool does not offer any extra strength if it cannot detect any attack undetected by other defense tools in place

RATIO

NETWORK

DYNAMIC

This is clearly a network-oriented metric

YES

Defense metrics

Measuring the Strength of Reactive Defenses

Metrics for Detection Mechanisms

Collective Strength of Defense Mechanisms

Collective effectiviness

This metric measures the collective strength of IDSs and anti-malware programs

RATIO

NETWORK

DYNAMIC

This is clearly a network-oriented metric

YES

Defense metrics

Measuring the Strength of Proactive Defenses

Address Space Layout Randomization (ASLR)

ASLR-induced Effective entropy metric

Measure of entropy in user space memory which quantitatively considers an adversary’s ability to leverage low entropy regions of memory via absolute and dynamic inter-section connections

SOFTWARE

DYNAMIC

YES

If the device runs an OS, this could be applied

YES

Defense metrics

Measuring the Strength of Proactive Defenses

Moving Target Defense (MTD)

It measures the degree that an enterprise system can tolerate some undesirable security configurations in order to direct the global security state S(t) towards a desired stable system state

NETWORK

DYNAMIC

This is only applicable to an enterprise system

YES

Defense metrics

Measuring the Strength of Overall Defenses

Penetration resistance (PR)

Running a penetration test to estimate the level of effort (e.g., person-day or cost) required for a red team to penetrate into a system

DEVICE ETWORK

DYNAMIC

YES

Penetration testing is a really common way to test this kind of device

YES

Defense metrics

Measuring the Strength of Overall Defenses

Network diversity (ND)

It measures the least or average effort an attacker must make to compromise a target entity based on the causal relationships between resource types to be considered as the inclusion in an attack graph

NETWORK

DYNAMIC

This is clearly a network-oriented metric

YES

Attack metrics

Measuring Zero-Day Attacks

Lifetime of zero-day attacks

ZERODAY

It measures the period of time between when an attack was launched and when the corresponding vulnerability is disclosed to the public

SOFTWARE ARDWARE EVICE

DYNAMIC

This can be computed, but it is not feasible for a security evaluation

YES

Attack metrics

Measuring Zero-Day Attacks

Susceptibility of a device to zero-day attacks

ZERODAY

If we can capture the degree of the susceptibility of a device to zero-day attacks, then we can prioritize resource allocation to the ones requiring higher attention for mitigating the damage

DEVICE

This metric is proposed in [2] as a future concept, but it is not developed

YES

Attack metrics

Measuring Botnets

Botnet size

Number of bots, x, that can be instructed to launch attacks (e.g., distributed denial-of-service attacks) at time t, denoted by y(t). Due to time zone difference, y(t) is often much smaller than the actual x as some of x is turned off during night time at time zones

NETWORK

STATIC

This is clearly a network-oriented metric

YES

Attack metrics

Measuring Botnets

Network bandwidth

Network bandwidth that a botnet can use to launch denial-of-service attacks

NETWORK

STATIC YNAMIC

This is clearly a network-oriented metric

YES

Attack metrics

Measuring Botnets

Botnet efficiency

Network diameter of the botnet network topology. It measures a botnet’s capability in communicating command-and-control messages and updating bot programs

NETWORK

¿?

This is clearly a network-oriented metric

YES

Attack metrics

Measuring Botnets

Botnet robustness

Robustness of botnets under random or intelligent disruptions. The idea was derived from the concept of complex network robustness, characterized by the percolation threshold under which a network is disrupted into small components

NETWORK

¿?

This is clearly a network-oriented metric

YES

Attack metrics

Measuring Malware Spreading

Infection rate

Average number of vulnerable computers that are infected by a compromised computer (per time unit) at the early stage of spreading

NETWORK

DYNAMIC

This is usefull for networks or an organisation. It can be computed for a network of devices, but it is not useful for a security evaluation

YES

Attack metrics

Measuring Attack Evasion Techniques

Adversarial Machine Learning Attacks

Increased false-positive rate

The strength of attacks as a consequence of applying a certain evasion method

DEVICE ETWORK

DYNAMIC

This can only be calculated if the embedded system has implemented an evasion mechanism against machine learning attacks

YES

Attack metrics

Measuring Attack Evasion Techniques

Adversarial Machine Learning Attacks

Increased false-negative rate

The strength of attacks as a consequence of applying a certain evasion method

DEVICE ETWORK

DYNAMIC

This can only be calculated if the embedded system has implemented an evasion mechanism against machine learning attacks

YES

Attack metrics

Measuring Attack Evasion Techniques

Obfuscation Attacks

Obfuscation prevalence metric

CODE

Occurrence of obfuscation in malware samples

MALWARE

STATIC

Malware-related

YES

Attack metrics

Measuring Attack Evasion Techniques

Obfuscation Attacks

Structural complexity metric

Runtime complexity of packers in terms of their layers or granularity

MALWARE

¿?

Malware-related

YES

Attack metrics

Measuring Attack Evasion Techniques

Obfuscation Attacks

Evasion capability of attacks

Allows comparing the evasion power of two attacks, but also allows computing the damage caused by evasion attacks

MALWARE

DYNAMIC

Proposed, but not defined

YES

Attack metrics

Measuring Attack Evasion Techniques

Obfuscation Attacks

Obfuscation sophistication

CODE

In terms of the amount of effort required for unpacking packed malware

MALWARE

STATIC

Proposed, but not defined. Malware related

YES

Situation metrics

Measuring Security State

Data-Driven State Metrics

Network maliciousness metric

It estimates the fraction of blacklisted IP addresses n a network

NETWORK

STATIC YNAMIC

This metric works at network level, for systems in a network. Cannot be applied to embedded systems

YES

Situation metrics

Measuring Security State

Data-Driven State Metrics

Rogue networkmetric

Population of networks used to launch drive-by download or phishing attacks

NETWORK

DYNAMIC

This metric works at network level, for systems in a network. Phishing cannot be applied to embedded systems

YES

Situation metrics

Measuring Security State

Data-Driven State Metrics

ISP badness metric

Quantifies the effect of spam from one ISP or Autonomous System (AS) on the rest of the Internet

NETWORK

DYNAMIC

This is clearly a network-oriented metric

YES

Situation metrics

Measuring Security State

Data-Driven State Metrics

Control-plane reputation metric

Calibrates the maliciousness of attacker-owned (i.e., rather than legitimate but mismanaged/abused) ASs based on their control plane information (e.g., routing behavior), which can achieve an early-detection time of 50–60 days (before these malicious ASs are noticed by other defense means)

ATTACKER

¿?

This is related to external systems that could be potential attackers

YES

Situation metrics

Measuring Security State

Data-Driven State Metrics

Cybersecurity posturemetric

Measures the dynamic threat imposed by the attacking computers

ATTACKER

DYNAMIC

This is related to attacks themselves

YES

Situation metrics

Measuring Security State

Model-Driven Metrics

Probability a computer is compromised at time t

It quantifies the degree of security in enterprise systems by using modeling techniques based on a holistic perspective

DEVICE ETWORK

¿?

Although this is a network-oriented metric, this might be adapted to be used with an embedded system

YES

Situation metrics

Measuring Security Incidents

Frequency of Security Incidents

Encounter rate

Measures the fraction of computers that encountered some malware or attack during a period of time

NETWORK

STATIC

Directly related to the systems in a network

YES

Situation metrics

Measuring Security Incidents

Frequency of Security Incidents

Incident rate

Measures the fraction of computers successfully infected or attacked at least once during a period of time

NETWORK

STATIC

Directly related to the systems in a network

YES

Situation metrics

Measuring Security Incidents

Frequency of Security Incidents

Blocking rate

The rate an encountered attack is successfully defended by a deployed defense

NETWORK

DYNAMIC

¿?

Although this is a network-oriented metric, this might be adapted to be used with an embedded system (maybe for a penetration test)

YES

Situation metrics

Measuring Security Incidents

Frequency of Security Incidents

Breach frequencymetric

How often breaches occur

NETWORK

STATIC

Directly related to the systems in a network

YES

Situation metrics

Measuring Security Incidents

Frequency of Security Incidents

Breach size metric

Number of records breached in individual breaches

NETWORK

STATIC

Directly related to the systems in a network

YES

Situation metrics

Measuring Security Incidents

Frequency of Security Incidents

Time-between-incidents metric

TIME

Period of time between two incidents

NETWORK

STATIC

Directly related to the systems in a network

YES

Situation metrics

Measuring Security Incidents

Frequency of Security Incidents

Time-to-first-compromise metric

TIME

Estimates the duration of time between when a computer starts to run and the first malware alarm is triggered on the computer where the alarm indicates detection rather than infection

DEVICE

DYNAMIC

YES

This can be used in embedded systems, but it might not be suitable for a security evaluation (maybe for a penetration test)

YES

Host-based

Without Probability Values

Attack Impact

It is the quantitative measure of the potential harm caused by an attacker to exploit a vulnerability

NETWORK

STATIC

YES

Host-based

Without Probability Values

Attack Cost

COST

It is the cost spent by an attacker to successfully exploit a vulnerability (i.e., security weakness) on a host

NETWORK

STATIC YNAMIC

YES

This is related to network, but this could be applicable to devices too

YES

Host-based

Without Probability Values

Structural Important Measured

It it used to qualitatively determine the most critical event (attack, detection or mitigation) in a graphical attack model

NETWORK

STATIC

Related to networks

100

YES

Host-based

Without Probability Values

Mean-time-to-compromise (MTTC)

TIME

It is used to measure how quickly a network can be penetrated

NETWORK

DYNAMIC

¿?

This is no directly applicable, but its equivalent would be a penetration attack in an embedded system

101

YES

Host-based

Without Probability Values

Mean-time-to-recovery (MTTR)

TIME

It is used to assess the effectiveness of a network to recovery from an attack incidents. It is defined as the average amount of time required to restore a system out of attack state

NETWORK

DYNAMIC

¿?

Although this is developed for networks, the same concept can be translated into embeded systems

104

YES

Host-based

Without Probability Values

Return on Investment

COST

It measures the financial net gain of an investment based on the gain from investment minus the cost of investment

NETWORK

STATIC

Network-related and cost related. Useful for organisation managing

105

YES

Host-based

Without Probability Values

Return on Attack

The gain the attacker expects from successful attack over the losses he sustains due to the countermeasure deployed by his target

NETWORK

¿?

Network-related, but it scent can be translated into embedded systems

106

YES

Host-based

With Probability Values

Common Vulnerability Scoring System (CVSS) - Overall value

VULNERABILITY

The overall score is determined by generating a base score and modifying it through the temporal and environmental formulas

DEVICE

STATIC

YES

This could be used tohether with other metics to obtain a numeric value

107

YES

Host-based

With Probability Values

Probability of Vulnerability Exploited

VULNERABILITY

It is used to assess the likelihood of an attacker exploiting a specific vulnerability on a host

SOFTWARE ARDWARE ETWORK

STATIC

¿?

Network-related metric. This is also related to risk assessment. Can be traslated into embedded systems

108

YES

Host-based

With Probability Values

Probability of attack detection

It is used to assess the likelihood of a countermeasure to successfully identify the event of an attack on a target.

SOFTWARE ARDWARE ETWORK

DYNAMIC

¿?

Network-related metric. This is also related to risk assessment. Can be traslated into embedded systems

109

YES

Host-based

With Probability Values

Probability of host compromised

It is used to assess the likelihood of an attacker to successfully compromise a target

HARDWARE OFTWARE ETWORK

STATIC YNAMIC

¿?

Network-related metric. This is also related to risk assessment. Can be traslated into embedded systems

110

YES

Network-based

Non-path based

Network Compromise Percentage

It quantifies the percentage of hosts on the network on which an attacker can obtain an user or administration level privilege

NETWORK

STATIC YNAMIC

It's about networks, and we can't predict where the device will be used, so this metric is not representative

112

YES

Network-based

Non-path based

Vulnerable Host Percentage

This metric quantifies the percentage of hosts with vulnerability on a network. It is used to assess the overall security of a network

NETWORK

DYNAMIC

It's about networks, and we can't predict where the device will be used, so this metric is not representative

113

YES

Network-based

Path based

Attack Shortest Path

PATH

It is the smallest distance from the attacker to the target. This metric represents the minimum number of hosts an attacker will use to compromise the target host

NETWORK

AUTOMATIC*

DYNAMIC

If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used

114

YES

Network-based

Path based

Number of Attack Paths

PATH

It is the total number of ways an attacker can compromise the target

NETWORK

AUTOMATIC*

DYNAMIC

If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used

115

YES

Network-based

Path based

Mean of Attack Path Lengths

PATH

It is the average of all path lengths. It gives the expected effort that an attacker may use to breach a network policy

NETWORK

AUTOMATIC*

DYNAMIC

If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used

116

YES

Network-based

Path based

Normalised Mean of Path Lengths

PATH

Expected number of exploits an attacker should execute in order to reach the target

NETWORK

AUTOMATIC*

DYNAMIC

If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used

117

YES

Network-based

Path based

Standand Deviation of Path Lengths

PATH

It is used to determine the attack paths of interest

NETWORK

AUTOMATIC*

DYNAMIC

If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used

118

YES

Network-based

Path based

Mode of Path Lengths

PATH

It is the attack path length that occurs most frequently

NETWORK

AUTOMATIC*

DYNAMIC

If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used

119

YES

Network-based

Path based

Median of Path Lengths

PATH

It is used by network administrator to determine how close is an attack path length to the value of the median path length (i.e. path length that is at the middle of all the path length values)

NETWORK

AUTOMATIC*

DYNAMIC

If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used

120

YES

Network-based

Path based

Attack Resistance Metric

It is use to assess the resistance of a network configuration based on the composition of measures of individual exploits. It is also use for assessing and comparing the security of different network configurations

NETWORK

¿?

If it has to do with paths, it has to do with networks, and we can't assume where is this going to be used

121

YES

Mean Time To Failure (MTTF) - Time to compromise

TIME

Mean time for a potential intruder to reach the specified target

NETWORK

AUTOMATIC

DYNAMIC

122

YES

Mean Effort To Failure (METF) - Effort to compromise

Mean effort for a potential attacker to reach the specified target

NETWORK

SEMI-AUTOMATIC

DYNAMIC

123

YES

Mean Time to Security Failure (MTTSF) - Time to compromise

TIME

Expected amount of time attackers need to successfully complete an attack process

NETWORK

SEMI-AUTOMATIC

STATIC

132

YES

Network compromise percentage

NETWORK

AUTOMATIC

DYNAMIC

If we are evaluating a device, it has no sense talking about networks

133

YES

Compromise probability

NETWORK

SEMI-AUTOMATIC

DYNAMIC

135

YES

Expected dificulty

NETWORK

AUTOMATIC

STATIC

136

YES

Percentage of distinct hosts (d1-Diversity)

NETWORK

SEMI-AUTOMATIC

STATIC

This is related with servers in a network, cannot be applied to a single device

137

YES

Number of bits leaked (mean privacy)

DATA

NETWORK

SEMI-AUTOMATIC

STATIC

¿?

If adapted, this metric can be used to test memory related vulnerabilities

139

rav

OPSEC

It is a scale measurement of the attack surface, the amount of uncontrolled interactions with a target, which is calculated by the quantitative balance between operations, limitations, and controls

141

YES

Churn

CODE

Count of Source Lines of Code that has been added or changed in a component since the previous revision of the software

SOFTWARE

142

YES

Churn

Frequency

CODE

Number of times that a binary was edited during its development cycle

SOFTWARE

AUTOMATIC*

STATIC*

This is more related to the development of the software

143

YES

Churn

Lines Changed

CODE

The cumulated number of code lines changed since the creation of a file

SOFTWARE

AUTOMATIC*

STATIC*

This is more related to the development of the software

144

YES

Churn

Lines new

CODE

The cumulated number of new code lines since the creation of a file

SOFTWARE

AUTOMATIC*

STATIC*

This is more related to the development of the software

146

YES

Churn

Number of commits

CODE

Counting the commits a given developer made

SOFTWARE

AUTOMATIC*

STATIC*

This is more related to the development of the software

148

YES

Churn

Relative churn

CODE

Normalized by parameters such as lines of code, files counts

SOFTWARE

AUTOMATIC*

STATIC*

149

YES

Churn

Repeat frequency

CODE

The number of consecutive edits that are performed on a binary

SOFTWARE

AUTOMATIC*

STATIC*

150

YES

Churn

Total churn

CODE

The total added, modified, and deleted lines of code of a binary during the development

SOFTWARE

AUTOMATIC*

STATIC*

155

YES

Complexity*

Cyclomatic number

CODE

M = E − N + P, where E = the number of edges of the graph. N = the number of nodes of the graph. P = the number of connected components.

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

158

YES

Complexity

Fan in (FI)

COUPLING

Number of inputs a function uses. Inputs include parameters and global variables that are used (read) in the function / Number of functions calling a function

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

159

YES

Complexity

Fan out (FO)

COUPLING

Number of outputs that are set. The outputs can be parameters or global variables (modified) / Number of functions called by a function

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

162

YES

Complexity

Max fan in

CODE

The largest number of inputs to a function such as parameters and global variables

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

163

YES

Complexity

Max fan out

CODE

The largest number of assignment to the parameters to call a function or global variables

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

164

YES

Complexity

MaxMaxNesting

CODE

The maximum of MaxNesting in a file

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

165

YES

Complexity

MaxNesting

CODE

Maximum nesting level of control constructs such as if or while statements in a function

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

166

YES

Complexity

Nesting complexity

CODE

Maximum nesting level of control constructs (if, while, for, switch, etc.) in the function

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

167

YES

Complexity

Number of children (NOC)

CODE

Number of immediate sub-classes of a class or the count of derived classes. If class CA inherits class CB, then CB is the base class and CA is the derived class. In other words, CA is the children of class CB, and CB is the parent of class CB.

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

168

YES

Complexity

SumCyclomaticStrict

CODE

The sum of the strict cyclomatic complexity, where strict cyclomatic complexity is defined as the number of conditional statements in a function

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

169

YES

Complexity

SumEssential

CODE

The sum of essential complexity, where essential complexity is defined as the number of branches after reducing all the programming primitives such as a for loop in a function’s control flow graph into a node iteratively until the graph cannot be reduced any further. Completely well-structured code has essential complexity 1

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

170

YES

Complexity

SumFanIn

CODE

The sum of FanIn, where FanIn is defined as the number of inputs to a function such as parameters and global variables

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

171

YES

Complexity

SumFanOut

CODE

The sum of FanOut, where FanOut is defined as the number of assignment to the parameters to call a function or global variables

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

172

YES

Complexity

SumMaxNesting

CODE

The sum of the MaxNesting in a file, where MaxNesting is defined as the maximum nesting level of control constructs such as if or while statements in a function

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

173

YES

Complexity

McCabe Cyclomatic Complexity

CODE

M = E − N + 2P, where E = the number of edges of the graph. N = the number of nodes of the graph. P = the number of connected components

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

174

YES

Complexity

Weighted methods per class (WMC)

CODE

Number of local methods defined in the class

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

177

YES

Cost

Remediation Impact (RI)

The remediation impact provides an overview of how much impact the remediation could have on the affected system

181

YES

Coverage

Administrator and operator logs

LOG

Total number corrective actions taken after specific event is recorded in log / total number of events recorded in log * 100

182

YES

Coverage

Anomalous session count

ACCESS

The first phase derives a SessionTableAccessProfile by correlating application server user log entries for a user session with accessed database tables; the resulting value of SessionTableAccessProfile is represented as a user ID followed by a set of ordered pairs with a table name and a count. The second phase derives the AnomalousSessionCount by counting how many SessionTableAccessCounts don’t fit a predefined user profile. If AnamalousSessionCount is greater than one for any user, especially a privileged user, it could indicate the need for significant refactoring and redesign of the Web application’s persistence layer. This is a clear case in which detection at design time is preferable.

SOFTWARE

¿?

If adapted, it could be used

185

YES

Coverage

Audit logging

LOG

Total number of log files monitored in specific time interval / number of available log files * 100

SOFTWARE

SEMI-AUTOMATIC*

DYNAMIC*

Although this has to do with larger systems, embedded systems could not be able to produce log files

187

YES

Coverage

Classified Accessor Attribute Interactions (CAAI)

CODE

The ratio of the sum of all interactions between accessors and classified attributes to the possible maximum number of interactions between accessors and classified attributes in the program

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

188

YES

Coverage

Classified Attributes Interaction Weight (CAIW)

CODE

The ratio of the number of all interactions with classified attributes to the total number of all interactions with all attributes in the program

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

189

YES

Coverage

Classified Class Data Accessibility (CCDA)

CODE

The ratio of the number of non-private classified class attributes to the number of classified attributes in the program

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

190

YES

Coverage

Classified Instance Data Accessibility (CIDA)

CODE

The ratio of the number of non-private classified instance attributes to the number of classified attributes in the program

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

191

YES

Coverage

Classified Method Extensibility (CME)

CODE

The ratio of the number of the non-finalised classified methods in program to the total number of classified methods in the program

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

192

YES

Coverage

Classified Methods Weight (CMW)

CODE

The ratio of the number of classified methods to the total number of methods in the program

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

193

YES

Coverage

Classified Mutator Attribute Interactions (CMAI)

CODE

The ratio of the sum of all interactions between mutators and classified attributes to the possible maximum number of interactions between mutators and classified attributes in the program.

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

194

YES

Coverage

Classified Operation Accessibility (COA)

CODE

The ratio of the number of non-private classified methods to the number of classified methods in the program

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

195

YES

Coverage

Classified Writing Methods Proportion (CWMP)

CODE

The ratio of the number of methods which write classified attributes to the total number of classified methods in the program

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

196

YES

Coverage

Composite-Part Critical Classes (CPCC)

CODE

The ratio of the number of critical composed-part classes to the total number of critical classes in the program

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

Classes Design Proportion (CDP)

CODE

Ratio of the number of critical classes to the total number of classes, from the group of Design Size Metrics.

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

197

YES

Coverage

Controls against malicious code

CODE

Number of incidents as results of malware (malicious software) outbreaks on system / number of detected and blocked malware occurrences * 100

SOFTWARE

SEMI-AUTOMATIC*

DYNAMIC*

This metric could be adapted to embedded systems, but it might not make sense in the testing phase

201

YES

Coverage

Critical Class Extensibility (CCE)

CODE

The ratio of the number of the non-finalised critical classes in program to the total number of critical classes in the program

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

202

YES

Coverage

Critical Design Proportion (CDP)

CODE

The ratio of the number of critical classes to the total number of classes in the program

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

203

YES

Coverage

Critical Element Ratio

CODE

A process may not require all aspects of an object to be instantiated. Critical Elements Ratio = (Critical Data Elements in an Object) / (Total number of elements in the object)

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

204

YES

Coverage

Critical Serialized Classes Proportion (CSCP)

CODE

The ratio of the number of critical serialized classes to the total number of critical classes in the program

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

205

YES

Coverage

Critical Superclasses Inheritance (CSI)

CODE

The ratio of the sum of classes which may inherit from each critical superclass to the number of possible inheritances from all critical classes in the program’s inheritance hierarchy

SOFTWARE

¿?

206

YES

Coverage

Critical Superclasses Proportion (CSP)

CODE

The ratio of the number of critical superclasses to the total number of critical classes in the program’s inheritance hierarchy

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

207

YES

Coverage

Depth of inspection

CODE

It calculates the depth of inspection by collecting the statistical data of inspection and testing approaches and finds out the defect capturing capability as a ratio. DI can be measured phase-wise or as a whole before the deployment of the product. # defects captured by inspection process / # defects captured by both inspection and testing approaches

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

This metric is intended to be use in the design phase. This cannot be applied in a security assessment

212

YES

Coverage

Isolation (PI)

CODE

This assesses the level of security isolation between system components. This means getting privileges to a component does not imply accessibility of other co-located components. This metric can be assessed using system architecture and deployment models. Components marked as confidential should not be hosted with nonconfidential (public) components. Methods that are not marked as confidential should not have access to confidential attributes or methods

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

I am not sure if this metric can be applied to embedded software

214

YES

Coverage

Number of Catch Blocks Per Class (NCBC)

CODE

It measures the exception handing factor (EHF) in some way. It is defined as the percentage of catch blocks in a class over the theoretical maximum number of catch blocks in the class

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

215

YES

Coverage

Percentage High-, medium- and moderate-Risk Software Hazards with Safety Requirements

It reveals whether all high-, medium- and moderate-risk software hazards have resulted in applicable safety requirements through hazard analysis

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

YES

This is related to software and the design

218

YES

Coverage

Percentage of Software Safety Requirements (PSSR)

How sufficient hazard analysis has been performed. (# Software Safety Requirements / # SoftwareRequirements) * 100

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

YES

This is related to software and the design

219

YES

Coverage

Percentage of Software Safety Requirements Traceable to Hazards

Ensuring traceability to system hazards or System of Systems hazards increases the validation case. Percentage indicator of traceability of requirements. All derived software safety requirements must be traceable to system hazards or System of Systems hazards (# Traceable Software Safety Requirements / # Software Safety Requirements) * 100

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

YES

This is related to software and the design

246

YES

Coverage

PercentValidatedInput

INPUTS

To compute this metric, let T equal the count of the amount of input forms or interfaces the application exposes (the number of HTML form POSTs, GETs, and so on) and let V equal the number of these interfaces that use input validation mechanisms. The ratio V/T makes a strong statement about the Web application’s vulnerability to exploits from invalid input

SOFTWARE

YES

This could be adapted to other pieces of code, rather than just HTML

247

YES

Coverage

Ratio of Design Decisions (RDD)

Ratio of the number of design decisions related to security to the total number of design decisions of the entire system. The objective is to assess the portion of design dedicated to security

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

This is related to design phase

248

YES

Coverage

Ratio of Design Flaws Related to Security (RDF)

Ratio of design flaws related to security to the total number of design flaws applicable to the whole system

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

This is related to design phase

249

YES

Coverage

Ratio of extension misuse cases extended once to the total number of extension misuse cases

DESIGN

Are the functional decompositions between misuse cases correctly handled? 1 - (# Extension Misuse Cases included once / # Extension Misuse Cases)

SOFTWARE

MANUAL*

STATIC*

This metric is intended to be use in the design phase. This cannot be applied in a security assessment

250

YES

Coverage

Ratio of Implementation Errors That Have an Impact on Security (RSERR)

Ratio of the number of errors related to security to the total number of errors in the implementation of the system (i.e. NERR)

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

This is related to design phase

251

YES

Coverage

Ratio of inclusion misuse cases included once to the total number of inclusion misuse cases

DESIGN

Are the functional decompositions between misuse cases correctly handled? (# Inclusion Misuse Cases included once) / (# Inclusion Misuse Cases)

SOFTWARE

MANUAL*

STATIC*

This metric is intended to be use in the design phase. This cannot be applied in a security assessment

252

YES

Coverage

Ratio of misuse cases used as pre/post conditions of other misuse cases to the total number of misuse cases

DESIGN

Are the functional decompositions between misuse cases correctly handled? (# Misuse Cases used as pre/post conditions) / (# Misuse Cases)

SOFTWARE

MANUAL*

STATIC*

This metric is intended to be use in the design phase. This cannot be applied in a security assessment

253

YES

Coverage

Ratio of Patches Issued to Address Security Vulnerabilities (RP)

Ratio of the number of patches that are issued to address security vulnerabilities to the total number of patches of the system

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

If the design is available, it can be applied

254

YES

Coverage

Ratio of Security Requirements (RSR)

Ratio of the number of requirements that have direct impact on security to the total number of requirements of the system

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

If the design is available, it can be applied

255

YES

Coverage

Ratio of Security Test Cases (RTC)

Number of test cases designed to detect security issues to the total number of test cases of the entire system

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

If the design is available, it can be applied

256

YES

Coverage

Ratio of Security Test Cases that Fail (RTCP)

Number of test cases that detect implementation errors (i.e. the ones that fail) to the total number of test cases, designed specifically to target security issues

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

If the design is available, it can be applied

258

YES

Coverage

Ratio of Software Changes Due to Security Considerations (RSC)

Number of changes in the system triggered by a new set of security requirements. Software changes due to security considerations include patches that are released after a system is delivered, or any other security updates

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

If the design is available, it can be applied

259

YES

Coverage

Ratio of the number of included security requirements to the total number of stated security requirements

DESIGN

How vulnerable is the application based on the stated security requirements? 1 - ( (# Stated Security Requirements - # Excluded Stated Security Requirements) / # Stated Security Requirements )

SOFTWARE

MANUAL*

STATIC*

This metric is intended to be use in the design phase. This cannot be applied in a security assessment

260

YES

Coverage

Ratio of the number of misuse cases that do not threaten the application to the total number of misuse cases

DESIGN

Do the misuse cases correctly represent the application vulnerabilities and are they consistent with application security use cases? (# Non-Threatening Misuse Cases) / (# Misuse Cases)

SOFTWARE

MANUAL*

STATIC*

This metric is intended to be use in the design phase. This cannot be applied in a security assessment

261

YES

Coverage

Ratio of the Number of Omitted Exceptions (ROEX)

Ratio of the number of omitted exceptions (i.e. Noex) to the total number of exceptions that are related to security

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

If the software is available, it can be applied. It can be also applied to embedded software

262

YES

Coverage

Ratio of the Number of Omitted Security Requirements (ROSR)

Ratio of the number of security requirements that have not been considered during the analysis phase (i.e. NOSR) to the total number of security requirements identified during the analysis phase (NSR)

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

If the design is available, it can be applied

263

YES

Coverage

Ratio of the number of the base misuse cases associated to one misuser to the total number of base misuse cases

DESIGN

Are the misusers presented and handled correctly in the misuse case model? 1 - (# Base Misuse Cases Associated to one misuser / # Misuse Cases)

SOFTWARE

MANUAL*

STATIC*

This metric is intended to be use in the design phase. This cannot be applied in a security assessment

264

YES

Coverage

Ratio of the number of unmitigated misuse cases that threaten the application to the total number of misuse cases

DESIGN

Do the misuse cases correctly represent the application vulnerabilities and are they consistent with application security use cases? (# Unmitigated Misuse Cases) / (# Misuse Cases)

SOFTWARE

MANUAL*

STATIC*

This metric is intended to be use in the design phase. This cannot be applied in a security assessment

269

YES

Coverage

Software Hazard Analysis Depth

Hazardous software, or safety-critical software, allocated as high- or medium-risk, according to the Software Hazard Criticality Matrix, requires analysis of second- and third-order causal factors (should they exist)

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

YES

Hazard is similar to risk.

273

YES

Coverage

Unaccessed Assigned Classified Attribute (UACA)

The ratio of the number of classified attributes that are assigned but never used to the total number of classified attributes in the program

SOFTWARE

Object-oriented programs

274

YES

Coverage

Uncalled Classified Accessor Method (UCAM)

The ratio of the number of classified methods that access a classified attribute but are never called by other methods to the total number of classified methods in the program

SOFTWARE

Object-oriented programs

275

YES

Coverage

Unused Critical Accessor Class (UCAC)

The ratio of the number of classes which contain classified methods that access classified attributes but are never used by other classes to the total number of critical classes in the program

SOFTWARE

Object-oriented programs

284

YES

Dependency

Classified Attributes Inheritance (CAI)

CODE

The ratio of the number of classified attributes which can be inherited in a hierarchy to the total number of classified attributes in the program’s inheritance hierarchy

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

285

YES

Dependency

Classified Methods Inheritance (CMI)

CODE

The ratio of the number of classified methods which can be inherited in a hierarchy to the total number of classified methods in the program’s inheritance hierarchy

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

286

YES

Dependency

Coupling

COUPLING

Measures the following three coupling dimensions between modules: referential dependency, structural dependency, and data integrity dependency

SOFTWARE

288

YES

Dependency

Coupling Between Object classes (CBOC)

COUPLING

Number of other classes coupled to a class C

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

290

YES

Dependency

Coupling Corruption Propagation

COUPLING

Coupling corruption propagation is meant to measure the total number of methods that could be affected by erroneous originating method. Coupling Corruption Propagation = Number of child methods invoked with the parameter(s) based on the parameter(s) of the original invocation

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

291

YES

Dependency

Critical Classes Coupling (CCC)

CODE

The ratio of the number of all classes’ links with classified attributes to the total number of possible links with classified attributes in the program

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software

292

YES

Dependency

Depth of Inheritance Tree (DIT)

Maximum depth of the class in the inheritance tree

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

301

YES

Dependency

Lack of cohesion of methods (LCOM)

The LCOM value for a class C is defined as LCOM(C) = (1- \E(C)\ ÷ (\V(C)\ × \M(C)\)) × 100%, where V(C) is the set of instance variables, M(C) is the set of instance methods, and E(C) is the set of pairs (v,m) for each instance variable v in V(C) that is used by method m in M(C)

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

304

YES

Dependency

NumCalls

The number of calls to the functions defined in an entity

SOFTWARE

YES

If the software is available, it can be applied. It can be also applied to embedded software

312

YES

Dependency

Reflection Package Boolean (RPB)

CODE

A boolean value representing whether the Java program imports the reflection package (1) or not (0)

SOFTWARE

Object-oriented programs

YES

Dependency

Vulnerability Propagation (VP)

CODE

Vulnerability Propagation (VP) of a class C, denoted by VP(C), is the set containing classes in the hierarchy which directly or indirectly inherit class C. Cardinality of set VP(C) represents the number of classes which have become vulnerable due to class C. Alternatively, Vulnerability Propagation of a class C is the total number of classes which directly or indirectly inherit class C.

SOFTWARE

AUTOMATIC*

STATIC*

YES

This metric can be applied to embedded software

315

YES

Dependency

Vulnerability Propagation Factor (VPF)

CODE

An Inheritance hierarchy may contain no class or one or more vulnerable classes. Also, there are more than one Inheritance hierarchies present in a design. So, calculation of Vulnerability Propagation Factor (VPF) of a design requires calculation of Vulnerability Propagation due to each vulnerable class in Inheritance hierarchies present in the design. Then, union of Vulnerability Propagation due to each vulnerable class will give overall Vulnerability Propagation in design.

SOFTWARE

AUTOMATIC*

STATIC*

YES

This metric can be applied to embedded software

316

YES

Effort

Access Complexity (AC)

ACCESS

This metric measures the complexity of attacks exploiting the vulnerability. A vulnerability with low complexity can be for example a buffer overflow in a web server, the vulnerability can be exploited at will

317

YES

Effort

Access Vector (AV)

ACCESS

This metric indicates from where an attacker can exploit the vulnerability

318

YES

Effort

Adversary Work Factor

EFFORT

Adversary work factor is an informative metric for gauging the relative strengths and weaknesses of modem information systems. However, this metric can be difficult to measure and evaluate

NETWORK

MANUAL*

DYNAMIC*

This metric has nothing to do with embedded systems and it is directly retaled to networks

319

YES

Effort

Attackability

The number of inbound edges of a node in the hostbased attack graph represents all the direct attack paths that other hosts in the considered network can compromise to that node. This number can be used to compute the attackability metric of a host in the context of the system under study. The metric is based on intuitive properties derived from common sense. For example, the metric will indicate reduced confidence when more inbound edges exist. (1 - # inbound edges of the node/ total inbound edges)

NETWORK

AUTOMATIC*

STATIC*

This metric has nothing to do with embedded systems and it is directly retaled to networks

320

YES

Effort

Authentication (AU)

AUTHENTICATION

This metric counts how often an attacker must authenticate before the vulnerability can be exploited

322

YES

Effort

Damage potential-effort ratio

It indicates the level of damage an attacker can potentially cause to the system and the effort required for the attacker to cause such damage

DEVICE

SEMI-AUTOMATIC*

DYNAMIC*

YES

It seems that it can be applied to embeded systems, but I am not sure if it is applicable in the evaluation phase

324

YES

Effort

ExclusiveExeTime

Execution time for the set of functions, S, defined in an entity excluding the execution time spent by the functions called by the functions in S

327

YES

Effort

InclusiveExeTime

Execution time for the set of functions, S, defined in an entity including all the execution time spent by the functions called directly or indirectly by the functions in S

330

YES

Effort

Minimal cost of attack

COST

Minimal cost of attack represents the minimal cost that the attacker has to pay for the execution of an attack on a system

NETWORK*

Formal model. Formal verification. Too much notation. I think this is more related to networks

331

YES

Effort

Minimal length of attacks

An intuition behind this metric is the following: the less steps an attacker has to make, the simpler is to execute the attack successfully, and the less secure the system is

NETWORK*

Formal model. Formal verification. Too much notation. I think this is more related to networks

332

YES

Effort

Protection Rate (PR)

It expresses the efficiency of security mechanisms. Percentage of the known vulnerabilities protected by a given security mechanism. It is based on the Attack Surface metric. PR = (1 - AttackSurfaceEvaluatedSystem / AttackSurfaceReferenceSystem) * 100

SOFTWARE

SEMI-AUTOMATIC*

DYNAMIC*

¿?

This metric was developed specificaly for OSGi platform, but I think it can be adapted to be applied to embedded systems

334

YES

Effort

Side-channel Vulnerability Factor (SVF)

SVF quantifies patterns in attackers’ observations and measures their correlation to the victim’s actual execution patterns and in doing so captures systems’ vulnerability to side-channel attacks. we can measure information leakage by computing the correlation between ground-truth patterns and attacker observed patterns. We call this correlation Side-channel Vulnerability Factor (SVF). SVF measures the signal-to-noise ratio in an attacker’s observations. While any amount of leakage could compromise a system, a low signal-to-noise ratio means that the attacker must either make do with inaccurate results (and thus make many observations to create an accurate result) or become much more intelligent about recovering the original signal. We use phase detection techniques to find patterns in both sets of data then compute the correlation between actual patterns in the victim and observed patterns.

HARDWARE

SEMI-AUTOMATIC*

DYNAMIC*

YES

Embedded devices can be vulnerable to side-channel attacks and they can be tested

335

YES

Effort

Social Engineering Resistance (SER)

SER = <SERlow, SERhigh>; SERlow = (1 − (P + N − A)/N) ∗ 100; SERhigh = (1 − P/N) ∗ 100; where N is the number of individuals selected or invited to take part in the experiment; A is the number of active participants; P is the total number of valid password/username pairs obtained during the experiment

USER

SEMI-AUTOMATIC*

DYNAMIC*

Social engineering cannot be applied to a device

336

YES

Effort

Structural severity

RISK

Measure that uses software attributes to evaluate the risk of an attacker reaching a vulnerability location from attack surface entry points. It is measured based on three values: high (reachable from an entry point), medium (reachable from an entry point with no dangerous system calls), low (not reachable from any entry points)

SOFTWARE

SEMI-AUTOMATIC*

DYNAMIC*

¿?

I am not sure if this metric can be applied to embedded software

YES

Effort

Vulnerability Index (VI)

Probability of a component’s vulnerability being exposed in a single execution

DEVICE

MANUAL*

DYNAMIC*

¿?

It seems that it can be applied to embeded systems, but I am not sure if it is applicable in the evaluation phase

YES

Effort

Effective Vulnerability Index (EVI)

Relative measure of the impact of a component on the system’s insecurity

DEVICE

SEMI-AUTOMATIC*

DYNAMIC*

¿?

It seems that it can be applied to embeded systems, but I am not sure if it is applicable in the evaluation phase

341

YES

Organization

Depth of Master Ownership

This metric determines the level of ownership of the binary depending on the number of edits done. The organization level of the person whose reporting engineers perform more than 75% of the rolled up edits is considered as the DMO. This metric determines the binary owner based on activity on that binary. Our choice of 75% is based on prior historical information on Windows to quantify ownership.

350

YES

Organization

Edit Frequency

Total number of times the source code that makes up the binary was edited. An edit is when an engineer checks out code from the version control system, alters it, and checks it in again. This is independent of the number of lines of code altered during the edit

355

YES

Organization

Organization Intersection Factor

The number of different organizations that contribute more than 10% of edits, as measured at the level of the overall org owners

361

YES

Size

Classified Attributes Total (CAT)

The total number of classified attributes in the program

SOFTWARE

Object-oriented programs

362

YES

Size

Classified Methods Total (CMT)

The total number of classified methods in the program

SOFTWARE

Object-oriented programs

366

YES

Size

Count of Base Classes (CBC)

Number of base classes

SOFTWARE

367

YES

Size

Critical Classes Total (CCT)

The total number of critical classes in the program

SOFTWARE

Object-oriented programs

376

YES

Size

Number of Attacks

How many attacks on a system exist. The idea behind this metric is that the more attacks on a system exist the less secure the system is. This metric is applied for the simplest analysis of attack graphs. Number of attacks also can be used for the analysis of results of the penetration testing

NETWORK*

Formal model. Formal verification. Too much notation. I think this is more related to networks

378

YES

Size

Number of Design Decisions Related to Security (NDD)

The proposed metric aims at assessing the number of design decisions that address the security requirements of the system. During the design phase, it is common to end up with multiple solutions to the same problem. Software engineers make many design decisions in order to choose among alternative design solutions.

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

If the design is available, it can be applied

380

YES

Size

Number of elicited security use cases *

DESIGN

What is the number of elicited security use cases? # Elicited Security Use Cases

SOFTWARE

MANUAL

STATIC*

This metric is intended to be use in the design phase. This cannot be applied in a security assessment

381

YES

Size

Number of excluded security requirements that ensure session handling *

DESIGN

Is session identifier created on server side? Is new session identifier assigned to user on authentication? Is session identifier changed on reauthentication? Is logout option provided for all operations that require authentication? Is session identifier cancelled when authenticated user logs out? Is session identifier killed after a period of time without any actions? Is user’s authenticated session identifier protected via secure data transmission protocol?

SOFTWARE

MANUAL

STATIC*

This metric is intended to be use in the design phase. This cannot be applied in a security assessment

382

YES

Size

Number of excluded security requirements that put the system at risk of possible attacks *

DESIGN

Summation of the excluded security requirements that put the system at risk

SOFTWARE

MANUAL

STATIC*

This metric is intended to be use in the design phase. This cannot be applied in a security assessment

383

YES

Size

Number of global variables *

SOFTWARE

YES

If the software is available, it can be applied. It can be also applied to embedded software

384

YES

Size

Number of identified misuse cases *

DESIGN

What is the number of misuse cases found? # Misuse Cases

SOFTWARE

MANUAL

STATIC*

This metric is intended to be use in the design phase. This cannot be applied in a security assessment

390

YES

Size

Number of return points in the method

SOFTWARE

YES

If the software is available, it can be applied. It can be also applied to embedded software

391

YES

Size

Number of Security Algorithms (NSA)

Number of security algorithms that are supported by the application

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

If the design is available, it can be applied, but this metric can be used in finals stages of the development life-cycle

392

YES

Size

Number of Security Incidents Reported (NSR)

Number of incidents related to security that are reported by the users of the system

SOFTWARE

SEMI-AUTOMATIC*

DYNAMIC*

By definition, the values of this metric are collectec by the user. Son it can't be used in the valuation

393

YES

Size

Number of Security Requirements (NSR) *

Number of security requirements identified during the analysis phase of the application

SOFTWARE

MANUAL

STATIC*

¿?

If the design is available, it can be applied

394

YES

Size

Number of sub classes

SOFTWARE

YES

If the software is available, it can be applied. It can be also applied to embedded software

395

YES

Size

NumFunctions

SOFTWARE

YES

If the software is available, it can be applied. It can be also applied to embedded software

400

YES

Size

Response set for a Class (RFC)

Set of methods that can potentially be executed in response to a message received by an object of that class. RFC is simply the number of methods in the set, including inherited methods

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

402

YES

Size

Stall Ratio

CODE

Stall ratio is a measure of how much a program’s progress is impeded by frivolous activities. stall ratio = (lines of non-progressive statements in a loop) / (total lines in the loop)

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

409

YES

Strength

Comment ratio

Ratio of number of comment lines to number of code lines

SOFTWARE

AUTOMATIC*

STATIC*

YES

If the software is available, it can be applied. It can be also applied to embedded software

410

YES

Strength

CommentDensity

The ratio of lines of comments to lines of code

411

YES

Strength

Compartmentalization

CODE

Compartmentalization means that systems and their components run in different compartments, isolated from each other. Thus a compromise of any of them does not impact the others. This metric can be measured as the number of independent components that do not trust each other (performs authentication and authorization for requests/calls coming from other system components) that the system is based on to deliver its function. The higher the compartmentalization value, the more secure the system

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

If the software is available, it can be applied. It can be also applied to embedded software

415

YES

Strength

Defense-In-Depth

CODE

This metric verifies that security controls are used at different points in the system chain including network security, host security, and application security. Components that have critical data should employ security controls in the network, host, and component layers. To assess this metric we need to capture system architecture and deployment models as well as the security architecture model. Then we can calculate the ratio of components with critical data that apply the layered security principle compared to number of critical components

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

I am not sure if this metric can be applied to embedded software, or at verification phases

417

YES

Strength

Fail Securely

CODE

The system does not disclose any data that should not be disclosed ordinarily at system failure. This includes system data as well as data about the system in case of exceptions. This metric can be evaluated from the security control responses – i.e. how the control behaves in case it failed to operate. From the system architecture perspective, we can assess it as the number of critical attributes and methods that can be accessed in a given component. The smaller the metric value, the likely more secure the system in case of failure

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

YES

This could be used in evaluation

419

YES

Strength

Inspection Performance Metric (IPM)

TESTER

It measures the performance of the people during the inspection process using the aforementioned parameters. # defects captured by inspection process /inspection effort

TESTER

SEMI-AUTOMATIC*

STATIC*

This metric is related to the tester

421

YES

Strength

Isolation (PI)

CODE

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

I am not sure if this metric can be applied to embedded software

423

YES

Strength

Least Privilege

CODE

This metric states that each component and user should be granted the minimal privileges required to complete their tasks. This metric can be assessed from two perspectives: from the security controls perspective we can review users’ granted privileges. From the architectural analysis perspective this can be assessed as how the system is broken down to minimal possible actions i.e. the number of components that can access critical data. The smaller the value, the more secure the system

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

If the software is available, it can be applied. It can be also applied to embedded software

431

YES

Strength

Trustworthiness

Trustworthiness of software means its worthy of being trusted to fulfill requirements which may be needed for a particular software component, application, system, or network. It involves attributes of stability, data security, quality, privacy, safety and so on. Software trustworthiness is interrelated with not only risk control in the software process, but also the quality management of the software development process. Furthermore, vision is needed to avoid excessive costs and schedule delays in development and risks management costs in operation; to improve development efforts; and above all

SOFTWARE

433

YES

Strength

Variable Security Vulnerability

CODE

The security vulnerability of a variable v@l is determined by the combined security damage it might cause to the overall system security when v@l is attacked. The more security properties that can be left intact, the less vulnerable the variable is; on the other hand, the more security properties are violated, the more criticall the variable is.

SOFTWARE

AUTOMATIC*

STATIC*

¿?

This is only applicable if the source code is available

435

YES

Strength

Vulnerability Free Days (VFD)

Percent of days in which the vendor’s queue of reported vulnerabilities for the product is empty

SOFTWARE

SEMI-AUTOMATIC*

DYNAMIC*

This metric is not suitable for the evaluation phase

437

YES

Weakness

Average Active Vulnerabilities per day (AAV)

Median number of software vulnerabilities which are known to the vendor of a particular piece of software but for which patch has been publicly released by the vendor

SOFTWARE

SEMI-AUTOMATIC*

DYNAMIC*

This metric is not suitable for the evaluation phase

439

YES

Weakness

BrokenAccountCount

Number of accounts that have no activity for more than 90 days and will never expire. Such accounts represent a clear risk of password compromise and resulting illegal access.

SOFTWARE

¿?

449

YES

Weakness

Faults found during manual inspection

SOFTWARE

YES

It is related to software and it can be applied to embedded software

452

YES

Weakness

Maximal probability of successful attack

The probability to accomplish an attack successfully is a well-known metric. The metric describes the most probable way to compromise the system

NETWORK*

Formal model. Formal verification. Too much notation. I think this is more related to networks

458

YES

Weakness

Number of Design Flaws Related to Security (NSDF)

Security-related design flaws occur when software is planned and specified without proper consideration of security requirements and principles. For instance, clear-text passwords are considered as design flaws. Design flaws can be detected using design inspection techniques (e.g., design reviews). Identifying the number of design flaws related to security can help detect security issues earlier in the design process

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

If the design is available, it can be applied

459

YES

Weakness

Number of Exceptions That Have Been Implemented to Handle Execution Failures Related to Security (NEX)

Number of exceptions that have been included in the code to handle possible failures of the system due to an error in a code segment that has an impact on security

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

If the design is available, it can be applied

460

YES

Weakness

Number of excluded security requirements that ensure input/output handling

DESIGN

Is a specific encoding scheme defined for all inputs? Is a process of canonicalization applied to all inputs? Is an appropriate validation defined and applied to all inputs, in terms of type, length, format/syntax and range? Is a whitelist Filtering approach is applied to all inputs? Are all the validations performed on the client and server side? Is all unsuccessful input handling rejected with an error message? Is all unsuccessful input handling logged? Is output data to the client filtered and encoded? Is output encoding performed on server side?

SOFTWARE

MANUAL

STATIC*

This metric is intended to be use in the design phase. This cannot be applied in a security assessment

462

YES

Weakness

Number of Implementation Errors Found in the System (NERR)

Number of implementation errors of the system

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Related to the implementation phase

463

YES

Weakness

Number of Implementation Errors Related to Security (NSERR)

Number of implementation errors of the system that have a direct impact on security. One of the most common security related implementation errors is the buffer overflow

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Related to the implementation phase

464

YES

Weakness

Number of Omitted Exceptions for Handling Execution Failures Related to Security (NOEX)

Number of missing exceptions that have been omitted by software engineers when implementing the system. These exceptions can easily be determined through testing techniques.

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

Related to the implementation phase

465

YES

Weakness

Number of Omitted Security Requirements (NOSR)

Number of requirements that should have been considered when building the application

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

¿?

If the design is available, it can be applied

471

YES

Weakness

Number of violations of the LP principle

Number of violations of the Least Privilege principle. A component does not adhere to LP if it, based upon the permissions attributed as described before, is capable of executing tasks it is not responsible for

SOFTWARE

AUTOCATIC*

STATIC*

YES

This could be used in embedded systems

473

YES

Weakness

Percentage Software Hazards (PSH)

Comparing the number of software hazards identified against historical data, it indicates the sufficiency of the software hazard identification based on the identified hazards. (# software hazards / # System hazards ) * 100

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

SÍ

Hazard is similar to risk.

476

YES

Weakness

Remediation Potency (RP)

Remediation potency refers to how good the remediation is against the vulnerability

477

YES

Weakness

Remediation Scheme (RS)

It is used to describe the remediation process

480

YES

Weakness

Static analysis alert count (number of)

SOFTWARE

488

YES

Weakness

Vulnerability Density

CODE

Number of vulnerabilities in the unit size of a code. VD = size of the software / # vulnerabilities in the system

SOFTWARE

SEMI-AUTOMATIC*

STATIC*

YES

It seems that it can be applied to embeded systems, but I am not sure if it is applicable in the evaluation phase

490

YES

Weakness

XsiteVulnCount

It is obtained via a penetration-testing tools

SOFTWARE

It is not clearly defined

494

YES

Dependency*

Security metrics of Arithmetic Expression

The security flaws of arithmetic expression include divide by zero, overflow of arithmetic operation, misused data type of arithmetic expression, and truncation error of arithmetic operation

SOFTWARE

AUTOMATIC*

STATIC*

¿?

This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist

495

YES

Dependency*

Security Metrics of Array Index

The security flaws of array index include index out of range, incorrect index variable and uncontrollable array index

SOFTWARE

AUTOMATIC*

STATIC*

¿?

This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist

496

YES

Dependency*

Security Metrics of Component Interfaces

The security flaws of component interface include inconsistent parameter numbers, inconsistent data types, and inconsistent size of data types

SOFTWARE

AUTOMATIC*

STATIC*

¿?

This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist

497

YES

Dependency*

Security Metrics of Control Operation

The security flaws of control operations include infinite loop, deadlock situations and boundary defects

SOFTWARE

AUTOMATIC*

STATIC*

¿?

This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist

498

YES

Dependency*

Security Metrics of I/O Management

File is an important media which can store critical information and record log data. However, file privilege definition, file access management, file contents, file organization and file size are major factors to affect the security software operation

SOFTWARE

AUTOMATIC*

STATIC*

¿?

This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist

499

YES

Dependency*

Security Metrics of Input Format

The security flaws of data format include mismatched data contents, mismatched data type, mismatch data volume

SOFTWARE

AUTOMATIC*

STATIC*

¿?

This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist

500

YES

Dependency*

Security Metrics of Kernel Operation

A released software system must be adapted to a suitable operating system and environment. The kernel of operating system and environment become a critical factor to affect the operating security of software system. Resource management, execution file protection, main memory control and process scheduling are major tasks of operating system. The security flaws, which embedded in the tasks of operating system, become high security risk for software system operation

SOFTWARE

AUTOMATIC*

STATIC*

¿?

This is not a metric, but a group of them. Individually, they could be used if they are specified. Checklist. Only when there is an OS

501

YES

Dependency*

Security Metrics of Network Environment

Network environment is a critical tool in the e-commerce years. However, data transmission management, remote access control, and transmission contents always become the security holes of software system operation

SOFTWARE

AUTOMATIC*

STATIC*

¿?

This is not a metric, but a group of them. Individually, they could be used if they are specified

502

YES

Dependency*

Security Metrics of Resources Allocation

The security flaws of resource allocation include exhausted memory, unreleased memory exhausted resources, and unreleased resources

SOFTWARE

AUTOMATIC*

STATIC*

¿?

This is not a metric, but a group of them. Individually, they could be used if they are specified

503

YES

Dependency*

Security Metrics of User Authority

Many users may use the released system to do specific jobs. However, user privilege definition, user password management and user detailed information maintenance are important tasks to control and manage the user authority. Without user authority control and management, the operation environment of software system will be on high security risk

SOFTWARE

AUTOMATIC*

STATIC*

¿?

This is not a metric, but a group of them. Individually, they could be used if they are specified

526

YES

Weakness

Kolmogorov Complexity

SOFTWARE