There are many more different quantitative and qualitative metrics that have been engineered to assess and reduce security risk. Structured as quantitative or qualitative -- meaning that some are structured according to empirical, mathematical rules (quantitative; usually from disciplines such as finance), whilst others are structured in an experiential manner derived from interviews, observation, and so forth (qualitative) -- each has its benefits and disadvantages.
Uses of security metrics and how organizations benefit from them
The benefits of security metrics fall into three broad classes:
1. Strategic support -- Security metrics help tighten the security of different kinds of organizational decision-making such as planning programs, product and service selection, and resource allocation.
2. Quality assurance - Security metrics are used during the software development lifecycle in order to prevent and screen out vulnerabilities, particularly during the code production. They do this by executing functions such as measuring the system's adherence to coding standards and identifying vulnerabilities that may exist. They also track down and analyze possible security issues.
3. Tactical oversight -- Security metrics gauge the effectiveness of security controls and mange risk, identify areas for improvement, provide a basis for trend analyzing, and monitor the security statue of an organization's it system ensuring that it complies with security standards (Jansen (n.d.)).
In all these ways (and more), metrics are used throughout all it operations of the organization in order to prevent and screen out vulnerabilities, gauge the effectiveness of security controls and mange risk, identify areas for improvement, and monitor the security statue of an organization's it system so that it complies with security standards.
Metrics benefit the security of the organization in all ways. On a micro scale (as regards the it system itself), security metrics help ensure the safety and security of the organization's it system by identifying its potential vulnerabilities...
On the macro scale, and as regards the organization as a whole, security metrics enable the organization to improve its security objectives so that no valuable data is corrupted or slips through that jeopardizes the safety of the organization.
Models and their derivative metrics should be repeatedly tested in order to ensure their reliability, namely that metrics should show constant and replicated positive results regardless of the it system that it is applied to. Metrics should also be applicable and timely.
The field of security metrics is enormous and complex and entire books have been written on the subject (see e.g. Bojanc & Jerman-Blazoc, 2008). Areas of ongoing research seek to improve the estimators of the system security as ways of developing new metrics and tightening up the procedures used. They also seek to make metrics as objective as possible order to screen out human error and bias. Researchers are also working to offer a more systematic and rapid means of obtaining meaningful measurements whilst seeking to broaden their understanding and insight into development of further models and into improvement of existent models and metrics.
Reference
Bojanc, R. & Jerman-Blazoc, B. (2008), an economic modeling approach to information security risk management. International Journal of Information Management 28 (2008) 413 -- 422
Chowdhary, a., & Mezzeapelle, M.A. (n.d.) Information Security metrics. Hewlett Packard.
Jansen, W. (n.d.) Directions in security metrics research. National Institute of Standards and Technology (NIST)
http://csrc.nist.gov/publications/nistir/ir7564/nistir-7564_metrics-research.pdf
Pedro, G.L., & Ashutosh, S. (2010). An approach to quantitatively measure Information security 3rd India Software Engineering Conference, Mysore, 25-27
Swanson, M. et al., Security Metrics Guide for Information Technology Systems, NIST Special Publication 800-55,
http://cid-7086a6423672c497.skydrive.live.com/self.aspx/.Public/NIST%20SP%20800-55.pdf
