Measurement, identification and calculation of cyber defense metrics

Juan Sandoval, Suzanne Hassell
{"title":"Measurement, identification and calculation of cyber defense metrics","authors":"Juan Sandoval, Suzanne Hassell","doi":"10.1109/MILCOM.2010.5680489","DOIUrl":null,"url":null,"abstract":"This paper presents performance metrics to be used for evaluation of cyber dynamic defense solutions. Currently, there are no standard, industry-defined metrics or benchmarks for evaluating cyber security architectures and systems for dynamic defense. These systems have relied instead on a layered, “defense in depth” approach, where the only measurement made is the number of defenses. In order to characterize the performance of cyber defense solutions, a variety of metrics need to be defined and captured based on observable effects on both cyber attacks and defenses. By establishing these metrics, the benefit each individual layer provides to an overall defensive solution can be determined, allowing system designers to select the most effective suite of defensive techniques. The metrics presented were formulated using a discrete event simulation of dynamic defense solutions. The focus of this simulation was to assess the increased cost to cyber attackers, where cost is based in time. Metrics are captured from the perspective of the defender, as well as that of the attacker. 
Collection of data supporting computation of the metrics will be shown in a discrete event simulation environment, as well as recommendations for network locations and equipment that can be used to collect these metrics in a notional network architecture.","PeriodicalId":330937,"journal":{"name":"2010 - MILCOM 2010 MILITARY COMMUNICATIONS CONFERENCE","volume":"10 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2010-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"15","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2010 - MILCOM 2010 MILITARY COMMUNICATIONS CONFERENCE","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/MILCOM.2010.5680489","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 15

Abstract

This paper presents performance metrics to be used for evaluation of cyber dynamic defense solutions. Currently, there are no standard, industry-defined metrics or benchmarks for evaluating cyber security architectures and systems for dynamic defense. These systems have relied instead on a layered, “defense in depth” approach, where the only measurement made is the number of defenses. In order to characterize the performance of cyber defense solutions, a variety of metrics need to be defined and captured based on observable effects on both cyber attacks and defenses. By establishing these metrics, the benefit each individual layer provides to an overall defensive solution can be determined, allowing system designers to select the most effective suite of defensive techniques. The metrics presented were formulated using a discrete event simulation of dynamic defense solutions. The focus of this simulation was to assess the increased cost to cyber attackers, where cost is based in time. Metrics are captured from the perspective of the defender, as well as that of the attacker. Collection of data supporting computation of the metrics will be shown in a discrete event simulation environment, as well as recommendations for network locations and equipment that can be used to collect these metrics in a notional network architecture.