>But seriously, how do you measure one's security?
In ounces, unless it's a European university, in which case you use
liters. Older systems of measuring security involving mass (pounds and
kilos) have been deprecated, and you should not be using them anymore in
You need to count the number of employees/users, information assets,
applications, systems, IP addresses on your network, and network
ports on your switch, processes running on all your machines, files
stored on your servers; and place them in the disjoint
Then decide a 'weight' for each object, 'impact'; for example, the
cost of formatting and reinstalling a server, buying new hardware if
a device has been bricked; or the cost of re-creating work from
scratch, or settling the lawsuit if your environment's security
failure allows this particular file's content to be disclosed, lost,
corrupted, or made temporarily unavailable due to a DoS.
The weight should be the greatest possible cost of breach, or
misbehavior of that object, be that an application, OS, user,
switchport, or MAC address, but Users, Applications, Servers,
Workstations, Network Devices, and "Documents directories" are some
useful categories to use.
Then assign a probability of each object, based on the expectation of
a breach, given the series of expected attacks over a period of time.
Then for each category, take a ratio of the sums of all objects for
Sum of ( ( 1 minus Probability that an attack succeeds ) X ( Weight ) ) Divided by ( Sum of the Weights )
Example, I have 5 Windows XP servers on my network, which
cost me $100 to recover and replace from attack, for the period of
time of 1 year, no firewall, RDP open to the world; so there is a
90% chance estimated that an attacker will eventually find the
vulnerability on average over the series of attacks I expect to find
in one year, except on one system I patched, so there is a 40%
(0.6 * $100 + 0.1 * $100 + 0.1 * $100 + .... ) divided by $500
Then when faced with the complete series of attacks, I expect to lose
$400 out of $500; so my OS category is 10% secure for the year,
in that case.
Your percentage security is the _lowest_, _least desirable_, or
_worst_ metric over all the distinct categories you cared about.
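The per-category ratio and the "worst category wins" rule described in the post, as an added Python example (not code from the original post); the five XP servers follow the post's numbers, while the Users category is constructed sample data for contrast.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    weight: float    # worst-case cost if this object is breached or misbehaves
    p_breach: float  # estimated probability an attack succeeds within the period

    def __post_init__(self):
        if not 0.0 <= self.p_breach <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if self.weight < 0:
            raise ValueError(f"{self.name}: weight must be non-negative")


def category_security(assets):
    """Sum((1 - p) * w) / Sum(w): fraction of the category's value expected
    to survive the period's attacks."""
    total_weight = sum(a.weight for a in assets)
    if total_weight == 0:
        raise ValueError("category has no weighted assets")
    return sum((1.0 - a.p_breach) * a.weight for a in assets) / total_weight


def expected_loss(assets):
    """Sum(p * w): the dollar value expected to be lost over the period."""
    return sum(a.p_breach * a.weight for a in assets)


def overall_security(categories):
    """Score each category; the overall metric is the worst category's score.
    Returns (scores_by_category, name_of_worst_category)."""
    scores = {name: category_security(assets) for name, assets in categories.items()}
    worst = min(scores, key=scores.get)
    return scores, worst


# Constructed sample data following the post: five XP servers at $100 each,
# four with RDP exposed (p = 0.9) and one patched (p = 0.4), plus a made-up
# Users category so the worst-category rule has something to compare.
XP_SERVERS = [Asset("xp-1 (patched)", 100.0, 0.4)] + [
    Asset(f"xp-{i} (RDP exposed)", 100.0, 0.9) for i in range(2, 6)
]
USERS = [Asset("alice", 500.0, 0.05), Asset("bob", 500.0, 0.10)]
CATEGORIES = {"OS": XP_SERVERS, "Users": USERS}

if __name__ == "__main__":
    scores, worst = overall_security(CATEGORIES)
    for name, score in scores.items():
        print(f"{name}: {score:.0%} secure, expected loss ${expected_loss(CATEGORIES[name]):.0f}")
    print(f"overall security = {scores[worst]:.0%} (worst category: {worst})")
```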