Quantifiable Measure for Cyber Security Maturity Model

Abstract

This paper presents an Objective Cyber Security Maturity Measure for Enterprise Networks as are envisioned for future networked telemetry applications. Mainstream strategies such as DOE’s Cyber Capabilities Maturity Model (C2M2) and NIST’s Cyber Security Framework (CSF) are valiant efforts to capture the state of security but fail to deliver measures that are quantitative and objective. This paper is yet another effort to create a useable Maturity Measure that is tied to the design and operation of the enterprise. It provides a measure tied to controls that are fundamental to the security and measure of risk. This effort follows from the NIST 800-53 Controls which are common to both the C2M2 and the CSF approaches. This approach uses Estimation Theory measures which capture the maturity state of the system as designed, with the risk state of the system in operation, to provide an adaptive optimized measure. This is useful both for assessing the security design and for monitoring performance in operation.