Stevens Creek Software LLC
Security metrics have evolved side by side with the advent of security tools and techniques. They have been derived from the techniques rather than specified as system requirements. This paper surveys the evolution and state of the practice of security metrics from both a technical and historical perspective. It describes the evolution of currently popular security metrics, and classifies them to illustrate their utility in systems engineering verification and validation activities. It provides criteria with which to evaluate security metrics based on system purpose and architecture. The criteria are illustrated using a case study of Cloud System security.