Samaneh Tajalizadehkhoob,Rainer Böhme,Carlos Gañán,Maciej Korczyński,Michel Van Eeten

DOI: https://doi.org/10.48550/arXiv.1702.01624

2017-02-06

Abstract:Internet security and technology policy research regularly uses technical indicators of abuse in order to identify culprits and to tailor mitigation strategies. As a major obstacle, readily available data are often misaligned with actual information needs. They are subject to measurement errors relating to observation, aggregation, attribution, and various sources of heterogeneity. More precise indicators such as size estimates are costly to measure at Internet scale. We address these issues for the case of hosting providers with a statistical model of the abuse data generation process, using phishing sites in hosting networks as a case study. We decompose error sources and then estimate key parameters of the model, controlling for heterogeneity in size and business model. We find that 84\,\% of the variation in abuse counts across 45,358 hosting providers can be explained with structural factors alone. Informed by the fitted model, we systematically select and enrich a subset of 105 homogeneous "statistical twins" with additional explanatory variables, unreasonable to collect for \emph{all} hosting providers. We find that abuse is positively associated with the popularity of websites hosted and with the prevalence of popular content management systems. Moreover, hosting providers who charge higher prices (after controlling for level differences between countries) witness less abuse. These factors together explain a further 77\,\% of the remaining variation, calling into question premature inferences from raw abuse indicators on security efforts of actors, and suggesting the adoption of similar analysis frameworks in all domains where network measurement aims at informing technology policy.

Cryptography and Security

Samaneh Tajalizadehkhoob,Tom van Goethem,Maciej Korczyński,Arman Noroozian,Rainer Böhme,Tyler Moore,Wouter Joosen,Michel van Eeten

DOI: https://doi.org/10.48550/arXiv.1708.06693

2017-08-23

Abstract:Hosting providers play a key role in fighting web compromise, but their ability to prevent abuse is constrained by the security practices of their own customers. {\em Shared} hosting, offers a unique perspective since customers operate under restricted privileges and providers retain more control over configurations. We present the first empirical analysis of the distribution of web security features and software patching practices in shared hosting providers, the influence of providers on these security practices, and their impact on web compromise rates. We construct provider-level features on the global market for shared hosting -- containing 1,259 providers -- by gathering indicators from 442,684 domains. Exploratory factor analysis of 15 indicators identifies four main latent factors that capture security efforts: content security, webmaster security, web infrastructure security and web application security. We confirm, via a fixed-effect regression model, that providers exert significant influence over the latter two factors, which are both related to the software stack in their hosting environment. Finally, by means of GLM regression analysis of these factors on phishing and malware abuse, we show that the four security and software patching factors explain between 10\% and 19\% of the variance in abuse at providers, after controlling for size. For web-application security for instance, we found that when a provider moves from the bottom 10\% to the best-performing 10\%, it would experience 4 times fewer phishing incidents. We show that providers have influence over patch levels--even higher in the stack, where CMSes can run as client-side software--and that this influence is tied to a substantial reduction in abuse levels.

Cryptography and Security

Mohammed Alqadhi,Ali Alkinoon,Saeed Salem,David Mohaisen

DOI: https://doi.org/10.48550/arXiv.2305.14531

2023-05-23

Cryptography and Security

Abstract:This paper examines free content websites (FCWs) and premium content websites (PCWs) in different countries, comparing them to general websites. The focus is on the distribution of malicious websites and their correlation with the national cyber security index (NCSI), which measures a country's cyber security maturity and its ability to deter the hosting of such malicious websites. By analyzing a dataset comprising 1,562 FCWs and PCWs, along with Alexa's top million websites dataset sample, we discovered that a majority of the investigated websites are hosted in the United States. Interestingly, the United States has a relatively low NCSI, mainly due to a lower score in privacy policy development. Similar patterns were observed for other countries With varying NCSI criteria. Furthermore, we present the distribution of various categories of FCWs and PCWs across countries. We identify the top hosting countries for each category and provide the percentage of discovered malicious websites in those countries. Ultimately, the goal of this study is to identify regional vulnerabilities in hosting FCWs and guide policy improvements at the country level to mitigate potential cyber threats.

Michael D. Iannacone,Robert A. Bridges

DOI: https://doi.org/10.48550/arXiv.1902.00053

2019-10-25

Abstract:Metrics and frameworks to quantifiably assess security measures have arisen from needs of three distinct research communities - statistical measures from the intrusion detection and prevention literature, evaluation of cyber exercises, e.g.,red-team and capture-the-flag competitions, and economic analyses addressing cost-versus-security tradeoffs. In this paper we provide two primary contributions to the security evaluation literature - a representative survey, and a novel framework for evaluating security that is flexible, applicable to all three use cases, and readily interpretable. In our survey of the literature we identify the distinct themes from each community's evaluation procedures side by side and flesh out the drawbacks and benefits of each. The evaluation framework we propose includes comprehensively modeling the resource, labor, and attack costs in dollars incurred based on expected resource usage, accuracy metrics, and time. This framework provides a unified approach in that it incorporates the accuracy and performance metrics, which dominate intrusion detection evaluation, the time to detection and impact to data and resources of an attack, favored by educational competitions' metrics, and the monetary cost of many essential security components used in financial analysis. Moreover, it is flexible enough to accommodate each use case, easily interpretable and comparable, and comprehensive in terms of costs <a class="link-external link-http" href="http://considered.Finally" rel="external noopener nofollow">this http URL</a>, we provide two examples of the framework applied to real-world use cases. Overall, we provide a survey and a grounded, flexible framework with multiple concrete examples for evaluating security which can address the needs of three currently distinct communities.

Cryptography and Security

Giacomo Gori,Lorenzo Rinieri,Andrea Melis,Amir Al Sadi,Franco Callegati,Marco Prandini

DOI: https://doi.org/10.3390/electronics13071208

IF: 2.9

2024-03-26

Electronics

Abstract:Nowadays, as the cyber-threat landscape is evolving and digital assets are proliferating and becoming more and more interconnected with the internet and heterogeneous devices, it is fundamental to be able to obtain a sensible measure of the security of devices, networks, and systems. Industrial cyber–physical systems (ICPSs), in particular, can be exposed to high operational risks that entail damage to revenues, assets, and even people. A way to overcome the open question of measuring security is with the use of security metrics. With metrics it is possible to rely on proven indicators that benchmark systems, identify vulnerabilities, and show practical data to assess the risk. However, security metrics are often proposed with specific contexts in mind, and a set of them specifically crafted for ICPSs is not explicitly available in the literature. For this reason, in this work, we analyze the current state of the art in the selection of security metrics and we propose a systematic methodology to gather, filter, and validate security metrics. Then, we apply the procedure to the ICPS domain, gathering almost 300 metrics from the literature, analyzing the domain to identify the properties useful to filter the metrics, and applying a validation framework to assess the validity of the filtered metrics, obtaining a final set capable of measuring the security of ICPSs from different perspectives.

engineering, electrical & electronic,computer science, information systems,physics, applied

Sumayah Alrwais,Xiaojing Liao,Xianghang Mi,Peng Wang,XiaoFeng Wang,Feng Qian,Raheem Beyah,Damon Mccoy

DOI: https://doi.org/10.1109/sp.2017.32

2017-01-01

Abstract:BulletProof Hosting (BPH) services provide criminal actors with technical infrastructure that is resilient to complaints of illicit activities, which serves as a basic building block for streamlining numerous types of attacks. Anecdotal reports have highlighted an emerging trend of these BPH services reselling infrastructure from lower end service providers (hosting ISPs, cloud hosting, and CDNs) instead of from monolithic BPH providers. This has rendered many of the prior methods of detecting BPH less effective, since instead of the infrastructure being highly concentrated within a few malicious Autonomous Systems (ASes) it is now agile and dispersed across a larger set of providers that have a mixture of benign and malicious clients. In this paper, we present the first systematic study on this new trend of BPH services. By collecting and analyzing a large amount of data (25 snapshots of the entire Whois IPv4 address space, 1.5 TB of passive DNS data, and longitudinal data from several blacklist feeds), we are able to identify a set of new features that uniquely characterizes BPH on sub-allocations and that are costly to evade. Based upon these features, we train a classifier for detecting malicious sub-allocated network blocks, achieving a 98% recall and 1.5% false discovery rates according to our evaluation. Using a conservatively trained version of our classifier, we scan the whole IPv4 address space and detect 39K malicious network blocks. This allows us to perform a large-scale study of the BPH service ecosystem, which sheds light on this underground business strategy, including patterns of network blocks being recycled and malicious clients being migrated to different network blocks, in an effort to evade IP address based blacklisting. Our study highlights the trend of agile BPH services and points to potential methods of detecting and mitigating this emerging threat.

Mahmood Deypir,Toktam Zoughi

DOI: https://doi.org/10.1007/s40998-023-00690-x

2024-05-12

Iranian Journal of Science and Technology Transactions of Electrical Engineering

Abstract:Attackers perform malicious activities by sending URL s to victims via e-mail, SMS , social network messages, and other means. Recently, intruders have been generating malicious URL s algorithmically. They also use shortening or obfuscation services to bypass firewalls and other security barriers. Some machine learning methods have been presented in order to identify malicious URLs from normal ones, all of which are subject to classification errors. On the other hand, it is impractical to have a complete and up-to-date blacklist due to large number of daily generated malicious URL s. Therefore, calculating the URLs security risk would be more helpful than URLs classification. In this way a user can correctly decide whether to use an unfamiliar URL if they know its associated security risk. In this study, the problem of URLs security risk computation is introduced and two effective novel criteria for this problem are proposed. Based on these criteria, a security risk score can be estimated for each incoming URL . In the first criterion, based on previous malicious and non-malicious URL instances, the extracted features of a URL are divided into two categories, those increase the risk and those reduce the security risk. In the second criterion, security risk score of an unknown URL is estimated based on its distances to nearest known malicious and also safe URLs . For both criterion, corresponding formulations and algorithms are also designed and are described. Extensive empirical evaluations on various real datasets show the effectiveness of the proposed criteria in terms of malicious URL detection rate. Moreover, our experiments show that the proposed metrics significantly outperforms previously proposed risk score criteria.

engineering, electrical & electronic

Eric Pauley,Ryan Sheatsley,Blaine Hoak,Quinn Burke,Yohan Beugin,Patrick McDaniel

DOI: https://doi.org/10.1109/SP46214.2022.9833784

2022-04-11

Abstract:Public clouds provide scalable and cost-efficient computing through resource sharing. However, moving from traditional on-premises service management to clouds introduces new challenges; failure to correctly provision, maintain, or decommission elastic services can lead to functional failure and vulnerability to attack. In this paper, we explore a broad class of attacks on clouds which we refer to as cloud squatting. In a cloud squatting attack, an adversary allocates resources in the cloud (e.g., IP addresses) and thereafter leverages latent configuration to exploit prior tenants. To measure and categorize cloud squatting we deployed a custom Internet telescope within the Amazon Web Services us-east-1 region. Using this apparatus, we deployed over 3 million servers receiving 1.5 million unique IP addresses (56% of the available pool) over 101 days beginning in March of 2021. We identified 4 classes of cloud services, 7 classes of third-party services, and DNS as sources of exploitable latent configurations. We discovered that exploitable configurations were both common and in many cases extremely dangerous; we received over 5 million cloud messages, many containing sensitive data such as financial transactions, GPS location, and PII. Within the 7 classes of third-party services, we identified dozens of exploitable software systems spanning hundreds of servers (e.g., databases, caches, mobile applications, and web services). Lastly, we identified 5446 exploitable domains spanning 231 eTLDs-including 105 in the top 10,000 and 23 in the top 1000 popular domains. Through tenant disclosures we have identified several root causes, including (a) a lack of organizational controls, (b) poor service hygiene, and (c) failure to follow best practices. We conclude with a discussion of the space of possible mitigations and describe the mitigations to be deployed by Amazon in response to this study.

Cryptography and Security

Mengyao Lu,Maria Lamond,Deborah Fry

DOI: https://doi.org/10.1016/j.chiabu.2024.107046

IF: 4.863

2024-09-26

Child Abuse & Neglect

Abstract:Background A critical step in improving the response to and monitoring of online child sexual exploitation and abuse (OCSEA) is the need to standardize the data that are collected, stored, and analyzed that effectively measure change in the frequency, nature and risk of OCSEA over time. Objective The objective of the content analysis was to investigate the metrics used by online content-sharing platforms in their efforts to combat OCSEA. Methods A content analysis was undertaken on 19 online content-sharing services' transparency reports on their metrics related to OCSEA. Results From the 19 transparency reports, 132 data points in relation to OCSEA were identified with 22 distinct metrics on OCSEA. Findings revealed a disparity of appropriate metrics and reporting mechanisms employed, particularly, there is a lack of standardized approaches to metrics reporting and an absence of time related measures. Furthermore, very few online content-sharing services disclosed metadata on the data reported and its capture methodology. Conclusion This study highlights the critical need for standardized metrics reporting to enable comparability across services. Without such an evidence base, there are no objective measures to assess the progress and effectiveness in addressing OCSEA.

family studies,psychology, social,social work

Simon Yusuf Enoch,Jin B. Hong,Mengmeng Ge,Dong Seong Kim

DOI: https://doi.org/10.48550/arXiv.2007.03486

2020-07-07

Cryptography and Security

Abstract:Security metrics present the security level of a system or a network in both qualitative and quantitative ways. In general, security metrics are used to assess the security level of a system and to achieve security goals. There are a lot of security metrics for security analysis, but there is no systematic classification of security metrics that are based on network reachability information. To address this, we propose a systematic classification of existing security metrics based on network reachability information. Mainly, we classify the security metrics into host-based and network-based metrics. The host-based metrics are classified into metrics ``without probability" and "with probability", while the network-based metrics are classified into "path-based" and "non-path based". Finally, we present and describe an approach to develop composite security metrics and it's calculations using a Hierarchical Attack Representation Model (HARM) via an example network. Our novel classification of security metrics provides a new methodology to assess the security of a system.

张鑫,顾庆,陈道蓄

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.09.032

2009-01-01

Computer Science

Abstract:Quality of protection can be seen as the security target of security modules when doing their security treatments,which can be judged by quantitative criteria.The question of how to evaluate whether the current software system has fulfills the quality of protection target objectively and effectively has become one of the hotspots of research.Currently,however,most security professionals use the qualitative method for security evaluation,which is highly subjective and makes the evaluation result dependent on the individual experience and thus unreliable.So what needed are substantive and quantitative security metrics.Because of the complexity and the difficulty of implementing the security metrics,a novel security evaluation model was presented in this paper,which analyzed the relative security level of given systems from the views of attack surface,denial of service and attack graph.At last,a general discussion for the process and the result of the evaluation were given.

Corren McCoy,Ross Gore,Michael L. Nelson,Michele C. Weigle

2024-06-10

Abstract:The relentless process of tracking and remediating vulnerabilities is a top concern for cybersecurity professionals. The key challenge is trying to identify a remediation scheme specific to in-house, organizational objectives. Without a strategy, the result is a patchwork of fixes applied to a tide of vulnerabilities, any one of which could be the point of failure in an otherwise formidable defense. Given that few vulnerabilities are a focus of real-world attacks, a practical remediation strategy is to identify vulnerabilities likely to be exploited and focus efforts towards remediating those vulnerabilities first. The goal of this research is to demonstrate that aggregating and synthesizing readily accessible, public data sources to provide personalized, automated recommendations for organizations to prioritize their vulnerability management strategy will offer significant improvements over using the Common Vulnerability Scoring System (CVSS). We provide a framework for vulnerability management specifically focused on mitigating threats using adversary criteria derived from MITRE ATT&CK. We test our approach by identifying vulnerabilities in software associated with six universities and four government facilities. Ranking policy performance is measured using the Normalized Discounted Cumulative Gain (nDCG). Our results show an average 71.5% - 91.3% improvement towards the identification of vulnerabilities likely to be targeted and exploited by cyber threat actors. The return on investment (ROI) of patching using our policies results in a savings of 23.3% - 25.5% in annualized costs. Our results demonstrate the efficacy of creating knowledge graphs to link large data sets to facilitate semantic queries and create data-driven, flexible ranking policies.

Cryptography and Security

Teemu Rytilahti,Thorsten Holz

2024-10-11

Abstract:Virtual Private Network (VPN) solutions are used to connect private networks securely over the Internet. Besides their benefits in corporate environments, VPNs are also marketed to privacy-minded users to preserve their privacy, and to bypass geolocation-based content blocking and censorship. This has created a market for turnkey VPN services offering a multitude of vantage points all over the world for a monthly price. While VPN providers are heavily using privacy and security benefits in their marketing, such claims are generally hard to measure and substantiate. While there exist some studies on the VPN ecosystem, all prior works omit a critical part in their analyses: (i) How well do the providers configure and secure their own network infrastructure? and (ii) How well are they protecting their customers from other customers? To answer these questions, we have developed an automated measurement system with which we conduct a large-scale analysis of VPN providers and their thousands of VPN endpoints. Considering the fact that VPNs work internally using non-Internet-routable IP addresses, they might enable access to otherwise inaccessible networks. If not properly secured, this can inadvertently expose internal networks of these providers, or worse, even other clients connected to their services. Our results indicate a widespread lack of traffic filtering towards internally routable networks on the majority of tested VPN service providers, even in cases where no other VPN customers were directly exposed. We have disclosed our findings to the affected providers and other stakeholders, and offered guidance to improve the situation.

Cryptography and Security,Networking and Internet Architecture

Mohammed Alkinoon,Abdulrahman Alabduljabbar,Hattan Althebeiti,Rhongho Jang,DaeHun Nyang,David Mohaisen

DOI: https://doi.org/10.48550/arXiv.2304.13278

2023-04-26

Cryptography and Security

Abstract:Using a total of 4,774 hospitals categorized as government, non-profit, and proprietary hospitals, this study provides the first measurement-based analysis of hospitals' websites and connects the findings with data breaches through a correlation analysis. We study the security attributes of three categories, collectively and in contrast, against domain name, content, and SSL certificate-level features. We find that each type of hospital has a distinctive characteristic of its utilization of domain name registrars, top-level domain distribution, and domain creation distribution, as well as content type and HTTP request features. Security-wise, and consistent with the general population of websites, only 1\% of government hospitals utilized DNSSEC, in contrast to 6\% of the proprietary hospitals. Alarmingly, we found that 25\% of the hospitals used plain HTTP, in contrast to 20\% in the general web population. Alarmingly too, we found that 8\%-84\% of the hospitals, depending on their type, had some malicious contents, which are mostly attributed to the lack of maintenance. We conclude with a correlation analysis against 414 confirmed and manually vetted hospitals' data breaches. Among other interesting findings, our study highlights that the security attributes highlighted in our analysis of hospital websites are forming a very strong indicator of their likelihood of being breached. Our analyses are the first step towards understanding patient online privacy, highlighting the lack of basic security in many hospitals' websites and opening various potential research directions.

Rafał Leszczyna

DOI: https://doi.org/10.1109/mitp.2024.3392415

2024-09-27

IT Professional

Abstract:A recent survey of cybersecurity assessment methods proposed in academic and research environments revealed that their adoption in operational settings was extremely scarce. At the same time, the frameworks developed by industrial communities have been met with broad reception. The question arises of what contributed to the success of the methods. To answer it, three-part research that employed evaluation criteria, qualitative metrics, and continuity of support assessment was conducted. Among other findings, it shows that the continuity of support plays an important role in the adoption of a method. This, in turn, is connected to a sound funding model and a well-developed and active community of supporters.

computer science, information systems,telecommunications, software engineering

Abdelhadi Zineddine,Oumaima Chakir,Yassine Sadqi,Yassine Maleh,Gurjot Singh Gaba,Andrei Gurtov,Kapal Dev

DOI: https://doi.org/10.1016/j.compeleceng.2024.109137

2024-04-01

Abstract:Cybersecurity assessments are critical for ensuring that security measures in organizational infrastructures, systems, and applications meet necessary requirements. Given the significant HTTPS vulnerabilities exposed in recent years, assessing HTTPS deployments is increasingly important. However, there has been no systematic literature review (SLR) comparing different cybersecurity assessment methods specifically for HTTPS deployment security issues. This study aims to address this gap by identifying, analyzing, and comparing various HTTPS deployment assessment methods documented in scientific literature. Our approach involved a structured research methodology with specific inclusion and exclusion criteria for selecting relevant methods. The review utilizes 16 comparison metrics, divided into two categories: critical security metrics, focusing on assessment metrics adopted and the number of vulnerabilities evaluated by each method, and additional metrics assessing the methods’ applicability and effectiveness in real-world scenarios. The findings indicate varied adoption rates of these metrics among the reviewed cybersecurity assessment methods, highlighting the absence of a standardized approach using common, well-defined security metrics for HTTPS deployment assessment. In contrast, merging all the comparison metrics outlined in this review would enable a more in-depth assessment of HTTPS deployment security issues, enhance the quality of reported results, and lead to the development of a more practical assessment method.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Avital Baral,Taylor Reynolds,Lawrence Susskind,Daniel J. Weitzner,Angelina Wu

2024-02-05

Abstract:Municipalities are vulnerable to cyberattacks with devastating consequences, but they lack key information to evaluate their own risk and compare their security posture to peers. Using data from 83 municipalities collected via a cryptographically secure computation platform about their security posture, incidents, security control failures, and losses, we build data-driven cyber risk models and cyber security benchmarks for municipalities. We produce benchmarks of the security posture in a sector, the frequency of cyber incidents, forecasted annual losses for organizations based on their defensive posture, and a weighting of cyber controls based on their individual failure rates and associated losses. Combined, these four items can help guide cyber policymaking by quantifying the cyber risk in a sector, identifying gaps that need to be addressed, prioritizing policy interventions, and tracking progress of those interventions over time. In the case of the municipalities, these newly derived risk measures highlight the need for continuous measured improvement of cybersecurity readiness, show clear areas of weakness and strength, and provide governments with some early targets for policy focus such as security education, incident response, and focusing efforts first on municipalities at the lowest security levels that have the highest risk reduction per security dollar invested.

Cryptography and Security,General Economics

Konstantinos Chatzikokolakis,Giovanni Cherubin,Catuscia Palamidessi,Carmela Troncoso

DOI: https://doi.org/10.1109/CSF57540.2023.00011

2024-02-20

Abstract:Security system designers favor worst-case security metrics, such as those derived from differential privacy (DP), due to the strong guarantees they provide. On the downside, these guarantees result in a high penalty on the system's performance. In this paper, we study Bayes security, a security metric inspired by the cryptographic advantage. Similarly to DP, Bayes security i) is independent of an adversary's prior knowledge, ii) it captures the worst-case scenario for the two most vulnerable secrets (e.g., data records); and iii) it is easy to compose, facilitating security analyses. Additionally, Bayes security iv) can be consistently estimated in a black-box manner, contrary to DP, which is useful when a formal analysis is not feasible; and v) provides a better utility-security trade-off in high-security regimes because it quantifies the risk for a specific threat model as opposed to threat-agnostic metrics such as DP. We formulate a theory around Bayes security, and we provide a thorough comparison with respect to well-known metrics, identifying the scenarios where Bayes Security is advantageous for designers.

Cryptography and Security

Ángel Longueira-Romero,Rosa Iglesias,David Gonzalez,Iñaki Garitano

DOI: https://doi.org/10.48550/arXiv.2112.05475

2021-12-10

Abstract:Embedded Systems (ES) development has been historically focused on functionality rather than security, and today it still applies in many sectors and applications. However, there is an increasing number of security threats over ES, and a successful attack could have economical, physical or even human consequences, since many of them are used to control critical applications. A standardized and general accepted security testing framework is needed to provide guidance, common reporting forms, and the possibility to compare the results along the time. This can be achieved by introducing security metrics into the evaluation or assessment process. If carefully designed and chosen, metrics could provide a quantitative, repeatable and reproducible value that would reflect the level of security protection of the ES. This paper analyzes the features that a good security metric should exhibit, introduces a taxonomy for classifying them, and finally, it carries out a literature survey on security metrics for the security evaluation of ES. In this review, more than 500 metrics were collected and analyzed. Then, they were reduced to 169 metrics that have the potential to be applied to ES security evaluation. As expected, the 77.5 % of them is related exclusively to software, and only the 0.6 % of them addresses exclusively hardware security. This work aims to lay the foundations for constructing a security evaluation methodology that uses metrics to quantify the security level of an ES.

Cryptography and Security

Alex Ramos,Marcella Lazar,Raimir Holanda Filho,Joel J. P. C. Rodrigues

DOI: https://doi.org/10.1109/comst.2017.2745505

2017-01-01

Abstract:Network security metrics (NSMs) based on models allow to quantitatively evaluate the overall resilience of networked systems against attacks. For that reason, such metrics are of great importance to the security-related decision-making process of organizations. Considering that over the past two decades several model-based quantitative NSMs have been proposed, this paper presents a deep survey of the state-of-the-art of these proposals. First, to distinguish the security metrics described in this survey from other types of security metrics, an overview of security metrics, in general, and their classifications is presented. Then, a detailed review of the main existing model-based quantitative NSMs is provided, along with their advantages and disadvantages. Finally, this survey is concluded with an in-depth discussion on relevant characteristics of the surveyed proposals and open research issues of the topic.

computer science, information systems,telecommunications