Measuring Cyber Security and Information Assurance

The rapid growth of connections, processing, bandwidth, users, and global dependence on the Internet has greatly increased vulnerabilities of information technology (IT) infrastructure to increasingly sophisticated and motivated attacks. Despite significantly increased funding for research, development, and deployment of information assurance (IA) defenses, reports of attacks on, and damage to the IT infrastructure are growing at an accelerated rate.

While a number of cyber security/IA (CS/IA) strategies, methods, and tools exist for protecting IT assets, there are no universally recognized, reliable, and scalable methods to measure the “security” of those assets. CS/IA practitioners’ success in protecting and defending an uninterrupted flow of information on IT systems and networks is critically dependent upon their ability to accurately measure in real time the security status of the local system as well as on their understanding of the security status of regional, national, and international networks.

This report assesses the current “state of the art” in CS/IA measurement to facilitate further research into this subject. Progress has been made, but much remains to be done to achieve the goal of real-time, accurate CS/IA measurement. Enabling such measurement would make it is possible to understand, improve, and predict the state of CS/IA.