The state and scientific basis of cyber security metrics – Including Canadian perspectives


  1. Yee, G.
Corporate Authors
Defence R&D Canada - Ottawa, Ottawa ONT (CAN);Procom Consultants Group, Ottawa Ont (CAN)
This report describes a study on the state of enterprise cyber security metrics in terms of contributions from international research, Canadian university research, and Canadian industry. The study finds that very little published research exists on cyber security metrics compared to related fields such as information security, and existing research lacks scientific rigour. Furthermore, use of cyber security metrics by industry appears to be mostly limited to security information and event management (SIEM) software. This report proposes a scientific framework to provide a firm basis for the analysis of current and future cyber security measures and metrics. The report evaluates the state of the art (SoA) and state of practice (SoP) of published cyber security metrics using the proposed scientific framework, and identifies gaps between the SoA/SoP and what is theoretically possible. The report concludes with a summary of the study results and gives recommendations for future work. In addition, an annex is included that describes the viability of basing a security dashboard on current SIEM technology.

Il y a un résumé en français ici.

Report Number
DRDC-OTTAWA-CR-2012-109 — Contractor Report
Date of publication
01 Oct 2012
Number of Pages
Electronic Document(PDF)

Permanent link

Document 1 of 1

Date modified: