How Secure is Secure: Some Thoughts on Security Metrics

This is a summary of the general chair’s opening remarks presented at the 1995 IFIP 11.3 Working Conference on Database Security. It addresses the issue of analyzing a security-critical information system in order to determine whether the system is considered secure enough. The central idea of the remarks is the notion of a relatively secure system: one that has an appropriate performance level of security fault tolerance or fault acceptance, as specified by the security policy that governs the system. A set of commonly acceptable security metrics will be necessary to guide security policy makers in establishing rational security policies, and to guide security designers in designing and selecting security fault tolerance techniques appropriate to the policy of the system. A data value and analysis approach is introduced to motivate researchers to develop the highly desired data security metrics.