Making Security Measurable

MITRE, in collaboration with government, industry, and academic stakeholders, is improving the measurability of security through registries of baseline security data, providing standardized languages as means for accurately communicating the information, defining proper usage, and helping establish community approaches for standardized processes.

The other activities and initiatives listed here have similar concepts or compatible approaches to MITRE’s. Together all of these efforts — be they mature or continuing to build momentum — are helping to make security more measurable by defining the concepts that need to be measured, providing for high fidelity communications about the measurements, and providing for sharing of the measurements and the definitions of what to measure.

Measurable security pertains at a minimum to the following areas:

Software Assurance

Application Security

Asset Management

Supply Chain Risk Management

Cyber Intelligence Threat Analysis

Cyber Threat Information Sharing

Vulnerability Management

Patch Management

Configuration Management

Malware Protection

Intrusion Detection

System Assessment

Incident Coordination

Enterprise Reporting

Remediation

"Software assurance (SwA) is defined as the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner."

"If you believe that your software should do what it is supposed to do and nothing more in spite of the efforts of attackers, haphazard user input, or accidents, then application security is probably something you will be interested in."

"By understanding adversaries' behavior against a range of targets over a period of time, defenders can identify a set of indicators and a robust set of adversary tactics, techniques, and procedures (TTPs)."

"The basic process for addressing unexpected security-relevant weaknesses in any self-developed, commercial or open source software used in any organization starts with the discovery of a security-relevant weakness in that software that leaves the software vulnerable."

"Standardization efforts in this area of cyber security include the following..."

"Cyber intelligence — or the collecting, analyzing and countering of cyber security threat information — is an essential capability in defending against today's agile cyber adversaries."

"When a cyber incident occurs, such as a spear-phishing attack, a configuration error, or a denial-of-service (DoS) attack, defenders may need to reach out to Computer Security Incident Response Teams (CSIRTs), Law Enforcement, Internet Service Providers (ISPs), product vendors, and others for assistance and coordination."

"Attackers, ranging from script kiddies to hacktivists to criminals to nations states, use malware to gain access to an organization's network infrastructure. Once inside the network, these attackers may try to deface systems, gather personal and proprietary information, or deny legitimate users access to resources."

This website is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2007–2024 The MITRE Corporation. MITRE, the MITRE logo, CVE, and the CVE logo are registered trademarks and the Making Security Measurable logo, CWE, the CWE logo, CAPEC, the CAPEC logo, MAEC, the MAEC logo, CWSS, the CWSS logo, CWRAF, the CWRAF logo, and Recommendation Tracker are trademarks of The MITRE Corporation. All other trademarks are the property of their respective owners. All other trademarks are the property of their respective owners. Contact us: measurablesecurity@mitre.org

Page Last Updated: July 08, 2013