*3.2. Security Metrics*

The EDG model that was proposed in the previous sections is by itself capable of representing the internal structure of the SUT, and it can display it graphically for the user. This representation not only includes the internal assets of the SUT, but also captures their relationships, existing vulnerabilities, and weaknesses. Moreover, assets, vulnerabilities, and weaknesses are easily identified using their corresponding CPE, CVE, and CWE values, respectively. Altogether, this constitutes a plethora of information that the model can use to improve the development and maintenance steps of the SUT, enhance its security, and track its status during its whole life cycle. Metrics are a great tool to integrate these features into the model.

Metrics can serve as a tool to manage security, make decisions, and compare results over time. They can also be used to systematically improve the security level of an industrial component or to predict its security level at a future point in time.

In this section, the basic definitions that serve as the foundation of the metrics are described. Then, the proposed metrics are introduced to complement the functionality of the EDG model. The main feature of these metrics is that they all depend on time as a variable, so it is possible to capture the actual state of the SUT, track its evolution over time, and compare the results.

3.2.1. Basic Definitions

In this section, the basic concepts on which the definitions of the metrics will be based are formalized.

**Definition 2.** *The set of all possible weaknesses at a time t is represented as $CWE(t)$, where*

$$CWE(t) = \{cwe\_1, \dots, cwe\_m\} \tag{1}$$

*and m is the total number of weaknesses at time t. This set contains the whole CWE database defined by MITRE [38].*

**Definition 3.** *The set of all of the possible vulnerabilities at a time t is represented as $CVE(t)$, where*

$$CVE(t) = \{cve\_1, \dots, cve\_p\} \tag{2}$$

*and p is the total number of vulnerabilities. This set contains the whole CVE database defined by MITRE [34].*

**Definition 4.** *The set of all possible attack patterns at a time t is represented as $CAPEC(t)$, where*

$$CAPEC(t) = \{capec\_1, \dots, capec\_q\} \tag{3}$$

*and q is the total number of attack patterns at time t. This set contains the whole CAPEC database defined by MITRE [82].*

**Definition 5.** *The set of weaknesses of an asset $a\_i$ at a time t is defined as*

$$CWE\_{a\_i}(t) = \{cwe\_j \mid cwe\_j \text{ is in the asset } a\_i \text{ at time } t \land cwe\_j \in CWE(t) \land \forall k \neq j,\ cwe\_j \neq cwe\_k\} \tag{4}$$

*From this expression, the set of all the weaknesses of a particular asset throughout its life cycle is defined as*

$$CWE\_{a\_i} = \bigcup\_{t=1}^{T} CWE\_{a\_i}(t) \tag{5}$$

*where $|CWE\_{a\_i}|$ is the total number of non-repeated weaknesses in its entire life cycle.*

**Definition 6.** *The set of vulnerabilities of an asset $a\_i$ at a time t is defined as*

$$CVE\_{a\_i}(t) = \{cve\_j \mid cve\_j \text{ is in the asset } a\_i \text{ at time } t \land cve\_j \in CVE(t)\} \tag{6}$$

*From this expression, the set of vulnerabilities of an asset throughout its entire life cycle is defined as*

$$CVE\_{a\_i} = \bigcup\_{t=1}^{T} CVE\_{a\_i}(t) \tag{7}$$

*where $|CVE\_{a\_i}|$ is the total number of vulnerabilities in its entire life cycle.*

**Definition 7.** *The set of weaknesses of a SUT A with n assets at a time t is defined as:*

$$CWE\_A(t) = \bigcup\_{i=1}^{n} CWE\_{a\_i}(t) \tag{8}$$

**Definition 8.** *The set of vulnerabilities of a SUT A with n assets at a time t is defined as:*

$$CVE\_A(t) = \bigcup\_{i=1}^{n} CVE\_{a\_i}(t) \tag{9}$$

**Definition 9.** *The set of vulnerabilities associated with the weakness $cwe\_j$ and with the asset $a\_i$ at a time t is defined as:*

$$CVE\_{a\_i|cwe\_j}(t) = \{cve\_k \mid cve\_k \text{ associated with weakness } cwe\_j \text{ and with asset } a\_i \text{ at time } t\} \tag{10}$$

It is worth noting that CWE is used as a classification mechanism that differentiates CVEs by the type of vulnerability that they represent. A vulnerability will usually have only one associated weakness, and weaknesses can have one or more associated vulnerabilities [85].

**Definition 10.** *The partition j of an asset $a\_i$ at time t conditioned by a weakness $cwe\_k$ is defined as*

$$CVE\_{a\_i|cwe\_k}(t) = \{cve\_l \mid cwe\_l = cwe\_k \land cve\_l \in CVE\_{a\_i}(t)\} \tag{11}$$

**Definition 11.** *The partition j of the SUT A at time t conditioned by a weakness $cwe\_k$ is defined as*

$$CVE\_{A|cwe\_k}(t) = \{cve\_l \mid cwe\_l = cwe\_k \land cve\_l \in CVE\_A(t)\} \tag{12}$$

**Definition 12.** *The set of attack patterns associated with a weakness $w\_i$ at a time t is defined as*

$$CAPEC\_{w\_i}(t) = \{capec\_j \mid capec\_j \text{ can exploit weakness } w\_i \text{ at time } t \land capec\_j \in CAPEC(t)\} \tag{13}$$
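As an added illustration that is not part of the paper, the following Python computes the sets of Definitions 5 to 12 over a constructed two-snapshot inventory and checks that the blocks of Equation (12) really partition $CVE\_A(t)$. Asset names, the CVE identifiers, the CAPEC identifiers and the CWE-to-CAPEC mapping are placeholders, not real records.

```python
# Added example, not from the paper: the EDG set definitions (4)-(13) computed
# over a constructed inventory. Asset names and CVE/CAPEC ids are placeholders.
# SNAPSHOTS[t][asset] = {cve_id: cwe_id}; each CVE carries its single weakness type
SNAPSHOTS = {
    1: {"a1": {"CVE-X-0001": "CWE-79", "CVE-X-0002": "CWE-89"},
        "a2": {"CVE-X-0003": "CWE-79"}},
    2: {"a1": {"CVE-X-0002": "CWE-89", "CVE-X-0004": "CWE-787"},  # 0001 fixed, 0004 new
        "a2": {"CVE-X-0003": "CWE-79", "CVE-X-0005": "CWE-20"}},
}
# Constructed CWE -> CAPEC mapping standing in for CAPEC(t) of Definition 4
CAPEC_OF_WEAKNESS = {"CWE-79": frozenset({"CAPEC-X-63"}), "CWE-89": frozenset({"CAPEC-X-66"})}

def cve_asset(t, a):
    """CVE_{a_i}(t), Eq. (6): vulnerabilities present in asset a at time t."""
    return frozenset(SNAPSHOTS[t].get(a, {}))

def cwe_asset(t, a):
    """CWE_{a_i}(t), Eq. (4): distinct weakness types present in asset a at time t."""
    return frozenset(SNAPSHOTS[t].get(a, {}).values())

def cwe_asset_lifecycle(a):
    """CWE_{a_i}, Eq. (5): union over every observed t (Eq. (7) is the same over CVEs)."""
    return frozenset().union(*(cwe_asset(t, a) for t in SNAPSHOTS))

def cwe_sut(t):
    """CWE_A(t), Eq. (8): union of the assets' weakness sets at time t."""
    return frozenset().union(*(cwe_asset(t, a) for a in SNAPSHOTS[t]))

def cve_sut(t):
    """CVE_A(t), Eq. (9): union of the assets' vulnerability sets at time t."""
    return frozenset().union(*(cve_asset(t, a) for a in SNAPSHOTS[t]))

def cve_partition_asset(t, a, cwe):
    """CVE_{a_i|cwe_k}(t), Eqs. (10)/(11): asset vulnerabilities whose weakness is cwe."""
    return frozenset(c for c, w in SNAPSHOTS[t].get(a, {}).items() if w == cwe)

def cve_partition_sut(t, cwe):
    """CVE_{A|cwe_k}(t), Eq. (12): the SUT-wide block for weakness cwe."""
    return frozenset().union(*(cve_partition_asset(t, a, cwe) for a in SNAPSHOTS[t]))

def capec_for_weakness(w):
    """CAPEC_{w_i}(t), Eq. (13); the constructed mapping is held constant over t."""
    return CAPEC_OF_WEAKNESS.get(w, frozenset())

def partition_is_exhaustive(t):
    # Sanity check: the Eq. (12) blocks over CWE_A(t) are disjoint and cover CVE_A(t)
    blocks = [cve_partition_sut(t, w) for w in cwe_sut(t)]
    return frozenset().union(*blocks) == cve_sut(t) and sum(map(len, blocks)) == len(cve_sut(t))
```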

**Definition 13.** *The set of metrics that are defined in this research work based on the EDG model is defined as*

$$M = \{m\_1, \ldots, m\_r\} \tag{14}$$

*where r is the total number of metrics. This set can be extended, defining more metrics according to the nature of the SUT.*
