Abstract

Security incidents occur at an alarming rate with malicious software (malware) involved in a large number of these incidents. Current malware evaluation and handling practices in organizations are unstandardized and intelligence regarding threat levels often comes from vendors and peers, who lack a unified threat metric system. This paper explores a method to quantify malware threats systematically and proposes a quantitative malware threat metric system. The proposed method makes communicating the level of threat more effective and efficient, particularly for information sharing organizations.