QOTD on good security metrics

NIST has just released a draft of its publication Directions in Security Metrics Research, in which it outlines several properties of good information security metrics (emphasis mine):
To be of value, the method of measurement employed should be reproducible, that is, capable of attaining the same result when performed independently by different competent evaluators. The result should also be repeatable, such that a second assessment by the same evaluators produces the same result. Relevance and timeliness are also implicit considerations, since it is of little benefit to have measures that are not meaningful or whose latency exceeds their usefulness.
Src: Directions in Security Metrics Research (Draft-NISTIR-7564.pdf)
