A PATH TOWARDS CYBER RESILIENT AND SECURE SYSTEMS METRICS AND MEASURES

A holistic and defense in depth approach to program protection must be taken to increase system survivability. Systems security engineers (SSE) work with security specialty subject matter experts in specialties such as cyber security, software and hardware assurance, supply chain, anti‐tamper and general program security to integrate a security perspective throughout the systems engineering process and product development lifecycle. Today security specialties have varying methods, metrics, and measures to evaluate their threats, vulnerabilities, and likelihood of impact to the system's operational mission. This variability causes significant challenges throughout the system development lifecycle starting with articulating customer system security requirements to validating and verifying countermeasure implementation effectiveness to achieve acceptable levels of risk mitigation. To manage, balance, and conduct risk based trades, SSEs need a common metric with a common scale to evaluate security quality system attributes. This article explores concepts for consideration, which include establishing a common system security risk metric, integrating cyber resilient design within the system architecture, and methods for proving system security. These concepts apply to each security specialty and each security specialty contributes to the overall survivability of a system.