The 2012 Program Protection Workshop identified metrics as one of the top 5 issues that challenged the system security community in addressing Kendall’s 2011 memo directing document streamlining and a holistic approach for delivering trusted systems.
In 2014, the SSE Committee kicked off a metrics project. The metrics breakout session at the May 2014 PPP Summit and Workshop defined the characteristics of a good metric and authored a project charter that includes goals and objectives.
System Security Metrics Project Charter:
The value of developing well-defined, measurable, and achievable system security metrics is to be able to establish an indicator of a system’s security mission effectiveness.
Develop system security metrics that establish thresholds and trends that are predictive of the system’s ability to perform within the mission threat environment.
1. Create levels of end system security performance metrics.
2. Develop indicators and trades of in-process security metrics.
3. Investigate additional needs for programmatic progress metrics.
Assess current security relevant metrics and identify gaps to a desired future state to achieve the Metrics Project charter goals and objectives.
1. Develop a list of currently available security relevant metrics.
2. Evaluate metrics to project needs.
3. Define the future desired state.
4. Map currently available metrics to desired state.
5. Assess strengths and weaknesses (gaps).
6. Develop a report of findings.