U.S. flag

An official website of the United States government

Government Website

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Safely connect using HTTPS

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Archived Content

In an effort to keep DHS.gov current, the archive contains outdated information that may not reflect current policy or programs.

Enterprise Level Security Metrics and Usability

Defining effective information security metrics has proven difficult, even though there is general agreement that such metrics could allow measurement of progress in security measures and, at a minimum, rough comparisons of security between systems. Metrics underlie and quantify progress in many other system security areas. As the saying goes, “You cannot manage what you cannot measure.” The lack of sound and practical security metrics is severely hampering progress both in research and engineering of secure systems. However, general community agreement on meaningful metrics has been hard to achieve. This is due in part to the rapid evolution of IT, as well as the shifting focus of adversarial action.


Enterprise-level security metrics address the security posture of an organization. Experts, such as system administrators, and non-technical users alike must be able to use an organization’s system while still maintaining security.

This project is developing security metrics and the supporting tools and techniques to make them practical and useful as decision aids. This will allow the user to measure security while achieving usability and make informed decisions based on threat and cost to the organization.


Email: SandT-Cyber-Liaison@HQ.DHS.GOV


Enterprise-Level Security Metrics

Prime: George Mason University | Sub: Applied Visionis; ProInfo

Metrics Suite for Enterprise-Level Attack Graph Analysis

Prime: University of Illinois at Urbana-Champaign

A Tool for Compliance and Depth of Defense Metrics

Usable Security

Prime: IBM Research

Usable Multi-Factor Authentication and Risk-Based Authorization

Prime: Indiana University | Sub: USC Information Sciences Institute

CUTS: Coordinating User and Technical Security

Prime: University of Houston

Continuous and Active Authentication for Mobile Devices Using Multiple Sensors

Last Updated: 01/12/2023
Was this page helpful?
This page was not helpful because the content