Measuring Security


Mi'kail Eli'yah
May 28, 2024

Measuring judgement and decisions extends to all areas of our work and life. In this segment, we explore possible means to measure security. This can be seen as re-purposing the means used to gauge confidence levels, with certainty and specificity, toward measuring the security of a system.

Measuring security in a solution ecosystem involves defining metrics that provide insights into various domains such as identification, detection, reaction, and recovery. These metrics should be comprehensive and allow for the assessment of security coverage, the efficiency of security operations, and the overall resilience of the system.

The means and metrics to measure security are missing in our industry today.

To illustrate how to visualize the coverage (or the lack of it), let’s use a simulation to describe how hits and misses impact confidence in the security posture over time, iff (if and only if) the coverage (or its lack) is known, and hence measurable from what has been observed: traced, tracked and known. Where hits are above misses, that is the coverage of past security tech debt.

import matplotlib.pyplot as plt
import numpy as np

time_points = 100 # Number of time points

# Generate random hits and misses
np.random.seed(0) # For reproducibility
hits = np.random.randint(0, 10, time_points) # where hits is above misses is the coverage of past security tech debt
misses = np.random.randint(0, 10, time_points)

time = np.arange(1, time_points + 1) # Time array…
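To turn the hit/miss stream above into a measurable posture, here is an added example (my code, not the article's) that computes a per-time-point coverage confidence and a running tech-debt balance. It assumes, as my own interpretation, that a hit is an attack the controls caught, a miss is one they did not, coverage confidence is the posterior mean of a Beta(1,1) prior updated with the counts (so the interval width shrinks as evidence accumulates), and that misses add to tech debt while a surplus of hits over misses pays it down.

```python
import math
from dataclasses import dataclass


@dataclass
class PostureSnapshot:
    t: int            # time point (1-based)
    coverage: float   # posterior mean of hits / (hits + misses), Beta(1,1) prior
    width: float      # 95% normal-approximation interval width (uncertainty)
    tech_debt: int    # cumulative misses not yet offset by hits (never below 0)


def posture_over_time(hits, misses):
    """Fold a hit/miss stream into a sequence of posture snapshots."""
    if len(hits) != len(misses):
        raise ValueError("hits and misses must have the same length")
    snapshots = []
    a, b = 1.0, 1.0   # Beta prior: no evidence either way yet
    debt = 0
    for t, (h, m) in enumerate(zip(hits, misses), start=1):
        a += h
        b += m
        mean = a / (a + b)
        var = (a * b) / ((a + b) ** 2 * (a + b + 1))
        width = 2 * 1.96 * math.sqrt(var)
        # misses add to tech debt; hits above misses cover past debt
        debt = max(0, debt + m - h)
        snapshots.append(PostureSnapshot(t, mean, width, debt))
    return snapshots


def debt_free_fraction(snapshots):
    """Share of time points at which no tech debt was outstanding."""
    if not snapshots:
        return 0.0
    return sum(1 for s in snapshots if s.tech_debt == 0) / len(snapshots)


if __name__ == "__main__":
    # Constructed sample stream (not real telemetry): 4 time points
    sample_hits = [3, 0, 5, 2]
    sample_misses = [1, 4, 1, 0]
    for s in posture_over_time(sample_hits, sample_misses):
        print(f"t={s.t} coverage={s.coverage:.3f} "
              f"±{s.width / 2:.3f} debt={s.tech_debt}")
    print("debt-free fraction:",
          debt_free_fraction(posture_over_time(sample_hits, sample_misses)))
```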