McLean, J.D., "Quantitative Measures of Security", Preprints of the Fourth International Working Conference on Dependable Computing for Critical Applications, San Diego, CA, 1994.
One of the most striking properties of the "Trusted Computer System Evaluation Criteria" and its international successors is that none of these documents contains any attempt to relate their evaluation levels to a measure of how much effort must be expended to break into a system. As a consequence, it is impossible to evaluate rationally the marginal benefit of spending the extra money necessary to obtain a higher rating rather than a lower one. One reason for this gap between evaluation levels and cost of system penetration is the difficulty of quantifying penetration costs. In this paper I hope to shed some light on the questions of what is needed, what we have, and what it would be useful to have in the future.