{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,6]],"date-time":"2025-11-06T15:56:50Z","timestamp":1762444610351,"version":"build-2065373602"},"reference-count":65,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2016,6,17]],"date-time":"2016-06-17T00:00:00Z","timestamp":1466121600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>This paper addresses the challenge of measuring security, understood as a system property, of cyberphysical systems, in the category of similar properties, such as safety and reliability. First, it attempts to define precisely what security, as a system property, really is. Then, an application context is presented, in terms of an attack surface in cyberphysical systems. Contemporary approaches related to the principles of measuring software properties are also discussed, with emphasis on building models. These concepts are illustrated in several case studies, based on previous work of the authors, to conduct experimental security measurements.<\/jats:p>","DOI":"10.3390\/info7020033","type":"journal-article","created":{"date-parts":[[2016,6,17]],"date-time":"2016-06-17T10:09:24Z","timestamp":1466158164000},"page":"33","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["A Framework for Measuring Security as a System Property in Cyberphysical Systems"],"prefix":"10.3390","volume":"7","author":[{"given":"Janusz","family":"Zalewski","sequence":"first","affiliation":[{"name":"Department of Software Engineering, Florida Gulf Coast University, Ft. Myers, FL 33965, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ingrid","family":"Buckley","sequence":"additional","affiliation":[{"name":"Department of Software Engineering, Florida Gulf Coast University, Ft. Myers, FL 33965, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bogdan","family":"Czejdo","sequence":"additional","affiliation":[{"name":"Department of Math &amp; Computer Science, Fayetteville State University, Fayetteville, NC 28301, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Steven","family":"Drager","sequence":"additional","affiliation":[{"name":"Air Force Research Laboratory, Rome, NY 13441, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Andrew","family":"Kornecki","sequence":"additional","affiliation":[{"name":"Department of Electrical, Computer, Software, and Systems Engineering, Embry-Riddle Aeronautical University, Daytona Beach, FL 32114, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3963-9149","authenticated-orcid":false,"given":"Nary","family":"Subramanian","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Texas at Tyler, Tyler, TX 75799, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2016,6,17]]},"reference":[{"key":"ref_1","unstructured":"Herrmann, D.S. (2011). Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience and ROI, Auerbach Publications."},{"key":"ref_2","unstructured":"Brotby, W.K., and Hinson, G. (2013). Pragmatic Security Metrics: Applying Metametrics to Information Security, CRC Press."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Gollmann, D., Massacci, F., and Yautsiukhin, A. (2006). Quality of Protection: Security Measurements and Metrics, Springer.","DOI":"10.1007\/978-0-387-36584-8"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1002\/sys.21211","article-title":"Measuring Systems Security","volume":"16","author":"Bayuk","year":"2013","journal-title":"Syst. Eng."},{"key":"ref_5","unstructured":"(2008). Performance Measurement Guide for Information Security, National Institute of Standards and Technology."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Jansen, W. (2009). Directions in Security Metrics Research, National Institute of Standards and Technology.","DOI":"10.6028\/NIST.IR.7564"},{"key":"ref_7","unstructured":"Barabanov, R., Kowalski, S., and Yngstr\u00f6m, L. (2011). Information Security Metrics: State of the Art, Swedish Civil Contingencies Agency."},{"key":"ref_8","unstructured":"A Community Website for Security Practitioners. Available online: http:\/\/www.securitymetrics.org."},{"key":"ref_9","unstructured":"Hinson, G. Seven Myths about Security Metric. Available online: http:\/\/www.noticebored.com\/html\/metrics.html."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Laird, L.M., and Brennan, M.C. (2006). Software Measurement and Estimation: A Practical Approach, John Wiley & Sons.","DOI":"10.1002\/0471792535"},{"key":"ref_11","unstructured":"(1985). Department of Defense Trusted Computer Systems Evaluation Criteria, Department of Defense. DoD 5200.28-STD."},{"key":"ref_12","unstructured":"Available online: http:\/\/www.commoncriteriaportal.org\/cc\/."},{"key":"ref_13","unstructured":"ISO\/IEC (2009). ISO\/IEC 15408 Information Technology\u2014Security Techniques\u2014Evaluation Criteria for IT Security\u2014Part 1: Introduction and General Models, ISO\/IEC."},{"key":"ref_14","unstructured":"Bartol, N., Bates, B., Goertzel, K.M., and Winograd, T. (2009). Measuring Cyber Security and Information Assurance, Information Assurance Technology Analysis Center (IATAC)."},{"key":"ref_15","unstructured":"(2009). Software Security Assessment Tools Review, Booz Allen Hamilton."},{"key":"ref_16","first-page":"43","article-title":"How Can Security Be Measured?","volume":"2","author":"Chapin","year":"2005","journal-title":"Inf. Syst. Control J."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Verendel, V. (2009, January 8\u201311). Quantified Security Is a Weak Hypothesis. Proceedings of the NSPW\u201909, New Security Paradigms Workshop, Oxford, UK.","DOI":"10.1145\/1719030.1719036"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"211","DOI":"10.3233\/JCS-1993-22-308","article-title":"Towards Operational Measures of Computer Security","volume":"2","author":"Littlewood","year":"1993","journal-title":"J. Comput. Secur."},{"key":"ref_19","unstructured":"International Electrotechnical Commission (IEC) Electropedia: The World\u2019s Online Electrotechnical Vocabulary, IEC. Available online: http:\/\/www.electropedia.org\/."},{"key":"ref_20","unstructured":"ISO\/IEC\/IEEE (2011). 2476-2010 Systems and Software Engineering\u2014Vocabulary, ISO\/IEC."},{"key":"ref_21","unstructured":"Available online: http:\/\/computer.org\/sevocab."},{"key":"ref_22","unstructured":"National Information Assurance (IA) Glossary, Available online: https:\/\/www.ncsc.gov\/nittf\/docs\/CNSSI-4009_National_Information_Assurance.pdf."},{"key":"ref_23","unstructured":"(2004). Standards for Security Categorization of Federal Information and Information Systems, National Institute of Standards and Technology."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"133","DOI":"10.1016\/S1367-5788(01)80001-8","article-title":"Real-Time Software Architectures and Design Patterns: Fundamental Concepts and Their Consequences","volume":"25","author":"Zalewski","year":"2001","journal-title":"Ann. Rev. Control"},{"key":"ref_25","unstructured":"Mayr, O. (1969). Zur Fr\u00fchgeschichte der technischen Regelungen, Oldenburg Verlag. (English translation: The Origin of Feedback Control; MIT Press: Cambridge, MA, USA, 1970)."},{"key":"ref_26","unstructured":"ISO\/IEC (2011). 27005-2011 Information Technology\u2014Security Techniques\u2014Information Security Risk Management, International Organization for Standardization."},{"key":"ref_27","unstructured":"National Physical Laboratory History of Length Measurement, Teddington. Available online: http:\/\/www.npl.co.uk\/educate-explore\/posters\/history-of-length-measurement\/."},{"key":"ref_28","unstructured":"Von Helmholtz, H. (1887). Philosophische Aufs\u00e4tze: Eduard Zeller zu seinem f\u00fcnfzigj\u00e4hrigen Doctorjubil\u00e4um gewidmet, Fues Verlag. (English translation: Counting and Measuring; Van Nostrand: New York, NY, USA, 1980)."},{"key":"ref_29","unstructured":"Definitions of the SI Base Units, Available online: http:\/\/physics.nist.gov\/cuu\/Units\/current.html."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"S1","DOI":"10.1088\/0026-1394\/48\/2\/S01","article-title":"Counting the Atoms in a 28Si Crystal for a New Kilogram Definition","volume":"48","author":"Andreas","year":"2011","journal-title":"Metrologia"},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"16","DOI":"10.1109\/MSP.2011.50","article-title":"The Science of Security","volume":"9","author":"Evans","year":"2011","journal-title":"IEEE Secur. Priv."},{"key":"ref_32","first-page":"12","article-title":"Complex Fluid Mixing Flows: Simulation vs. Theory vs. Experiment","volume":"39","author":"Glimm","year":"2006","journal-title":"SIAM News"},{"key":"ref_33","first-page":"101","article-title":"On the Interaction Between Theory, Experiments, and Simulation in Developing Practical Learning Control Algorithms","volume":"13","author":"Longman","year":"2003","journal-title":"Intern. J. Appl. Math. Comput. Sci."},{"key":"ref_34","first-page":"135","article-title":"Reasoning under Uncertainty with Bayesian Belief Networks Enhanced with Rough Sets","volume":"12","author":"Zalewski","year":"2013","journal-title":"Int. J. Comput."},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"176","DOI":"10.1007\/s11334-005-0013-1","article-title":"Experimental Evaluation of Software Development Tools for Safety-Critical Real-Time Systems","volume":"1","author":"Kornecki","year":"2005","journal-title":"Innov. Syst. Softw. Eng. A NASA J."},{"key":"ref_36","first-page":"21","article-title":"Threat Modeling for Aviation Computer Security","volume":"28","author":"Baquero","year":"2015","journal-title":"CrossTalk J. Def. Softw. Eng."},{"key":"ref_37","unstructured":"(2012). International Vocabulary of Metrology\u2014Basic and General Concepts and Associated Terms (VIM), BIPM Joint Committee for Guides in Metrology. [3rd ed.]. Report JCGM 200:2012."},{"key":"ref_38","unstructured":"Mell, P., Scarfone, K., and Romanosky, S. (2007). CVSS\u2014A Complete Guide to the Common Vulnerability Scoring System, National Institute of Standards and Technology. Available online: http:\/\/www.first.org\/cvss\/cvss-guide."},{"key":"ref_39","unstructured":"National Vulnerability Database, Available online: http:\/\/nvd.nist.gov\/."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Wang, J.A., Wang, H., Guo, M., and Xia, M. (2009, January 19\u201321). Security Metrics for Software Systems. Proceedings of the ACM-SE \u201909, 47th Annual Southeast Regional Conference, Clemson, SC, USA. Article No. 47.","DOI":"10.1145\/1566445.1566509"},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Kornecki, A.J., Zalewski, J., and Stevenson, W. (2011, January 20\u201321). Availability Assessment of Embedded Systems with Security Vulnerabilities. Proceedings of the SEW-34, 2011 IEEE Software Engineering Workshop, Limerick, Ireland.","DOI":"10.1109\/SEW.2011.12"},{"key":"ref_42","unstructured":"Cooperative Adaptive Cruise Control (CSE491\u2013602 Class Projects), 2006. Available online: http:\/\/www.cse.msu.edu\/~chengb\/RE-491\/Projects\/cacc_msu-ford.pdf."},{"key":"ref_43","unstructured":"Stevenson, W. (2010). Evaluating the Impact of Adding Security to Safety Critical Real-Time Systems, Graduate Research Project, Embry-Riddle Aeronautical University."},{"key":"ref_44","unstructured":"Relex\/Windchill Reliability Prediction Tool, PTC Product Development Company. Available online: http:\/\/www.ptc.com\/products\/relex\/reliability-prediction."},{"key":"ref_45","unstructured":"Swiderski, F., and Snyder, W. (2004). Threat Modeling, Microsoft Press."},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Zalewski, J., Drager, S., McKeever, W., and Kornecki, A. (2013, January 8\u201310). Threat Modeling for Security Assessment in Cyberphysical Systems. Proceedings of the CSIIRW 2013, 8th Annual Cyber Security and Information Intelligence Workshop, Oak Ridge, FL, USA. Article No. 10.","DOI":"10.1145\/2459976.2459987"},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"28","DOI":"10.1109\/MS.2008.25","article-title":"Threat Modeling: Diving into the Deep End","volume":"25","author":"Ingalsbe","year":"2008","journal-title":"IEEE Softw."},{"key":"ref_48","unstructured":"Aijaz, A., Bochow, B., D\u00f6tzer, F., Festag, A., Gerlach, M., Kroh, R., and Leinm\u00fcller, T. (2006, January 14\u201315). Attacks on Inter Vehicle Communication Systems\u2014An Analysis. Proceedings of the WIT2006, 3rd International Workshop on Intelligent Transportation, Hamburg, Germany."},{"key":"ref_49","unstructured":"Vestlund, C. (2010). Threat Analysis on Vehicle Computer Systems. [Master\u2019s Thesis, Link\u00f6ping University]."},{"key":"ref_50","unstructured":"Common Industrial Control System Vulnerability Disclosure Framework, 2012, Available online: http:\/\/www.us-cert.gov\/."},{"key":"ref_51","first-page":"2265","article-title":"Designing Safety-Critical Embedded Systems with Time-Triggered Architecture","volume":"19","author":"Czejdo","year":"2013","journal-title":"Technol. Railw. Transp. (TTN\u2014Technika Transportu Szynowego, Poland)"},{"key":"ref_52","doi-asserted-by":"crossref","first-page":"527","DOI":"10.4271\/2014-01-0341","article-title":"Design of Reactive Security Mechanisms in Time-Triggered Embedded Systems","volume":"7","author":"Trawczynski","year":"2014","journal-title":"SAE Intern. J. Passeng. Cars Electron. Electr. Syst."},{"key":"ref_53","doi-asserted-by":"crossref","first-page":"1115","DOI":"10.1109\/TC.2003.1228509","article-title":"Comparison of Physical and Software-Implemented Fault Injection Techniques","volume":"52","author":"Arlat","year":"2003","journal-title":"IEEE Trans. Comput."},{"key":"ref_54","unstructured":"Trawczynski, D. (2009). Dependability Evaluation and Enhancement in Real-Time Embedded Systems. [Ph.D. Thesis, Warsaw University of Technology]."},{"key":"ref_55","unstructured":"Rothbart, K., Neffe, U., Steger, C., and Weiss, R. (2004, January 15\u201317). High Level Fault Injection for Attack Simulation in Smart Cards. Proceedings of the ATS 2004, 13th IEEE Asian Test Symposium, Kenting, Taiwan."},{"key":"ref_56","unstructured":"Computer Science and Telecommunications Board (2001). Embedded Everywhere: A Research Agenda for Networked Systems of Embedded Computers, National Research Council."},{"key":"ref_57","unstructured":"TTTechComputertechnik AG Available online: http:\/\/www.tttech.com\/products\/ttp-product-line\/ttp-powernode."},{"key":"ref_58","unstructured":"MathWorks Available online: http:\/\/www.mathworks.com\/products\/simulink\/."},{"key":"ref_59","doi-asserted-by":"crossref","first-page":"397","DOI":"10.1109\/JSYST.2013.2294628","article-title":"Quantitative Assessment of Safety and Security of System Architectures for Cyberphysical Systems Using the NFR Approach","volume":"10","author":"Subramanian","year":"2016","journal-title":"IEEE Syst. J."},{"key":"ref_60","unstructured":"Buckley, I.A., Fernandez, E.B., Anisetti, M., Ardagna, C.A., Sadjadi, M., and Damiani, E. (2011, January 17\u201321). Towards Pattern-based Reliability Certification of Services. Proceedings of the DOA-SVI\u201911, 1st International Symposium on Secure Virtual Infrastructures, Hersonissos, Greece. Lecture Notes in Computer Science 7045, Part II."},{"key":"ref_61","unstructured":"Buckley, I.A., and Fernandez, E.B. (2011, January 25\u201330). Patterns Combing Reliability and Security. Proceedings of the Third International Conference on Pervasive Patterns and Applications, Rome, Italy."},{"key":"ref_62","unstructured":"Schmidt, D., Stal, M., Rohnert, H., and Buschmann, F. (2000). Patterns for Concurrent and Networked Objects, John Wiley & Sons."},{"key":"ref_63","unstructured":"Fernandez, E.B. (2013). Security Patterns in Practice: Designing Secure Architectures Using Software, John Wiley & Sons."},{"key":"ref_64","unstructured":"Buschmann, F., Meunier, R., Rohnert, H., Sommerlad, P., and Stal, M. (1996). Pattern-Oriented Software Architecture: A System of Patterns, John Wiley & Sons."},{"key":"ref_65","doi-asserted-by":"crossref","unstructured":"Buckley, I.A., and Fernandez, E.B. (2011, January 10\u201312). Enumerating software failures to build dependable distributed applications. Proceedings of the HASE 2011, 13th IEEE International Symposium on High Assurance Systems Engineering, Boca Raton, FL, USA.","DOI":"10.1109\/HASE.2011.35"}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/7\/2\/33\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T19:25:37Z","timestamp":1760210737000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/7\/2\/33"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,6,17]]},"references-count":65,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2016,6]]}},"alternative-id":["info7020033"],"URL":"https:\/\/doi.org\/10.3390\/info7020033","relation":{},"ISSN":["2078-2489"],"issn-type":[{"type":"electronic","value":"2078-2489"}],"subject":[],"published":{"date-parts":[[2016,6,17]]}}}