We propose a metric for determining whether one version of a system is
more secure than another with respect to a fixed set of dimensions.
Rather than count bugs at the code level or count vulnerability reports
at the system level, we count a system’s attack opportunities. We use
this count as an indication of the system’s “attackability”, the
likelihood that it will be successfully attacked. We describe a system’s attack
surface along three abstract dimensions: targets and enablers, channels
and protocols, and access rights.
Intuitively, the more exposed the system’s surface, the more attack
opportunities, and hence the more likely it will be a target of attack.
Thus, one way to improve system security is to reduce its attack
surface. To validate our ideas, we recast Microsoft Security Bulletin
MS02-005 using our terminology, and we show how Howard’s Relative
Attack Surface Quotient for Windows is an instance of our general
metric.
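As an added illustration (not code from the paper or from Howard's RASQ), the following Python sketch records a version's attack opportunities along the three dimensions named above, compares two versions dimension by dimension, and collapses the counts into a single RASQ-style weighted score; the sample resources and the weights are constructed assumptions, not values from the paper or from MS02-005.

```python
from dataclasses import dataclass

# The three abstract dimensions of the attack surface named in the abstract.
DIMENSIONS = ("targets_and_enablers", "channels_and_protocols", "access_rights")


@dataclass(frozen=True)
class AttackSurface:
    """Attack opportunities of one system version, grouped by dimension."""
    name: str
    targets_and_enablers: frozenset
    channels_and_protocols: frozenset
    access_rights: frozenset

    def counts(self):
        # The metric counts attack opportunities per dimension, not bugs or reports.
        return {d: len(getattr(self, d)) for d in DIMENSIONS}


def compare(a, b, dims=DIMENSIONS):
    """Compare two versions with respect to a fixed set of dimensions.

    Returns the name of the version with the smaller (more secure) surface,
    'equal' if every count matches, or 'incomparable' when each version is
    smaller in some dimension: the comparison is a partial order, not a total one.
    """
    ca, cb = a.counts(), b.counts()
    a_le = all(ca[d] <= cb[d] for d in dims)
    b_le = all(cb[d] <= ca[d] for d in dims)
    if a_le and b_le:
        return "equal"
    return a.name if a_le else (b.name if b_le else "incomparable")


def weighted_score(surface, weights):
    """Collapse the counts into one number, as a RASQ-style weighted sum does.
    The weights are the caller's assumption; the abstract gives none."""
    return sum(weights[d] * n for d, n in surface.counts().items())


# Constructed sample versions (illustrative only, not from the paper).
V1 = AttackSurface("v1", frozenset({"web server", "ftp daemon", "script host"}),
                   frozenset({"tcp/80", "tcp/21", "tcp/445"}),
                   frozenset({"guest account", "admin share"}))
# v2 removes the ftp daemon, its channel and the guest account: smaller everywhere.
V2 = AttackSurface("v2", frozenset({"web server", "script host"}),
                   frozenset({"tcp/80", "tcp/445"}), frozenset({"admin share"}))
# v3 drops a target but opens a new channel: smaller in one dimension, larger in another.
V3 = AttackSurface("v3", frozenset({"web server"}),
                   frozenset({"tcp/80", "tcp/445", "udp/161"}), frozenset({"admin share"}))
```

With unit weights, v2 and v3 get the same scalar score (5) even though the dimension-wise comparison reports them as incomparable, which is exactly the information a single number hides.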