A formal approach to information security metrics

Abstract

Automation of Enterprise Information Systems has resulted in several information security issues. There is a need to devise ways of measuring information security. Existing techniques mostly concentrate on finding ways of measuring specific attributes of security devices. This paper is an initial step towards the development of a formal methodology for measuring enterprise information system security. The proposed technique may also be used to compare the relative security of information systems.