7 Metrics

Measurement is the process of mapping from the empirical world to the formal, relational world. The measure that results characterizes an attribute of some object under scrutiny. A measure is one thing, sometimes called a primitive, that you can report on as a fact. It is the result of holding something like a yardstick against some object. Cybersecurity is not the object of measurement, nor a well-understood attribute. This means that you are not directly measuring security; you are measuring other things and using them to draw conclusions about cybersecurity.

The history of cybersecurity includes a wide variety of examples of how people use numbers to measure security processes and attributes. However, not all measures use numbers. For example, in Figure 7.1 we have a human being measured by a wall rule, and the ruler’s measurement is somewhere around 5½ feet. This is a single attribute: height. It does not, of course, fully describe the whole human. If you want to describe a human, you have to give more attributes, such as shape, color, sound, and intellect. Not all of these measures can be made with numbers, yet they are tangible attributes that help identify the person. Cybersecurity measures are like that but even less tangible. It is more like a measure of weather. You can measure temperature, pressure, and wind direction, and it can help you decide whether it is probable that your raincoat is protective enough and whether your house is high enough over the ...

Get Stepping Through Cybersecurity Risk Management now with the O’Reilly learning platform.
