
A domain model for evaluating enterprise security

Posted on: 2002-06-16
Degree: D.CS
Type: Dissertation
University: Colorado Technical University
Candidate: Carmichael, Martin A
Full Text: PDF
GTID: 1468390011992812
Subject: Computer Science
Abstract/Summary:
The current situation of computer security in government, corporate and private domains was examined. It was evident that a need exists to measure the effectiveness of enterprise security. Criteria were set forth to provide standards for a proposed metric (aggregation, enterprise-wide, evolvable, software supportable, heterogeneous, rational, complete, and a proactive model that would function as a framework for the metric). Security was decomposed into five basic elements: Authentication, Authorization, Accuracy, Availability, and Audit. A model was created utilizing these basic elements of security and a metric was determined that could be used to analyze enterprise security. This metric, Time-To-Defeat, was demonstrated to fulfill the criteria that had been determined.

By demonstrating that security can be evaluated by direct, rational measurement, rather than procedural methods, it was established that an objective, functional determination of security could be made. Strengths as well as weaknesses of security can be addressed with this direct measurement. Cost/benefit ratios can be determined for enterprise security expenditures. The metric is effective in determining the level of security, from single components to large corporations and government agencies, at any size, portion or complexity of any enterprise.
Keywords/Search Tags: Security, Enterprise, Model