The term assurance has been used for decades in trusted system development to express the notion of confidence in the strength of a specific system or system of systems. The unsolved problem that security engineers must struggle with is the adoption of measures or metrics that can reliably depict the assurance associated with a specific hardware and software architecture. This article reports on a recent attempt to focus needs in this area and suggests various categories of information assurance metrics that may be helpful to an organization that is deciding which set is useful for a specific application.
Vaughn, R., A. Siraj, and D. Dampier, “Information Security System Rating and Ranking,” CROSSTALK, The Journal of Defense Software Engineering, May 2002, pp. 30-32.