This is a presentation I gave at a workshop that was co-located with ESSoS 2010. The presentation is about using Metrics Validation Criteria to choose a valid predictive metric for security vulnerabilities.

1. Metrics validation criteria: How do we know when a metric is worthwhile? Ben Smith Andy Meneely Laurie Williams

3. Metric Uses Metrics Quality Assessment Process Certification Process Improvement Task Planning Research Prediction

4. Motivation Software System Component m=.25 Component m=.95 Component m=. 05 Component m=.21 Component m=.15 Component m=.01 Prediction M < .2

9. Foundation in the Literature

10. Systematic literature review Phase Size of Source List Literature Index 2,228 Title 536 Cross-confirmed Title 156 Abstract 44 Full-text 17 Follow-up 20

16. Metrics Validation Criteria A priori validity Actionability Appropriate Continuity Appropriate Granularity Association Attribute validity Causal model validity Causal relationship validity Content validity Construct validity Constructiveness Definition validity Discriminative power Dimensional consistency Economic productivity Empirical validity External validity Factor independence Improvement validity Instrument validity Increasing growth validity Interaction sensitivity Internal consistency Internal validity Monotonicity Metric Reliability Non-collinearity Non-exploitability Non-uniformity Notation validity Permutation validity Predictability Prediction system validity Process or Product Relevance Protocol validity Rank Consistency Renaming insensitivity Repeatability Representation condition Scale validity Stability Theoretical validity Trackability Transformation invariance Underlying theory validity Unit validity Usability

17. Reduced Metrics Validation Criteria

22. Questions?