Glossary

Attack Surface Metric

A system’s attack surface is described as the sum of attack vectors through which an unauthorized user attempts to manipulate data inputs or extract data from the system. The intuition behind measuring a system’s attack surface is that the more extensive and exposed the system’s attack surface, the more opportunity a malicious adversary has to conduct an attack [IEEE2010]. Read more: Attack Surface Metric.

Eigenvector Centrality

In graph theory, centrality is associated with how important a node in a graph is, ranking it based on how ‘central’ it is. The more central the nodes, the more important they are likely to be in the system. Eigenvector centrality measures a node’s centrality by evaluating the centrality of its neighbours rather than just the number of edges incident with the node [JOURNAL1987]. Read more: Eigenvector Centrality Metric.
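As an added illustration (not code from the original glossary or from the tool it describes), the following computes eigenvector centrality by power iteration over a small constructed graph of system elements. The element names and edges are assumed sample data; the point is that a node's score is the sum of its neighbours' scores, so two elements with the same degree can still rank differently depending on whom they are connected to.

```python
"""Eigenvector centrality of a software-system graph via power iteration.

Added example for the glossary entry above. The graph is a constructed toy
model: nodes are system elements, edges are communication paths between them.
"""
from math import sqrt

# Constructed, undirected adjacency list (every edge is listed in both directions).
SAMPLE_GRAPH = {
    "web_client": ["web_server"],
    "web_server": ["web_client", "app_server", "cache"],
    "app_server": ["web_server", "database", "cache"],
    "database": ["app_server"],
    "cache": ["web_server", "app_server"],
}


def eigenvector_centrality(graph, max_iter=1000, tol=1e-9):
    """Return {node: centrality}, normalized to unit Euclidean length.

    Power iteration: repeatedly replace each node's score with the sum of its
    neighbours' scores and rescale. For a connected, non-bipartite undirected
    graph this converges to the principal eigenvector of the adjacency matrix,
    which is the eigenvector centrality of each node.
    """
    nodes = list(graph)
    scores = {n: 1.0 for n in nodes}
    for _ in range(max_iter):
        new = {n: sum(scores[m] for m in graph[n]) for n in nodes}
        norm = sqrt(sum(v * v for v in new.values()))
        if norm == 0:
            raise ValueError("graph has no edges")
        new = {n: v / norm for n, v in new.items()}
        diff = sum(abs(new[n] - scores[n]) for n in nodes)
        scores = new
        if diff < tol:
            break
    return scores


def rank_elements(graph):
    """Elements ordered from most to least central."""
    cent = eigenvector_centrality(graph)
    return sorted(cent, key=lambda n: cent[n], reverse=True)


if __name__ == "__main__":
    for name, score in sorted(eigenvector_centrality(SAMPLE_GRAPH).items(),
                              key=lambda kv: kv[1], reverse=True):
        print(f"{name:12s} {score:.4f}")
```

In the sample graph the web server and application server both have degree 3 and are interchangeable by symmetry, so they tie for the highest score; the cache (degree 2) scores higher than the web client and database (degree 1) because both of its neighbours are the top-ranked elements. For the same graph the principal eigenvalue satisfies λ² − λ − 3 = 0, so the cache-to-web-server ratio converges to 2/λ ≈ 0.8685.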

Security Metrics

Security metrics are commonly used to measure the security level of a system, i.e., the system’s ability to minimize possible attack opportunities. Security metrics help us measure one or more security characteristics of the system.

Security Posture

A system’s security posture is described as its security state at a specific point in time that reflects its ability to defend against knowable threats that affect it [QRS2021]. The concept of security posture recognizes the need for system designs to be evaluated based on a given view of the system (such as structural, behavioural, functional) since each view focuses on specific attributes of the system which we can use to quantitatively evaluate the system’s security for that view.

Structural Security Posture

Structural security posture is an extension of the security posture approach, consisting of a collection of system-level and element-level metrics, affected by specific parameters, that help us evaluate a system’s security posture based on its structural view. Read more: Structural Security Posture.

Software System (a.k.a. System)

We define a software system as a combination of interacting software elements (such as a web server or web client, each of which may encompass a variety of technologies) organized to achieve one or more objectives set out by the stakeholders. Read more: [CARLETON2021].