Security Metrics - Attack Surface Metrics


Operational security metrics are the metrics we are most familiar with in our lives. When we measure the height, width, or length of an object we are using an operational metric. When we write the date, use a birthday, or ask the score of a game we are using operational metrics. An operational metric is a constant measurement that informs us of a factual count in relation to the physical world we live in. They are operational because they are numbers we can work with specifically and consistently from day to day and person to person. It is difficult to work with relative or inconsistent measurements like choosing a specific hue of yellow to paint a room, meeting someone in the "morning", having a "delicious" milkshake, or preparing for the next threat to affect your organization’s profits because these factors have many variables which are biased or frequently changing between people, regions, customs, and locations. For this reason, many professions attempt to standardize such things like flavors, colors, and work hours. This is done through reductionism, a process of finding the elements of such things and building them up from there by quantifying those elements. This way, colors become frequencies, work hours become hours and minutes on a standardized clock set and systematically adjusted to Earth rotations, flavors become chemical compounds, and an attack surface becomes porosity, controls, and limitations. The unit of operational measurement for an attack surface we call "ravs".

The rav is a scale measurement of the attack surface. This is how much of your operations is exposed for attack. In this scale, 100% rav is perfect balance between interactions and controls. Anything less than 100% is too few controls and therefore a greater attack surface. More than 100% shows there are more controls than are necessary which itself may be a problem as controls often add more interactions as well as new problems such as complexity and maintenance issues.

The rav does not measure risk for an attack surface, but it does improve the measurement of it. It cannot say if a particular target will be attacked however it can say that if an attack were to occur, what type it would be, where it would occur, how deep the the attack can go, what damage could be done, and which controls precisely would defend against these attacks. With that information it is then possible to assess the trusts and risks much more accurately.

The Attack Surface metrics are developed as part of the OSSTMM and are licensed the same, Creative Commons 3.0 Attribution-NoDerivs. You may create them for commercial use and you may distribute them.

Why use the ravs?

If you are interested in helping with this project please contact us.



rav Spreadsheet (.xls or .ods)

A calculation sheet to simplify making ravs and for completing the STAR.

The STAR is the Security Test Audit Report. Its purpose is to serve as an executive summary with the precise calculation of the Attack Surface. The STAR is required when OSSTMM certifying the security of an organization.